User: Password:
Subscribe / Log in / New account

Way to have FedUp users

Way to have FedUp users

Posted Dec 21, 2012 0:12 UTC (Fri) by smcv (subscriber, #53363)
In reply to: Way to have FedUp users by smoogen
Parent article: Fedora and secure release upgrades

In Debian (and derivatives like Ubuntu), the chain of trust goes like this:

1. some prominent developers sign...
2. a "role" GPG key which signs...
3. a file containing cryptographic hashes of...
4. the installation media, which contain...
5. the (debian|ubuntu|...)-archive-keyring package, which contains...
6. a "role" GPG key which signs...
7. the Release file, containing cryptographic hashes of...
8. the Packages and Sources files, containing cryptographic hashes of...
9. each installable package

For a naive user who doesn't verify anything, skip directly to (4).

For upgrades, skip directly to (5) (assuming no key revocations have been required), because each release's -archive-keyring package contains the public key with which the project intends to sign the next release.

(Some prominent developers also sign (6), providing a shorter chain of trust to that.)

(Log in to post comments)

Way to have FedUp users

Posted Dec 21, 2012 17:16 UTC (Fri) by smoogen (subscriber, #97) [Link]

Ok thanks for that information on the Debian way of confirming the package chain.

How does a network installer confirm the web of trust? Is there a prompt for the user to go to XYZ website and upload a key and check to see that the key matches what the website says (or some kind of prompt.. )

How does someone behind a Great Firewall of XYZ nation know that they aren't getting MITM somehow and the packages aren't fake.

Way to have FedUp users

Posted Dec 21, 2012 17:28 UTC (Fri) by dlang (subscriber, #313) [Link]

the network installer has the key needed to validate the packages. the media the packages come from does not materially change things (it's just network vs disk)

if you are behind GREAT FIREWALL of X, you have no way of knowing if the install media you are using has been tampered with, you have no way of knowing if your attempts to validate the key are being tampered with, you could try and make a phone call to someone outside the firewall, or smuggle in media from outside and validate things that way

But once you have trusted install media (for whatever value of trust you want to go to), that install media will validate the packages.

The chain of trust is traceable to individual keys, not to CA entities, so the fact that the government is a CA entity doesn't change things.

Way to have FedUp users

Posted Dec 21, 2012 22:22 UTC (Fri) by pkern (subscriber, #32883) [Link]

You can verify the installation media by checking its hash against the list of hashes signed by the Debian CD release key, though. Now how you bootstrap that trust is obviously still an interesting exercise behind a great firewall with no friends outside.

Copyright © 2017, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds