Should Fedora rpms be signed?

Peter Jones pjones at redhat.com
Mon Nov 1 17:30:20 UTC 2004


On Fri, 2004-10-29 at 15:36 +0200, Nils Philippsen wrote:
> On Fri, 2004-10-29 at 09:18 -0400, William Hooper wrote:
> > John Burton said:
> > [snip]
> > > As far as signing packages vs. signing meta-data... Digital signatures
> > > are like real signatures, you want to make sure they are actually attached
> > > to what you are signing.
> > [snip]
> > 
> > IIRC the discussion was that signed meta-data would have the signatures
> > attached to the MD5sums of the packages.  The MD5sums of the download
> > could then be checked against the meta-data, verifying that the package is
> > the same as the package used to create the meta-data.
> 
> This still forces me to use special tools like up2date and yum to access
> the packages if I want to verify their origins.

See my mail (earlier today) regarding the fact that our package
signatures represent an implied certificate.  What we want is another
certificate, preferably of a type that is not implied.  This could be
stored (assuming it has the cryptographic hashes of the package in it)
in either the metadata or in the package itself.

What's important is that it can be differentiated from the normal
package signature in a programmatic way which does not require knowledge
of specific signing keys.
-- 
        Peter

"Obviously, a major malfunction has occurred."
                -- Steve Nesbitt, voice of Mission Control, January 28,
                   1986, as the shuttle Challenger exploded within view
                   of the grandstands.