The preferred way to check integrity and authenticity of packages is GPG. (Not sure which component to file this against, please reassign if appropriate)
{{{
19:04 <lkundrak> what algorithm is used for checksum in the update mails?
19:04 <lmacken> sha1
19:06 <lkundrak> until very recently i thought it was md5, and I was going to ask you to remove it. But as it's not, could you please either add there a statement that it's a sha1 sum, and how to check it, or remove it? We sign the packages with gpg and it ensures both the integrity and authenticity
19:06 <lkundrak> i doubt anyone uses the checksum anyways
19:06 <lmacken> what would the "proper" way to check it be ?
19:06 <lmacken> especially if people just get the updates from yum
19:07 <lmacken> yum does that for us
19:07 <lkundrak> that's why I think the checksum is useless there :)
19:07 <lmacken> yeah, very true
19:07 <lmacken> I'm not sure how much value the filelist provides
19:08 <lkundrak> well, it is usable for people that don't use yum
19:08 <lmacken> yeah.. so what do you recommend I put in the template ?
19:08 <lkundrak> don't tell me there's none -- I don't for some cases :)
19:08 <lkundrak> I'd just remove the checksum
19:08 <lkundrak> and maybe tell people that the packages are signed
19:10 <lkundrak> The packages are signed with key Fedora Project Extras or Whatever (0xabcdef0123)
19:11 <lmacken> ok
}}}
So, in short:
I think at the same time, it'd be good to have a page with the Fedora gpg key info (fingerprint, type, expiration, all that good stuff). This page could be referenced in the announcement mails so that anyone who wants to do a little more verification of the key can do so. This could be similar to http://www.redhat.com/security/team/key/
tmz: http://fedoraproject.org/wiki/Security/Keys I just created this. Please modify it to incorporate your ideas. Thanks!
Nice work Lubomir! I did a little editing. Hopefully I haven't introduced too many typos and errors in the process. I think mmcgrath mentioned in irc that such a page may be best to have outside of the wiki. So perhaps if we get the content in good shape, it can then be moved somewhere a little more secure than the wiki. Of course, that may mean that some work will need to be done to convert from the wiki formatting to html.
Just a note for myself: Once this is complete, Bug [https://bugzilla.redhat.com/show_bug.cgi?id=417201 #417201] can be resolved.
Red Hat is stopping using MD5 for their advisories on Jan 1st 2008. It might be a good day to do the changes to bodhi also. I will polish the keys page a bit till then and ask Mike McGrath to move it out of the wiki.
Bodhi /could/ display the GPG key for the corresponding package, but I'm not sure if that provides anyone any value. What do you guys think of something like:
{{{ All packages are signed with the Fedora Project GPG key. More details on the GPG keys used by the Fedora Project can be found at http://fedoraproject.org/wiki/Security/Keys }}}
Having this information on the wiki may not be the best idea. Should we lock the page down to only a certain group of users, or maybe move it to docs.fp.o ?
I ported the Security/Keys wiki page to genshi: [http://lmacken.fedorapeople.org/keys.html http://lmacken.fedorapeople.org/keys.html], and sent the patch to mmcgrath. This will eventually live at http://fedoraproject.org/keys.
Bodhi no longer generates checksums for update notices.