Do you trust the source of the packages?

Jeff Spaleta jspaleta at gmail.com
Wed Jul 15 20:56:48 UTC 2009


On Wed, Jul 15, 2009 at 10:03 AM, brian<fedora at logi.ca> wrote:
> I just tried to run software update again and got the following msg:
>
> -- snip --
> Do you trust the source of the packages?
>
> Repository name: updates
> Signature URL: /etc/pki/rpm/-gpg/RPM-GPG-KEY-fedora-i386
> Signature user identifier: Fedora(11) <fedora at fedoraproject.org>
> Signature identifier: D22E77F2
> Package: xfsprogs-3.0.1-6.fc11
>
> Do you recognise the user and trust the key?
> -- snip --
>
> Well, yes, I recognise that. But how can I know to trust it? I see the email
> address is at fedoraproject.org but I have no idea how to interpret the
> "Signature identifier" nor whether updates can be spoofed. I'm not being
> paranoid--I figure this may have something to do with the recent updates
> issue and it's probably fine. I'm just curious about this. What criteria
> should I use to decide whether or not to accept this?

That's actually a very hard question. Asking someone else to tell you
what to trust implies you already trust the person whom you are
asking. How exactly do you make the determination to trust what I'm
going to tell you if you don't know how to assign trust already? Even
if you do trust the person I am claiming to be, how do you know I'm
really that person and not someone sitting at his desk while he's
getting coffee and forgot to lock his computer screen?  Deep.

What a GPG signature on a package lets you know is that a person
signing the package is the person who had access to the key (typically
a password-protected key).  That is all it does. Everything else is your
discretion and judgement as to whether you trust that person or the
package.

When you see a GPG signature which purports to be the key for a
specific repository how do you know it really is the key the
repository admins are using? I could easily produce a new GPG key
meant to confuse you and sign packages in my own repository with that
key. I could then trick you into configuring that repository. How
would you verify that my key was not the official Fedora project key?
The most practical thing to do is to go to the repository in
question and independently verify the key they are using.  In the case
of Fedora: http://fedoraproject.org/en/keys
Is that enough of a trust verification for you personally? If I told
you it was, should you trust me about that? Even then, can you be sure
the key you are seeing on that website is the right key?

You could look for it on a 3rd party gpg key server like pgp.mit.edu..
but again then you have to trust that it wasn't uploaded by someone
else. To trust a key beyond that you need to use a "web of trust"
metric which examines who has signed the repository key.

For real people...an entire protocol has been established for meeting
face-to-face and signing each other's GPG keys after verifying each
other's identity via government issued documents like drivers licenses
or passports.  This process if adhered to builds a "web of trust."  If
you have met me and certified that I am who I say I am..and trust me
to verify the identity of other people in a similar manner...you can
assign trust to the validity of any GPG key I have personally signed.
And on and on..making a network..of mutually signed keys..backed by
face-to-face identification verification. But how exactly would you do
that with a project wide or repository key? Hmm?

gpg /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-i386
will give you the necessary information to do a lookup on pgp.mit.edu
For the project key.

For the F10 key I see jkeating has signed it. Do I trust jkeating?
Yes. Not with my life but with my computer systems sure.  Do I trust
that is actually jkeating's digital signature? I haven't signed his
key so I've not done the necessary verification myself. So how do I
know? Well if you look at who signed his key...and then you look at who signed
their keys...on and on..eventually I may find that I have signed
someone's key in the web of trust associated with jkeating's key.
Assuming everyone in the link between me and jkeating in the GPG web
of trust did everything they were supposed to do to verify
identity...then I can probably trust that the key really is
jkeating's key and thus jkeating trusts the key claiming to be the
Fedora 10 key.  But what if I don't trust anyone in the web of trust
around the jkeating key?

See how deep this is. Unless you already trust someone, you can't
trust anyone. Even the personal verification protocol can be abused if
people want to use false identification. Very few of us are equipped
to actually detect false government documents.  Deep.

And that's just a discussion of the complication of defining trust
strictly in terms of identity...without talking about trust as a value
judgement.  You could trust my key to be my key...but you may not
trust me to create non-malicious packages. Deep.

-jef
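The check the reply describes (compare the key shipped in /etc/pki/rpm-gpg against the fingerprint published by the project, then look up who signed it), as an added example that is not part of the thread. It assumes GnuPG and rpm are installed, that "gpg <file>" lists a key file as in the post, and the published fingerprint is a placeholder you paste in yourself; the colon-format sample embedded below is constructed, not a real Fedora key.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumes "gpg" and "rpm" are on
# PATH; the expected fingerprint is a placeholder filled in from the project's
# key page.

# Normalise a fingerprint for comparison: drop spaces, force upper case.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# Pull the primary key's fingerprint out of gpg --with-colons output on stdin.
# Field 10 of the first "fpr" record is the full 40-hex-digit fingerprint;
# later "fpr" records belong to subkeys.
fpr_from_colons() { awk -F: '$1 == "fpr" { print $10; exit }'; }

# Exact match on the FULL fingerprint. The 8-digit "Signature identifier" in
# the dialog is only the last 32 bits of it: fine for a lookup, useless as proof.
fpr_matches() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]; }

# Check a key file from /etc/pki/rpm-gpg against the published fingerprint.
# "gpg <file>" lists the key file (the command the post gives); --with-colons
# makes that listing parseable (assumption: your gpg version honours it here).
verify_repo_key() {
  actual=$(gpg --with-colons --with-fingerprint "$1" 2>/dev/null | fpr_from_colons)
  if fpr_matches "$actual" "$2"; then
    echo "OK: $1 carries fingerprint $actual"
  else
    echo "MISMATCH: $1 carries '$actual', expected '$2'" >&2
    return 1
  fi
}

# Constructed sample of gpg colon output (not a real Fedora key) so the parser
# can be exercised without gpg installed.
SAMPLE_COLONS='pub:-:4096:1:89ABCDEF01234567:1234567890::-:::scESC:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
sub:-:4096:1:FEDCBA9876543210:1234567890::::::e:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:'
sample_fpr() { printf '%s\n' "$SAMPLE_COLONS" | fpr_from_colons; }

# Real run, e.g.:
#   verify_repo_key /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-i386 \
#       "<full fingerprint copied from http://fedoraproject.org/en/keys>"
# Then the web-of-trust lookup the post describes, and the package check:
#   gpg --keyserver pgp.mit.edu --recv-keys "$FPR" && gpg --list-sigs "$FPR"
#   rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-i386 && rpm -K <package>.rpm
```

The comparison is done on the full fingerprint on purpose: matching only the short identifier shown in the dialog would accept any key whose last eight hex digits happen to collide.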
