Thread: Point yum repos to centos gpg key in /etc/pki/

Point yum repos to centos gpg key in /etc/pki/
United States | 2008-02-25 11:45:17
Hi, as a follow up to a conversation in #centos-devel, I'd like to get input from the list on this issue.

The question is where to point people, and tools like yum, for the centos gpg key used to verify rpm signatures. My opinion is that pointing to the key in /etc/pki/ which gets installed by the centos-release makes the most sense. This is already installed locally on any centos (-5) machine. See ie. http://bugs.centos.org/view.php?id=2419

From a security standpoint, there are issues with either choice. However, if your install media has been compromised, then there would be many other ways to bypass the gpg checks rather than just changing the gpg key from the centos-release package. Pointing to a URL for the gpg key opens up more security issues such as dns poisoning.

-Jeff
_______________________________________________
CentOS-devel mailing list
CentOS-devel centos.org
http://lists.centos.org/mailman/listinfo/centos-devel

Re: Point yum repos to centos gpg key in /etc/pki/
United States | 2008-02-25 12:34:32
Jeff Sheltren wrote:
> Hi, as a follow up to a conversation in #centos-devel, I'd like to get
> input from the list on this issue.
>
> The question is where to point people, and tools like yum, for the
> centos gpg key used to verify rpm signatures. My opinion is that
> pointing to the key in /etc/pki/ which gets installed by the
> centos-release makes the most sense. This is already installed locally
> on any centos (-5) machine. See ie.
> http://bugs.centos.org/view.php?id=2419
>
> From a security standpoint, there are issues with either choice.
> However, if your install media has been compromised, then there would be
> many other ways to bypass the gpg checks rather than just changing the
> gpg key from the centos-release package. Pointing to a URL for the gpg
> key opens up more security issues such as dns poisoning.
>
> -Jeff

I think that for the CentOS-Media.repo file that using the /etc/pki directory makes sense.

I STILL think pointing to the http://mirror.centos.org/ site is best for the web enabled CentOS-Base.repo file.

Re: Point yum repos to centos gpg key in /etc/pki/
Sweden | 2008-02-25 14:47:35
On Monday 25 February 2008, Johnny Hughes wrote:
> Jeff Sheltren wrote:
...
> > Johnny, could you let us know your reasons for wanting to point to the
> > remote GPG key?
>
> We DON'T allow downloads of ISOs from centos.org servers due to
> bandwidth considerations. It would be fairly easy to put out an ISO
> that had different RPMS and a different key.
>
> Granted, people CAN check the md5 and sha1 sum of the ISOs if they choose.
>
> Since we do control the content of every mirror.centos.org server, we
> know that the key file is correct. In order to make that key AND the
> RPMS be bad, they need a doctored CD *AND* they need to hijack our
> content by DNS poisoning or getting control of our servers.
>
> I just think if you are using the internet anyway, why not also get the
> key from a known location.

I agree that there's something intuitively right about that, but, unfortunately it's wrong.

Here's why.

We have to assume that the install the user has is intact and uncompromised. Why? Well, if it has been compromised in any way then not only could it contain a malicious /etc/pki, it could of course have different gpgkey= lines in the .repo files...

It will have to be up to the user to make sure (with our help, signed .isos, installers that check rpm signatures and stage2 signature) that he/she has an ok system. If they fail then they don't really run centos, they run haxx0r os and any attempt to validate anything inside that will fail.

/Peter

Re: Point yum repos to centos gpg key in /etc/pki/
Sweden | 2008-02-25 12:30:50
On Monday 25 February 2008, Jeff Sheltren wrote:
> Hi, as a follow up to a conversation in #centos-devel, I'd like to get
> input from the list on this issue.
>
> The question is where to point people, and tools like yum, for the
> centos gpg key used to verify rpm signatures. My opinion is that
> pointing to the key in /etc/pki/ which gets installed by the centos-
> release makes the most sense. This is already installed locally on
> any centos (-5) machine. See ie. http://bugs.centos.org/view.php?id=2419

I agree with using /etc/pki. The most important thing to change are the gpgkey= lines in our .repo files.

> From a security standpoint, there are issues with either choice.

Something like this:
current way (www.centos.org) trusts: local machine, dns, centos.org
/etc/pki trusts: local machine

/Peter
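
Added example (not part of the original thread and not CentOS project code): a small audit that applies the trust comparison from the message above to the gpgkey= lines of a .repo file, and also reports repos where gpgcheck is off. The sample repo content, the key file names and the label "key host" are constructed for illustration.

```python
import configparser
from urllib.parse import urlparse

# Constructed sample .repo content; repo ids and key file names are placeholders.
SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
gpgcheck=1
gpgkey=http://mirror.centos.org/RPM-GPG-KEY-example

[c5-media]
name=CentOS-$releasever - Media
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[addons]
name=CentOS-$releasever - Addons
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
       http://mirror.centos.org/RPM-GPG-KEY-example
"""

# Parties that must be honest for the key to be genuine, as compared in the thread.
TRUST = {"local": ["local machine"],
         "remote": ["local machine", "dns", "key host"]}

def audit_repo(text):
    """Map each repo id to its gpgcheck state and the trust set of every gpgkey URL."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        # Assumption: a repo without its own gpgcheck line counts as unchecked here;
        # yum itself would inherit the value from [main] in yum.conf.
        flag = cp.get(repo, "gpgcheck", fallback="0").strip().lower()
        keys = []
        # gpgkey may hold several URLs, separated by spaces or continuation lines.
        for url in cp.get(repo, "gpgkey", fallback="").split():
            kind = "local" if urlparse(url).scheme.lower() == "file" else "remote"
            keys.append((url, kind, TRUST[kind]))
        report[repo] = {"gpgcheck": flag in ("1", "yes", "true"), "keys": keys}
    return report

def repos_with_remote_key(text):
    """Repo ids where at least one signing key is fetched over the network."""
    return sorted(r for r, v in audit_repo(text).items()
                  if any(kind == "remote" for _, kind, _ in v["keys"]))

def repos_without_gpgcheck(text):
    """Repo ids where packages are installed without signature verification."""
    return sorted(r for r, v in audit_repo(text).items() if not v["gpgcheck"])
```

On a real system the input would be the text of each file under /etc/yum.repos.d/.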

Re: Point yum repos to centos gpg key in /etc/pki/
United States | 2008-02-25 12:40:40
On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:
> Jeff Sheltren wrote:
>> Hi, as a follow up to a conversation in #centos-devel, I'd like to
>> get input from the list on this issue.
>> The question is where to point people, and tools like yum, for the
>> centos gpg key used to verify rpm signatures. My opinion is that
>> pointing to the key in /etc/pki/ which gets installed by the centos-
>> release makes the most sense. This is already installed locally on
>> any centos (-5) machine. See ie. http://bugs.centos.org/view.php?id=2419
>> From a security standpoint, there are issues with either choice.
>> However, if your install media has been compromised, then there
>> would be many other ways to bypass the gpg checks rather than just
>> changing the gpg key from the centos-release package. Pointing to
>> a URL for the gpg key opens up more security issues such as dns
>> poisoning.
>> -Jeff
>
> I think that for the CentOS-Media.repo file that using the /etc/pki
> directory makes sense.
>
> I STILL think pointing to the http://mirror.centos.org/ site is best
> for the web enabled CentOS-Base.repo file.

Johnny, could you let us know your reasons for wanting to point to the remote GPG key?

Thanks,
Jeff

Re: Re: Point yum repos to centos gpg key in /etc/pki/
Sweden | 2008-02-25 14:50:11
On Monday 25 February 2008, Scott Silva wrote:
> on 2/25/2008 10:40 AM Jeff Sheltren spake the following:
> > On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:
...
> >> I STILL think pointing to the http://mirror.centos.org/ site is best
> >> for the web enabled CentOS-Base.repo file.
> >
> > Johnny, could you let us know your reasons for wanting to point to the
> > remote GPG key?
>
> I would think if you could compromise the mirror dns list, you could have
> malicious rpm's signed by a malicious key, and have thousands of systems
> get rooted.

I'm not sure what you're saying, but if the above happened, then my unaffected /etc/pki key would refuse your maliciously signed rpms.

And if my /etc/pki was bad then that was because my install was bad and I'm f**ked anyway.

/Peter