
I am installing Fedora 14 and I am wondering if

  1. the Fedora packages are cryptographically signed
  2. package signatures are checked by the installer by default
  3. package signatures are checked by yum when installing additional packages or doing upgrades
maxschlepzig

2 Answers


The packages are cryptographically signed, and the yum package installer does check those signatures when you add packages after the fact. The initial installer, however, does not check package signatures. This is a difficult problem, because: how do you verify that the cryptographic signatures you have on your install media are good when you don't, by definition, trust that install media?

See this Fedora bugzilla entry for history and details. This is the oldest bug still open in Red Hat's database, and it's so old that it's only three digits. (New bugs are now numbered well into the six hundred thousands.)

But, the entire install DVD is checksummed, and you can verify that that's good externally before starting your install against checksum files which are cryptographically signed. So, if you're very concerned (and in this day and age, it's good to be), do a non-network install after verifying the ISO you download against the GPG key from the official Fedora Project web site.

So to answer your three questions: yes, sort of, and yes.

mattdm
  • OMG ;) - with this information, Fedora network install is basically unusable. I agree, you have to get the initial installer from a trusted source, which is one thing. But in any case how complicated that might be (checksum verifying, web of trust research), I don't see why the installer image of a release cannot include the default gpg keyring of the release team. I really cannot think of any reason. – maxschlepzig Nov 07 '10 at 17:59
  • What is truly amazing is that this bug was reported over 10 years ago. – Steven D Nov 07 '10 at 18:12
  • 1
    Patches accepted. :) – mattdm Nov 07 '10 at 23:54
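The external verification mattdm's answer recommends, written out as a runnable check. This is an added example, not code from this thread or from the Fedora Project. It assumes the Fedora signing key has already been imported into the local GnuPG keyring after its fingerprint was compared with the one published on the Fedora Project web site, and that that fingerprint is what you pass as expected_fingerprint; the fake ISO and checksum lines built in demo() are constructed test data.

```python
"""Verify a downloaded Fedora ISO against a GPG-signed checksum file.
Added example, not code from the thread or from the Fedora Project."""
import hashlib
import os
import re
import subprocess
import tempfile
from pathlib import Path

# Fedora CHECKSUM files use BSD-style lines "SHA256 (name) = hex";
# plain "sha256sum" output uses "hex  name". Both forms are accepted.
BSD_LINE = re.compile(
    r"^(?P<algo>SHA256|SHA512)\s+\((?P<name>[^)]+)\)\s*=\s*(?P<hex>[0-9a-fA-F]+)\s*$")
GNU_LINE = re.compile(
    r"^(?P<hex>[0-9a-fA-F]{64}|[0-9a-fA-F]{128})\s+\*?(?P<name>\S.*)$")


def parse_checksums(text):
    """Return {filename: (algorithm, hexdigest)} from a checksum file body.
    Parsing stops at the PGP signature block; unrecognised lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if line == "-----BEGIN PGP SIGNATURE-----":
            break
        m = BSD_LINE.match(line) or GNU_LINE.match(line)
        if not m:
            continue
        digest = m.group("hex").lower()
        algo = m.groupdict().get("algo") or ("sha256" if len(digest) == 64 else "sha512")
        entries[m.group("name")] = (algo.lower(), digest)
    return entries


def file_digest(path, algo):
    """Hash a large file in 1 MiB chunks."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_iso(iso_path, checksum_text):
    """True only if the ISO is listed and its digest matches.
    A file missing from the list is a failure, not a pass."""
    entry = parse_checksums(checksum_text).get(Path(iso_path).name)
    if entry is None:
        return False
    algo, expected = entry
    return file_digest(iso_path, algo) == expected


def gpg_verify(checksum_path, expected_fingerprint):
    """Run gpg on the clearsigned checksum file and accept it only if the
    signature is valid AND made by the pinned key. Exit status 0 alone is
    not enough: gpg also exits 0 for a good signature from an untrusted key."""
    want = expected_fingerprint.replace(" ", "").upper()
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", str(checksum_path)],
        capture_output=True, text=True)
    for line in proc.stdout.splitlines():
        parts = line.split()
        # "[GNUPG:] VALIDSIG <signing-key-fpr> <date> <ts> ... <primary-key-fpr>"
        if len(parts) >= 3 and parts[0] == "[GNUPG:]" and parts[1] == "VALIDSIG":
            return want in (parts[2].upper(), parts[-1].upper())
    return False


def demo():
    """Constructed sample: a fake ISO and a checksum listing that names it."""
    with tempfile.TemporaryDirectory() as d:
        iso = os.path.join(d, "Fedora-14-x86_64-DVD.iso")
        with open(iso, "wb") as f:
            f.write(b"not really an ISO image\n" * 4096)
        listing = "SHA256 (Fedora-14-x86_64-DVD.iso) = %s\n" % file_digest(iso, "sha256")
        intact = verify_iso(iso, listing)
        with open(iso, "ab") as f:          # simulate a modified download
            f.write(b"\x00")
        tampered = verify_iso(iso, listing)
        unlisted = verify_iso(iso, "SHA256 (Fedora-14-i386-DVD.iso) = %s\n" % ("0" * 64))
        return intact, tampered, unlisted


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

On a real download the order matters: gpg_verify() on the checksum file first, and only if it returns True, verify_iso() with that file's contents. A good checksum match against an unsigned or differently signed listing proves nothing, which is exactly the problem the answer describes for the installer itself.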

According to the Fedora Documentation:

All Fedora packages are signed with the Fedora GPG key. GPG stands for GNU Privacy Guard, or GnuPG, a free software package used for ensuring the authenticity of distributed files. For example, a private key (secret key) locks the package while the public key unlocks and verifies the package. If the public key distributed by Fedora does not match the private key during RPM verification, the package may have been altered and therefore cannot be trusted.

The RPM utility within Fedora automatically tries to verify the GPG signature of an RPM package before installing it. If the Fedora GPG key is not installed, install it from a secure, static location, such as a Fedora installation CD-ROM or DVD.

Further, according to the Yum Documentation:

Yum provides secure package management by enabling GPG (Gnu Privacy Guard; also known as GnuPG) signature verification on GPG-signed packages to be turned on for all package repositories (i.e. package sources), or for individual repositories. When signature verification is enabled, Yum will refuse to install any packages not GPG-signed with the correct key for that repository. This means that you can trust that the RPM packages you download and install on your system are from a trusted source, such as The Fedora Project, and were not modified during transfer.

On a freshly installed Fedora 14 system, the /etc/yum.conf includes

gpgcheck=1

Indicating that this feature of yum is enabled by default.

Thus it seems that the answers to (1) and (3) are "Yes". I believe the answer to (2) is more complicated.

Both the DVD and the Live CD have the ability to verify the entire disk. If you are concerned with the integrity of your install media, you can use this built-in functionality (see the documentation). If you are more concerned with security, you may want to verify the ISO before burning, using the method provided here:

https://fedoraproject.org/en/verify

(See this question for tips on how to get the checksum for an already burnt CD.)

UPDATED: If you install using the Live CD, I believe that the live image is being copied directly to your disk, thus the packages aren't being installed by the package manager and their signatures aren't being checked. If you install using a Network Install or the full DVD, the GPG signatures still aren't checked. See mattdm's answer.

Steven D
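A check for the caveat behind the gpgcheck=1 observation in Steven D's answer: the setting in the [main] section of /etc/yum.conf is only a default, and any file in /etc/yum.repos.d can override it for its own repository, so a global gpgcheck=1 says nothing about a third-party .repo file that sets gpgcheck=0. The following is an added example, not code from the thread; the yum.conf and .repo contents are a constructed sample, and the paths in load_system_config are yum's default locations.

```python
"""Audit per-repository signature checking for yum (dnf uses the same
file format). Added example, not code from the thread; the sample
configuration below is constructed, not copied from a real system."""
import configparser
import glob


def audit_repos(yum_conf_text, repo_files):
    """Return {repo_id: [problems]} for every enabled repository.

    A repo-level gpgcheck overrides the [main] default. repo_files maps
    file name -> file contents so the function can run on any input."""
    main = configparser.ConfigParser(interpolation=None)
    main.read_string(yum_conf_text)
    default_check = main.getboolean("main", "gpgcheck", fallback=False)

    report = {}
    for fname, text in repo_files.items():
        cfg = configparser.ConfigParser(interpolation=None)
        cfg.read_string(text)
        for repo in cfg.sections():
            if not cfg.getboolean(repo, "enabled", fallback=True):
                continue                      # disabled repos cannot install anything
            problems = []
            if not cfg.getboolean(repo, "gpgcheck", fallback=default_check):
                problems.append("signature checking is off (%s): altered or "
                                "unsigned packages will install" % fname)
            else:
                keys = cfg.get(repo, "gpgkey", fallback="").split()
                if not keys:
                    problems.append("gpgcheck on but no gpgkey configured")
                for key in keys:
                    if not key.startswith("file://"):
                        problems.append("gpgkey %s is fetched over the network; compare "
                                        "its fingerprint out of band before accepting "
                                        "the import prompt" % key)
            report[repo] = problems
    return report


def load_system_config(conf="/etc/yum.conf", repodir="/etc/yum.repos.d"):
    """Read the live configuration from yum's default paths."""
    with open(conf) as f:
        conf_text = f.read()
    files = {}
    for path in sorted(glob.glob(repodir + "/*.repo")):
        with open(path) as f:
            files[path] = f.read()
    return conf_text, files


# Constructed sample: a stock-looking yum.conf plus three third-party .repo files.
SAMPLE_YUM_CONF = """\
[main]
cachedir=/var/cache/yum/$basearch/$releasever
keepcache=0
gpgcheck=1
plugins=1
"""

SAMPLE_REPOS = {
    "fedora.repo": """\
[fedora]
name=Fedora $releasever - $basearch
mirrorlist=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
""",
    "vendor.repo": """\
[vendor]
name=Third-party vendor packages
baseurl=http://packages.example.com/fedora/$releasever/$basearch
enabled=1
gpgcheck=0
""",
    "community.repo": """\
[community]
name=Community builds
baseurl=http://builds.example.org/f$releasever
enabled=1
gpgkey=http://builds.example.org/RPM-GPG-KEY-community
""",
    "old.repo": """\
[old-release]
name=Disabled leftover
baseurl=http://old.example.org/
enabled=0
gpgcheck=0
""",
}


if __name__ == "__main__":
    for repo, problems in audit_repos(SAMPLE_YUM_CONF, SAMPLE_REPOS).items():
        print(repo, "OK" if not problems else "; ".join(problems))
```

On a Fedora box, audit_repos(*load_system_config()) runs the same check against the real files. Note the [community] case: it never mentions gpgcheck, so it inherits whatever [main] says, which is why the global default still matters even though it is not sufficient on its own.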