5

Many Linux distributions (e.g. Fedora) recommend using downloaded signing keys to verify the integrity of downloaded checksums. This seems utterly ridiculous to me, since the downloaded keys are just as suspect as the downloaded checksums. And checking key fingerprints is exactly the same thing, i.e. the page with the fingerprints is just another file downloaded by my browser.

If I trust the PKI of my browser (assuming HTTPS) to authenticate the key or key fingerprints, then I don't need the signing process in the first place. But of course I don't trust the PKI because the list of root certs distributed with major OS's is chock-full of very very dodgy CAs.

At minimum, shouldn't the keys of a new release be signed with the keys of the previous release? That way you can maintain a chain of integrity.

Given that the same process is used for GPG I assume I am being a moron and missing something obvious. Can anyone explain?

Esa Jokinen
  • I usually search for the checksum on a few search engines and see if it shows up in a wide array of websites. If somebody can spoof the result of multiple unrelated websites in order to fool you about an iso checksum, you have bigger problems. – john doe Jul 29 '20 at 03:36
  • 1
    Does this answer your question? [Does hashing a file from an unsigned website give a false sense of security?](https://security.stackexchange.com/questions/1687/does-hashing-a-file-from-an-unsigned-website-give-a-false-sense-of-security) – At0mic Jul 30 '20 at 04:57
  • @At0mic the difference between the two questions is that this one isn't just talking about the checksums (which are not about security) but about the keys and signing, which is about security (and is touted as such on the linked page). – schroeder Jul 30 '20 at 08:56

1 Answer

4

In short, the TLS PKI used in HTTPS and the packet signing with GPG aren't complementary layers of security in this context, but work against totally different risk models.

  1. Getting the public key over a secure channel. You get the public key from a trusted source, in this example over HTTPS from https://getfedora.org/static/fedora.gpg, where getfedora.org is the official site of the distribution, and the connection is encrypted using a PKI-validated certificate.

    If in doubt, you could minimize the possibility of MitM by accessing the site from a trusted location (not e.g. over public WiFi) and by examining the certificate and the connection details manually. It's also possible to cross-check the details with some external diagnostic tools like SSL Shopper's SSL Checker, DigiCert's SSL Installation Diagnostics Tool or even Qualys' SSL Server Test. If the details match, it's unlikely that someone is intercepting your connection with a fake certificate signed by a trusted CA.

  2. Getting the packages over insecure channels. Signing the packages allows a wide distribution network, while the official distribution still has full control over the contents. This addresses two security problems:

    • The packages aren't typically downloaded directly from getfedora.org, but from multiple mirrors from all over the world. The mirrors aren't directly controlled by the Fedora project, and it's possible someone running a mirror could act maliciously or be compromised. (Of course, getfedora.org could be compromised, too, but having multiple mirrors multiplies the chances, and constantly monitoring them all would be impossible.)

    • Furthermore, some of the mirrors are used over plain HTTP (and sometimes FTP), which leaves the possibility of MitM attacks.

Esa Jokinen
  • 1
    After a couple rereads I think the question is **not** asking about why we need a checksum to verify the download, but rather why we need a GPG key to verify the checksum; since the key and the checksum are downloaded from [the same source](https://getfedora.org/en/security/) over HTTPS. – NobodyNada Jul 29 '20 at 17:20
  • @NobodyNada: If you limit your focus to the installation medium checksums on the right side, but the `fedora.gpg` is actually a bundle for the *package signing keys* introduced later on the page. This answer focuses on the valid purpose of the page, but not on any misinterpretations of it. I think those few signed hashes are there because that's the file you download before the installation, and you could download it from multiple sources. After that, checking the checksums and their signatures is automated in the OS. – Esa Jokinen Jul 30 '20 at 09:41
  • @NobodyNada: exactly. If we trust the downloaded GPG key (because PKI) then we also trust the checksums downloaded the same way, so no need for GPG step. However, I am accepting Esa Jokinen's fine explanation as it includes the method to cross-check the PKI details, which pretty much closes the hole for me. – Money Luser Aug 06 '20 at 05:36
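
The two-channel argument from the answer, as a runnable model. This is an added example, not part of the original posts or of Fedora's tooling: textbook RSA over small constructed primes stands in for GPG, and the file name, image bytes, BSD-style checksum line and all function names are assumptions made for illustration.

```python
import hashlib

# Constructed toy RSA keys built from Mersenne primes: far too small for real
# use, they only stand in for the distribution's GPG key and an attacker's key.
E = 65537
def toy_key(p, q):
    return p * q, pow(E, -1, (p - 1) * (q - 1))   # (modulus, private exponent)

PROJECT_N, PROJECT_D = toy_key(2**127 - 1, 2**89 - 1)
ATTACKER_N, ATTACKER_D = toy_key(2**107 - 1, 2**61 - 1)

def digest_int(data, n):
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n
def sign(data, n, d):
    return pow(digest_int(data, n), d, n)
def checksum_file(name, image):
    return f"SHA256 ({name}) = {hashlib.sha256(image).hexdigest()}\n".encode()

def verify_download(name, image, sums, sig, trusted_n):
    """trusted_n is the public modulus the user trusts; None skips the signature step."""
    if trusted_n is not None and pow(sig, E, trusted_n) != digest_int(sums, trusted_n):
        return "bad-signature"
    if sums != checksum_file(name, image):
        return "bad-checksum"
    return "ok"

def scenarios():
    name, good, modified = "distro.iso", b"official image", b"modified image"  # constructed
    good_sums = checksum_file(name, good)
    good_sig = sign(good_sums, PROJECT_N, PROJECT_D)
    # A tampering mirror can recompute the checksum, but can only sign with its own key.
    bad_sums = checksum_file(name, modified)
    bad_sig = sign(bad_sums, ATTACKER_N, ATTACKER_D)
    return {
        "honest mirror, key from official site":
            verify_download(name, good, good_sums, good_sig, PROJECT_N),
        "tampering mirror, checksum only":
            verify_download(name, modified, bad_sums, bad_sig, None),
        "tampering mirror, key from official site":
            verify_download(name, modified, bad_sums, bad_sig, PROJECT_N),
        "tampering mirror, key taken from that mirror":
            verify_download(name, modified, bad_sums, bad_sig, ATTACKER_N),
        "truncated transfer, key from official site":
            verify_download(name, good[:-1], good_sums, good_sig, PROJECT_N),
    }

if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case}: {result}")
```

Only the third case rejects the modified image. The fourth case shows why the key has to arrive over a channel the mirror does not control: a key fetched alongside the checksums verifies whatever the mirror chose to sign.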