15

Fedora uses GPG-keys for signing RPM packages and ISO checksum files. They list the keys in use (including fingerprints) on a web page. The web page is delivered via https.

For example the checksum file for Fedora-16-i386-DVD.iso is signed with key A82BA4B7. Checking who signed the public key results in a disappointing listing:

Type bits/keyID    cr. time   exp time   key expir

pub  4096R/A82BA4B7 2011-07-25            

uid Fedora (16) 
sig  sig3  A82BA4B7 2011-07-25 __________ __________ [selfsig]

It seems that nobody from the Fedora community has signed these important keys!

Why? ;) (Why doesn't Fedora use a web of trust?) Or am I missing something?

Compare this e.g. with Debian - their current automatic ftp signing key 473041FA is signed by 7 developers.

Edit: Why does this stuff matter?

Having such an important key signed by real people (currently it is not signed by anyone!) established a certain level of confidence that it is the real key and not one created by an attacker just uploaded 5 minutes ago to the web-server. This level of confidence or trust requires that you can trace signing relations in a web of trust (to people you are already trusting). And the probability you are being able to do so is increasing when different people sign it (currently the probability is zero).

You can compare this trust thing with surfing to https://mybank.example.net and getting a certification verification warning - would you then still enter your transaction details or would you think 'wait a minute!', stop and investigate the issue?

maxschlepzig
  • 56,316
  • 50
  • 205
  • 279
  • what is it you are hoping to see? What is the added value you feel you will get from having more signatories? Not being awkward here, but just trying to understand what you need. – Rory Alsop Feb 21 '12 at 09:56
  • @RoryAlsop, updated the question to give some motivation. – maxschlepzig Feb 22 '12 at 08:13
  • SSL certificates are [far](http://www.schneier.com/blog/archives/2011/03/comodo_group_is.html) [from](http://www.schneier.com/blog/archives/2011/10/the_security_of_4.html) [perfect](http://www.schneier.com/blog/archives/2011/11/more_ssl_woes.html). (I'm sure there are other reports; these are just what I found with a very quick search-and-scan through my recent personal blog archives.) – user Feb 22 '12 at 13:00
  • 1
    @MichaelKjörling, nobody claims that SSL certificates (or current TLS revisions/implementations) are perfect. Please clarify how your comment is related to the issue described in the question. – maxschlepzig Feb 22 '12 at 19:25
  • 3
    Avid Fedora user, and I'm with you max. I wasn't shocked when I downloaded the key for [Tails](https://tails.boum.org) and it wasn't signed, but Fedora is put together by tons of competent and even many beardful individuals (many being RHT employees). Pretty odd. Probably better to ask this in one of the IRC chatrooms. Or at [fedoraforum](http://fedoraforum.org) or [askfedora](http://ask.fedoraproject.org). – rsaw Mar 04 '12 at 19:40

2 Answers2

3

Sometimes key holders do sign non-human keys "sig1" (for example repo keys).

from the man page;

1 means you believe the key is owned by the person who claims to own it but you could not, or did not verify the key at all. This is useful for a "persona" verification, where you sign the key of a pseudonymous user.

I believe this could add value as these signatures are not used to promote trust, they are only there for manual verification / re-assurance.

The problem with anyone signing a non-human / pseudonymous key is that we don't know who will be in control of the key in ... time. Most people won't want to sign for this reason.

Furthermore, at present it's relatively fast for Fedora to replace the key and publish a new fingerprint on their website, it would take a while for all those who have signed to revoke signatures.

What could possibly be more practical;

  • someone takes ownership of the key at fedora (non pseudonymous key)
  • a dedicated team close to the key at fedora sign/revoke the key.
  • the webpage with the current fingerprint is signed by someone in wot.

But... as has been said already, with or without signature, gpg fingerprints of the repo keys are installed when you install the OS... this validates all future updates. This adds a world of security.

mikejonesey
  • 1,950
  • 10
  • 17
2

I can't speak to the specific rationale of the Fedora developers, but unless you trust the signing keys it doesn't make a difference.

One ought not blindly trust an individual's key without having met face-to-face and exchanged keys or having received their signed key from a third party one trusts absolutely.

Being that the Fedora user community is relatively large compared to the Fedora developer community, wide distribution and rational trust of the signers is unlikely for the general public though it would add some value for the small number of people able to properly trust the signer(s).

In the case of SSL this secure key exchange has already taken place -- it is performed on your behalf by your browser or OS vendor. Common Certificate Authority root (and issuing) public keys come pre-populated in your SSL trust db. Much like SSL root certs, the signing keys for various OS repositories come with the distribution. Thus there is no basis to say that these SSL root certificates are more or less trustable than the GPG signing keys distributed with your OS.

GPG signing of packages still provides substantial benefit even without a signed key. You can be assured that your packages came from the same source, you can be sure if the signing key has changed any point since installing, etc. You can also look to other places the key might be published and check to see if it's different.

This has the net effect of giving you the ability to say "if I were rooted via a signed package, everyone else using Fedora is also rooted" whereas with unsigned packages a paranoid mind must always ask "what if someone is sitting between me and the mirror on the network and slipstreaming nefarious code into any *.{rpm,deb,txz}?".

marpa
  • 99
  • 4