Re: More prominent link to verification hashes

2016-03-07 Thread Chris Murphy
On Mon, Mar 7, 2016 at 8:27 AM, Stephen John Smoogen  wrote:
> On 7 March 2016 at 01:32, Ralf Senderek  wrote:
>>> What would be proper other places to confirm the fingerprint?
>>
>> The following criteria might be reasonable:
>>  - a place that has authority, that people might trust.
>>  - a place that is hard to impersonate, that has some protection
>>    against unauthorized use
>>  - a place that is visible to many people with a need to verify.
>>  - a place that is known for publishing cross-checked, reliable 
>> information
>>
>> Hope that helps to find such places.
>
> Not really. Everything above is subjective. In the past, when I have
> looked for sites that meet such criteria no one agrees that the place
> meets such criteria.
>
> We put it in redhat.com and people who hate corporations or that Red
> Hat sponsors this project assume that if Red Hat were paid enough
> money they would change the data any time.
>
> We put it in archive.org and people wonder how we can tell it isn't
> impersonated by some other site or that someone else isn't changing
> it.
>
> We put it in lwn.net and people wonder how they will know where to
> find it or why we didn't choose reddit/slashdot/etc/etc.
>
> We get google to host it and people wonder all of the above.


Get them all to host it. That oughta bypass any tomfoolery.


-- 
Chris Murphy
--
devel mailing list
devel@lists.fedoraproject.org
http://lists.fedoraproject.org/admin/lists/devel@lists.fedoraproject.org


Re: More prominent link to verification hashes

2016-03-07 Thread Ralf Senderek



On Mon, 7 Mar 2016, Stephen John Smoogen wrote:

>> Hope that helps to find such places.
>
> Not really. Everything above is subjective. In the past, when I have
> looked for sites that meet such criteria no one agrees that the place
> meets such criteria.
>
> We put it in redhat.com and people who hate corporations or that Red
> Hat sponsors this project assume that if Red Hat were paid enough
> money they would change the data any time.
>
> We put it in archive.org and people wonder how we can tell it isn't
> impersonated by some other site or that someone else isn't changing
> it.
>
> We put it in lwn.net and people wonder how they will know where to
> find it or why we didn't choose reddit/slashdot/etc/etc.
>
> We get google to host it and people wonder all of the above.


Stephen,

please bear in mind that it's not a measure to make everyone happy;
publishing the fingerprint(s) is meant to prevent faking of the key.
And this is much more than providing only self-signed keys without
linking them to first-hand knowledge about their authenticity.

You don't have to come up with a solution that suits everyone, as
long as it is enough to make faking a really hard job for anyone.


Re: More prominent link to verification hashes

2016-03-07 Thread Stephen John Smoogen
On 7 March 2016 at 01:32, Ralf Senderek  wrote:
>> What would be proper other places to confirm the fingerprint?
>
> The following criteria might be reasonable:
>  - a place that has authority, that people might trust.
>  - a place that is hard to impersonate, that has some protection
>    against unauthorized use
>  - a place that is visible to many people with a need to verify.
>  - a place that is known for publishing cross-checked, reliable 
> information
>
> Hope that helps to find such places.

Not really. Everything above is subjective. In the past, when I have
looked for sites that meet such criteria no one agrees that the place
meets such criteria.

We put it in redhat.com and people who hate corporations or that Red
Hat sponsors this project assume that if Red Hat were paid enough
money they would change the data any time.

We put it in archive.org and people wonder how we can tell it isn't
impersonated by some other site or that someone else isn't changing
it.

We put it in lwn.net and people wonder how they will know where to
find it or why we didn't choose reddit/slashdot/etc/etc.

We get google to host it and people wonder all of the above.

-- 
Stephen J Smoogen.


Re: More prominent link to verification hashes

2016-03-07 Thread Dennis Gilmore
On Thursday, February 25, 2016 09:29:26 PM Ralf Senderek wrote:
> On Thu, 25 Feb 2016, Dennis Gilmore wrote:
> > Which fingerprint? There is a number of keys
> > 
> > Dennis
> 
> The one you were referring to in your posting and which
> an ordinary user would verify with:
> 
> gpg --list-keys --fingerprint 81B46521
> 
>  Ralf
> 
> PS: if you had a long-term signing key it would be its fingerprint.

We have no long-term signing key and no way to cross-sign the keys; I was
referring to them all in general, not just one in particular.

Dennis



Re: More prominent link to verification hashes

2016-03-07 Thread Corey Sheldon


Somewhere like archive.org too maybe -- again, totally separate
infrastructure + it could be used as an un-official 'official' hash
vault for checking.

On 03/07/2016 08:27 AM, Matthew Miller wrote:
> On Mon, Mar 07, 2016 at 08:32:05AM -, Ralf Senderek wrote:
>>> What would be proper other places to confirm the fingerprint?
>> The following criteria might be reasonable:
>>  - a place that has authority, that people might trust.
>>  - a place that is hard to impersonate, that has some protection
>>    against unauthorized use
>>  - a place that is visible to many people with a need to verify.
>>  - a place that is known for publishing cross-checked, reliable
>>    information
>
> We could possibly add it somewhere on a Red Hat site, which I think
> would fit all of these criteria in many people's eyes. Since it's
> entirely separate infrastructure from Fedora's websites, that would
> significantly raise the bar for any targeted website hacking.



Re: More prominent link to verification hashes

2016-03-07 Thread Matthew Miller
On Mon, Mar 07, 2016 at 08:32:05AM -, Ralf Senderek wrote:
> > What would be proper other places to confirm the fingerprint?
> The following criteria might be reasonable: 
>  - a place that has authority, that people might trust.
>  - a place that is hard to impersonate, that has some protection
>    against unauthorized use
>  - a place that is visible to many people with a need to verify.
>  - a place that is known for publishing cross-checked, reliable 
> information

We could possibly add it somewhere on a Red Hat site, which I think
would fit all of these criteria in many people's eyes. Since it's
entirely separate infrastructure from Fedora's websites, that would
significantly raise the bar for any targeted website hacking.

-- 
Matthew Miller

Fedora Project Leader


Re: More prominent link to verification hashes

2016-03-07 Thread Ralf Senderek
> What would be proper other places to confirm the fingerprint?

The following criteria might be reasonable: 
 - a place that has authority, that people might trust.
 - a place that is hard to impersonate, that has some protection
   against unauthorized use
 - a place that is visible to many people with a need to verify.
 - a place that is known for publishing cross-checked, reliable information

Hope that helps to find such places.


Re: More prominent link to verification hashes

2016-03-05 Thread Till Maas
On Thu, Feb 25, 2016 at 09:29:26PM +0100, Ralf Senderek wrote:

> PS: if you had a long-term signing key it would be its fingerprint.

How would an ordinary user use a long-term signing key?

Kind regards
Till


Re: More prominent link to verification hashes

2016-03-05 Thread Till Maas
On Thu, Feb 25, 2016 at 08:05:59PM +0100, Ralf Senderek wrote:
> Thank you for providing this valuable information about the handling
> of the private key that enables Fedora ISO signing. This information
> should be shared and highlighted as it is helping to create trust in
> the use of this key.

Where should this information be provided?

> As a personal request, would you be so kind as to confirm the fingerprint
> here (and maybe somewhere else), please. Thank you very much.

What would be proper other places to confirm the fingerprint?

Regards
Till


Re: More prominent link to verification hashes

2016-02-25 Thread Ralf Senderek

On Thu, 25 Feb 2016, Dennis Gilmore wrote:

> Which fingerprint? There is a number of keys
>
> Dennis

The one you were referring to in your posting and which
an ordinary user would verify with:

gpg --list-keys --fingerprint 81B46521

Ralf

PS: if you had a long-term signing key it would be its fingerprint.


Re: More prominent link to verification hashes

2016-02-25 Thread Dennis Gilmore
On Thursday, February 25, 2016 08:05:59 PM Ralf Senderek wrote:
> On Thu, 25 Feb 2016, Dennis Gilmore wrote:
> >  No one has access to the private key. It lives on a server that has no
> >  services running that listen for connections. There is a service that
> >  runs on it that talks to the signing bridge. That brokers all requests.
> >  Users with access do not know the password to unlock the key. The signing
> >  server manages access. There are exactly two copies of the private key,
> >  one embedded in encrypted storage on the signing server and a backup of
> >  the encrypted storage on the backup server. It has been designed to allow
> >  the granting and revocation of access without the need for having a copy
> >  of the private key.
> >  
> >  https://fedorahosted.org/sigul/ is the software we use
> >  
> >  Dennis
> 
> Thank you for providing this valuable information about the handling
> of the private key that enables Fedora ISO signing. This information
> should be shared and highlighted as it is helping to create trust in
> the use of this key.
> As a personal request, would you be so kind as to confirm the fingerprint
> here (and maybe somewhere else), please. Thank you very much.

Which fingerprint? There is a number of keys

Dennis

signature.asc
Description: This is a digitally signed message part.


Re: More prominent link to verification hashes

2016-02-25 Thread Ralf Senderek

On Thu, 25 Feb 2016, Dennis Gilmore wrote:

> No one has access to the private key. It lives on a server that has no
> services running that listen for connections. There is a service that runs
> on it that talks to the signing bridge. That brokers all requests. Users with
> access do not know the password to unlock the key. The signing server
> manages access. There are exactly two copies of the private key, one embedded
> in encrypted storage on the signing server and a backup of the encrypted
> storage on the backup server. It has been designed to allow the granting and
> revocation of access without the need for having a copy of the private key.
>
> https://fedorahosted.org/sigul/ is the software we use
>
> Dennis


Thank you for providing this valuable information about the handling
of the private key that enables Fedora ISO signing. This information
should be shared and highlighted as it is helping to create trust in
the use of this key.
As a personal request, would you be so kind as to confirm the fingerprint
here (and maybe somewhere else), please. Thank you very much.


  Ralf


Re: More prominent link to verification hashes

2016-02-25 Thread Dennis Gilmore
On Tuesday, February 23, 2016 10:18:49 PM Ralf Senderek wrote:
> On Tue, 23 Feb 2016, Till Maas wrote:
> > I used my access to the signing server to verify the key before signing
> > it. But why is confirming the fingerprint here a step forward? Why would
> > someone search in this mailing list for the fingerprint of the gpg key?
> > 
> > FWIW, the signing server just gave me a public key with this fingerprint
> > when I asked for the Fedora 24 signing key:
> > pub  4096R/81B46521 2015-07-25 Fedora (24)
> >  Key fingerprint = 5048 BDBB A5E7 76E5 47B0  9CCC 73BD E983 81B4 6521
> 
> This is the important part, you state that you have access to the server
> that uses the private key for 4096R/81B46521. You may have first-hand
> knowledge how the persons using this key protect this private key and you
> have even knowledge of these person's trustworthiness and professionalism.
> 
> That and only that constitutes the value of your signature as opposed to
> mine if I had signed the key.

No one has access to the private key. It lives on a server that has no 
services running that listen for connections. There is a service that runs on 
it that talks to the signing bridge. That brokers all requests. Users with 
access do not know the password to unlock the key. The signing server manages 
access. There are exactly two copies of the private key, one embedded in 
encrypted storage on the signing server and a backup of the encrypted storage 
on the backup server. It has been designed to allow the granting and 
revocation of access without the need for having a copy of the private key.

https://fedorahosted.org/sigul/ is the software we use

Dennis



Re: More prominent link to verification hashes

2016-02-23 Thread Ralf Senderek

On Tue, 23 Feb 2016, Till Maas wrote:

> I used my access to the signing server to verify the key before signing
> it. But why is confirming the fingerprint here a step forward? Why would
> someone search in this mailing list for the fingerprint of the gpg key?
>
> FWIW, the signing server just gave me a public key with this fingerprint
> when I asked for the Fedora 24 signing key:
> pub  4096R/81B46521 2015-07-25 Fedora (24)
>  Key fingerprint = 5048 BDBB A5E7 76E5 47B0  9CCC 73BD E983 81B4 6521


This is the important part: you state that you have access to the server
that uses the private key for 4096R/81B46521. You may have first-hand
knowledge how the persons using this key protect this private key and you
have even knowledge of these persons' trustworthiness and professionalism.

That and only that constitutes the value of your signature as opposed to
mine if I had signed the key.



Re: More prominent link to verification hashes

2016-02-23 Thread Till Maas
On Tue, Feb 23, 2016 at 08:13:59PM +0100, Ralf Senderek wrote:
> 
> On Tue, 23 Feb 2016, Till Maas wrote:
> 
> > You can already get the keys at various places:
> >
> > - Fedora website
> > - physical DVDs
> > - fedora-repos git repository
> > - fedora-repos RPM on kojipkgs
> > - fedora-repos RPM Fedora mirrors
> > - Fedora ISO images on Fedora mirrors
> > - Eventually DNSSEC protected from DNS
> 
> I was very clear in saying fingerprint not keys. The original key file from
> the website contains only self-signed keys. The only way to know if these
> are valid is to check the fingerprint.

It is not the only way. You can also compare the keys from all these
locations directly. Or calculate the fingerprint from the keys at all
these locations and compare them.

> > Also all recent Fedora keys were signed by me. So how many different
> > places do we need to make it secure? I am also very interested in making
> > this secure, but adding more random places to look does not help unless
> > people are actually looking there.
> 
> Printing the fingerprint in prominent places makes faking the key
> nearly impossible, even if the ordinary user doesn't look there.

If the user does not look at the places, then it does not help. But what
are the exact places that you propose to post the fingerprint?

> > And since you did not notice that I
> > signed the GPG keys, I guess you did not look much as well.
> 
> You didn't sign it in the download file from the verify page.

You can get the signature from a keyserver. Just wondering, how would
you check the signature if it was included in the key download file that
it would be hard to download the signature instead with --refresh-keys
in gpg - the latter also gives you all signatures that everyone added to
the key.

> Signing a key only helps if it is an assurance that the signer has checked
> the fingerprint. I could have signed the keys as well, but I didn't
> because I don't know anything about the fingerprint from first-hand.

How will you decide whether someone checked the fingerprint? How should
an inexperienced user decide whether to trust a certain key?

> If you have a valid means of checking the fingerprint with the creator
> of the key and publicly confirm the fingerprint on the mailing list,
> this would be a step forward.

I used my access to the signing server to verify the key before signing
it. But why is confirming the fingerprint here a step forward? Why would
someone search in this mailing list for the fingerprint of the gpg key?

FWIW, the signing server just gave me a public key with this fingerprint
when I asked for the Fedora 24 signing key:
pub  4096R/81B46521 2015-07-25 Fedora (24) 
  Key fingerprint = 5048 BDBB A5E7 76E5 47B0  9CCC 73BD E983 81B4 6521

> > Btw before suggesting what to provide, maybe think of the instructions
> > for users that would explain how to verify the keys
> 
> They are already asking the user on the verify page to run a gpg command,
> displaying the fingerprint is as easy as that.

This is not a specific instruction. Please provide an example of the
specific instructions that you would like to add.


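Till's suggestion above, computing the fingerprint from the key obtained at each location and comparing the results, as an added example that is not code from this thread or from Fedora: it parses the first public-key packet of a binary OpenPGP key file, derives the RFC 4880 v4 fingerprint, and reports any source whose copy disagrees with the rest. The key material and the source names are constructed for the example (a tiny RSA modulus, not a real Fedora key); the only real value is the Fedora 24 fingerprint quoted in the thread, used to show that the short ID 81B46521 is merely its low 32 bits, which is why the full fingerprint, not the short ID, is what should be compared.

```python
from __future__ import annotations

import hashlib
import struct
from collections import Counter


def encode_mpi(value: int) -> bytes:
    """OpenPGP MPI: 2-byte big-endian bit count, then the magnitude bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def build_rsa_pubkey_packet(created: int, n: int, e: int) -> bytes:
    """Old-format public-key packet (tag 6, two-byte length) for a v4 RSA key.
    Body: version 4, creation time, algorithm 1 (RSA), MPI n, MPI e."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + encode_mpi(n) + encode_mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def parse_first_packet(data: bytes) -> tuple[int, bytes]:
    """Return (tag, body) of the first packet in a binary OpenPGP stream.
    Old-format headers (1/2/4-byte lengths) and new-format headers
    (1/2/5-byte lengths) are handled; partial body lengths are rejected."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet header")
    if ctb & 0x40:  # new-format header
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header
        tag = (ctb >> 2) & 0x0F
        ltype = ctb & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    return tag, body


def fingerprint_v4(pubkey_body: bytes) -> str:
    """SHA-1 over 0x99, the two-byte body length and the body (RFC 4880 12.2).
    The prefix is fixed, so the result does not depend on how the packet
    was framed in the file it came from."""
    if pubkey_body[:1] != b"\x04":
        raise ValueError("only version 4 keys are supported")
    digest = hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body)
    return digest.hexdigest().upper()


def fingerprint_of_key_file(data: bytes) -> str:
    """Fingerprint of the primary key in a binary (non-armored) key file."""
    tag, body = parse_first_packet(data)
    if tag != 6:
        raise ValueError(f"expected a public-key packet (tag 6), got tag {tag}")
    return fingerprint_v4(body)


def pretty(fpr: str) -> str:
    """Group like gpg --fingerprint: ten groups of four, wider gap in the middle."""
    groups = [fpr[i:i + 4] for i in range(0, 40, 4)]
    return " ".join(groups[:5]) + "  " + " ".join(groups[5:])


def short_key_id(fpr: str) -> str:
    """The 8-hex-digit ID gpg prints (81B46521 in the thread) is only the low 32 bits."""
    return fpr[-8:]


def cross_check(copies: dict[str, bytes]) -> dict:
    """Fingerprint every copy; sources that disagree with the majority are outliers."""
    fprs = {src: fingerprint_of_key_file(blob) for src, blob in copies.items()}
    majority = Counter(fprs.values()).most_common(1)[0][0]
    outliers = sorted(src for src, fpr in fprs.items() if fpr != majority)
    return {"fingerprint": majority, "outliers": outliers, "agree": not outliers}


# Constructed sample key (NOT a real Fedora key): a 256-bit modulus keeps it short.
CONSTRUCTED_N = 0xC4F9D1B3A7E58D2F6B1C3E5A7F9D0B2C4E6A8F1D3B5C7E9A1F2D4B6C8E0A3F5D
CONSTRUCTED_CREATED = 1437782400  # constructed creation time (2015-07-25 UTC)
GENUINE = build_rsa_pubkey_packet(CONSTRUCTED_CREATED, CONSTRUCTED_N, 65537)
# Same modulus, different exponent: what a swapped key on one source would look like.
TAMPERED = build_rsa_pubkey_packet(CONSTRUCTED_CREATED, CONSTRUCTED_N, 3)
COPIES = {"website": GENUINE, "fedora-repos git": GENUINE,
          "mirror": GENUINE, "untrusted mirror": TAMPERED}  # constructed source names

# Fingerprint of the Fedora 24 key exactly as quoted in the thread (the one real value).
F24_FINGERPRINT = "5048BDBBA5E776E547B09CCC73BDE98381B46521"

if __name__ == "__main__":
    report = cross_check(COPIES)
    print("majority fingerprint:", pretty(report["fingerprint"]))
    print("disagreeing sources: ", report["outliers"] or "none")
    print("thread's F24 key:    ", pretty(F24_FINGERPRINT), "-> short ID", short_key_id(F24_FINGERPRINT))
```

For a real check, feed the function the binary form of each downloaded key file (gpg --dearmor on the armored download) and compare the result with the fingerprint printed on the verify page.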


Re: More prominent link to verification hashes

2016-02-23 Thread Stephen John Smoogen
On 23 February 2016 at 12:13, Ralf Senderek  wrote:
>
> On Tue, 23 Feb 2016, Till Maas wrote:
>
>>  You can already get the keys at various places:
>>
>>  - Fedora website
>>  - physical DVDs
>>  - fedora-repos git repository
>>  - fedora-repos RPM on kojipkgs
>>  - fedora-repos RPM Fedora mirrors
>>  - Fedora ISO images on Fedora mirrors
>>  - Eventually DNSSEC protected from DNS
>
>
> I was very clear in saying fingerprint not keys. The original key file from
> the website contains only self-signed keys. The only way to know if these
> are valid is to check the fingerprint.
>
>
>>  Also all recent Fedora keys were signed by me. So how many different
>>  places do we need to make it secure? I am also very interested in making
>>  this secure, but adding more random places to look does not help unless
>>  people are actually looking there.
>
>
> Printing the fingerprint in prominent places makes faking the key
> nearly impossible, even if the ordinary user doesn't look there.
>

"prominent places" is the part that needs work here. This isn't the
1990's when setting up a website was hard and mailing out a physical
copy of the fingerprint was cheaper. I could set up a dozen websites
all claiming to have the "fingerprint" for near zero cost. How is
anyone going to know that is the valid one or not?


>>  And since you did not notice that I
>>  signed the GPG keys, I guess you did not look much as well.
>
>
> You didn't sign it in the download file from the verify page.
> Signing a key only helps if it is an assurance that the signer has checked
> the fingerprint. I could have signed the keys as well, but I didn't
> because I don't know anything about the fingerprint from first-hand.
>
> If you have a valid means of checking the fingerprint with the creator
> of the key and publicly confirm the fingerprint on the mailing list,
> this would be a step forward.
>

If you have a definition of what valid means are... then that might be
possible. However, I have spent way too many meetings and
conversations trying to come up with "enough" assurance and finding
that every way gets "we don't believe that is valid because this is
the 30 ways it could have been circumvented."



>
>>  Btw before suggesting what to provide, maybe think of the instructions
>>  for users that would explain how to verify the keys
>
>
> They are already asking the user on the verify page to run a gpg command,
> displaying the fingerprint is as easy as that.
>
> If you think you can improve things by signing keys, then take Gregory's
> advice and create a long-term signing key and add its signature to new
> fedora release keys. AND print the fingerprint of this one key in
> many prominent places.
>



-- 
Stephen J Smoogen.


Re: More prominent link to verification hashes

2016-02-23 Thread Ralf Senderek


On Tue, 23 Feb 2016, Till Maas wrote:

> You can already get the keys at various places:
>
> - Fedora website
> - physical DVDs
> - fedora-repos git repository
> - fedora-repos RPM on kojipkgs
> - fedora-repos RPM Fedora mirrors
> - Fedora ISO images on Fedora mirrors
> - Eventually DNSSEC protected from DNS

I was very clear in saying fingerprint not keys. The original key file from the
website contains only self-signed keys. The only way to know if these are valid
is to check the fingerprint.

> Also all recent Fedora keys were signed by me. So how many different
> places do we need to make it secure? I am also very interested in making
> this secure, but adding more random places to look does not help unless
> people are actually looking there.

Printing the fingerprint in prominent places makes faking the key
nearly impossible, even if the ordinary user doesn't look there.

> And since you did not notice that I
> signed the GPG keys, I guess you did not look much as well.

You didn't sign it in the download file from the verify page.
Signing a key only helps if it is an assurance that the signer has checked
the fingerprint. I could have signed the keys as well, but I didn't
because I don't know anything about the fingerprint from first-hand.

If you have a valid means of checking the fingerprint with the creator
of the key and publicly confirm the fingerprint on the mailing list,
this would be a step forward.

> Btw before suggesting what to provide, maybe think of the instructions
> for users that would explain how to verify the keys

They are already asking the user on the verify page to run a gpg command,
displaying the fingerprint is as easy as that.

If you think you can improve things by signing keys, then take Gregory's
advice and create a long-term signing key and add its signature to new
fedora release keys. AND print the fingerprint of this one key in
many prominent places.


Re: More prominent link to verification hashes

2016-02-23 Thread Till Maas
On Mon, Feb 22, 2016 at 07:22:24PM -, Ralf Senderek wrote:

> Yes, for people who look only in one place, the manipulated web server.
> But that is the reason why the fingerprint has to pop up in different places
> where it is hard to fake. Even if this one user can be tricked, others can
> discover that the site is compromised if the fingerprint is independently 
> recorded
> many times elsewhere.

You can already get the keys at various places:

- Fedora website
- physical DVDs
- fedora-repos git repository
- fedora-repos RPM on kojipkgs
- fedora-repos RPM Fedora mirrors
- Fedora ISO images on Fedora mirrors
- Eventually DNSSEC protected from DNS

Also all recent Fedora keys were signed by me. So how many different
places do we need to make it secure? I am also very interested in making
this secure, but adding more random places to look does not help unless
people are actually looking there. And since you did not notice that I
signed the GPG keys, I guess you did not look much as well. Why would
inexperienced users spend so much time on verification? IMHO Fedora is
already doing a great job by providing HTTPS secured key downloads and
signing all stable releases.

Btw before suggesting what to provide, maybe think of the instructions
for users that would explain how to verify the keys and downloads. Then
we can also discuss whether or not this would really make sense for
inexperienced users.

Kind regards
Till


Re: More prominent link to verification hashes

2016-02-23 Thread Kevin Fenzi
On Tue, 23 Feb 2016 18:01:29 +0100
Till Maas  wrote:

> On Tue, Feb 23, 2016 at 06:23:13AM -0700, Kevin Fenzi wrote:
> > On Mon, 22 Feb 2016 19:45:03 +
> > Gregory Maxwell  wrote:  
> 
> > > I don't think there is any utility in pointing people to a
> > > keyserver here.  
> > 
> > I think it would allow them to check signatures against their web of
> > trust.   
> 
> Since one needs to load the gpg key into the gpg keyring anyhow, one
> can just refresh the key from the keyserver to get the signatures
> from other keys. Since one cannot trust the direct link to a
> keyserver, linking to a keyserver actually weakens the security IMHO.

To be clear, I wasn't suggesting a direct link to a specific keyserver,
but more a statement like "Search for key blah with fingerprint foo and
name bar on public gpg servers"

That said, yeah, just refreshing locally to get signatures seems much
more sane. 

kevin




Re: More prominent link to verification hashes

2016-02-23 Thread Till Maas
On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote:

> The key itself should come with signatures. That it doesn't is weird
> and inconvenient. If it came with a single signature by a long lived
> key used for the purpose of authenticating keys, it would go a long
> way.

The gpg tool itself is very inconvenient, but getting the signatures for
a key imported to the keyring is not, just run --refresh-keys.

Kind regards
Till


Re: More prominent link to verification hashes

2016-02-23 Thread Till Maas
On Tue, Feb 23, 2016 at 06:23:13AM -0700, Kevin Fenzi wrote:
> On Mon, 22 Feb 2016 19:45:03 +
> Gregory Maxwell  wrote:

> > I don't think there is any utility in pointing people to a keyserver
> > here.
> 
> I think it would allow them to check signatures against their web of
> trust. 

Since one needs to load the gpg key into the gpg keyring anyhow, one can
just refresh the key from the keyserver to get the signatures from
other keys. Since one cannot trust the direct link to a keyserver,
linking to a keyserver actually weakens the security IMHO.

Kind regards
Till


Re: More prominent link to verification hashes

2016-02-23 Thread Kevin Fenzi
On Mon, 22 Feb 2016 19:45:03 +
Gregory Maxwell  wrote:

> New users are stateless and little can be done there; at least not
> right now when pre-textual security procedures like Fedora's are
> ubiquitous and thus can't be taken as a clear sign of compromise.

Right.

> Existing users are another matter; "Hey, wasn't the last fedora key
> signed by the fedora-keys-key that I already have?? Something smells
> fishy here".   Doubly so if fedora included a fedora-downloader that
> users use to get new images which automatically checked these things.

Perhaps, but they might also just say "oh, download process has
changed, oh well". 

Having an automated downloader that checks things would be nice, but
then of course you need to ensure the security of the downloader and
that it's not just been tampered with. 

> > Pointing people to the sks keyservers to download the key would be
> > nice  
> 
> I don't think there is any utility in pointing people to a keyserver
> here.

I think it would allow them to check signatures against their web of
trust. 

> It's useful if that even worked for the few who would do it-- so that
> in untargeted replacement they could sound alarms. But I wasn't even
> suggesting something so broad as WOT: I'm only suggesting that Fedora
> should commit to signing every release key with a long lived, offline
> stored, key-- or, alternatively, with prior releases release keys.  So
> that people who somehow managed to get a faithful fedora keyring at
> some point aren't exposed to compromise over and over again in the
> future.

We don't have the ability to do this. Sigul doesn't support signatures. 

> > If the site is compromised how would any of that help?  
> 
> The compromised site could not sign their replacement keys-- they'd
> have to just alter or drop the procedure that provides actual
> security, and this disruption would catch the attention of some users.
> (and better, if an automated mechanism is provided and gains wide
> usage.)

Perhaps. That's the window the attackers would have I suppose.

Open source projects have an advantage here in that they are
transparent. If someone notices something that seems odd they can
easily ask about it and raise the flag. 

> > This is already done somewhat... the fedora-repos package has all
> > the keys in it from the time it was last updated.  
> 
> That's good. The last I had seen it didn't include key for future
> releases.  If they're there now the instructions could simply tell the
> user to skip the key download if they're already on an updated fedora
> install.

Yep. 

kevin





Re: More prominent link to verification hashes

2016-02-23 Thread Kevin Fenzi
On Tue, 23 Feb 2016 04:12:41 +
Zbigniew Jędrzejewski-Szmek  wrote:

> On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote:
> > On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi 
> > wrote:  
> > > My point was that you can get the signatures off the key from the
> > > keyserver and see if any of them are someone you trust. If not,
> > > are they connected to someone you trust (hey, look, web of
> > > trust). I think expanding the web of trust on the signatories of
> > > the keys would help more than just trying to distribute the key
> > > fingerprint "lots of places".  
> > 
> > The key itself should come with signatures. That it doesn't is
> > weird and inconvenient. If it came with a single signature by a
> > long lived key used for the purpose of authenticating keys, it
> > would go a long way.  

Well, as mentioned somewhere else in this thread, sigul (our signing
server) doesn't deal with signatures at all. So, we would have to pull
those signatures from keyservers or sign it internally with only some
small amount of keys or something. 

> Some older Fedora signing keys were signed by prominent Fedora persons
> (up to F12 or so). If one has been to at least one Fedora key signing
> party and has a WOT connection to one of those persons, using the WOT
> is the best way to verify the keys one downloads from the web. It
> would be great if we could resurrect this practice and have one or
> more RelEng members and the Fedora Project Leader sign the Fedora PGP
> keys and upload their signatures to public keyservers.

Sure, I don't have any objection to this... 

kevin




Re: More prominent link to verification hashes

2016-02-23 Thread Ryan S. Brown

On 02/22/2016 05:34 PM, Stephen John Smoogen wrote:
> On 22 February 2016 at 13:00, Ralf Senderek  wrote:
> > > The Fedora team could get a profile and verify the key(s) through
> > > github, the Fedora and Red Hat web sites, the Fedora magazine twitter
> > > account, and by having the Fedora team all sign publicly.
> >
> > Every little helps. The important step would be if the Fedora devs state the
> > fingerprints in a visible way that risks their good reputation if the
> > information turned out to be incorrect. These statements would then be the
> > foundation of trust in what the Fedora 24 key signs.
>
> OK and how many people check to see what another person's reputation
> is? And how many people have gotten bad reputations from signing
> bad things? It all sounds great on paper, but without actual methods
> and regular checks.. it is as useless as a keysigning party where no
> one does a full check of the passport and driver's license with the
> issuing authority. [We all do the $200.00 background check on
> everyone we sign don't we?]

I don't, but I think there's benefit in using keybase.io and having any 
Fedora contributors verify that, because:

1. Keybase is easy to check - pop open the web page and it's all there
2. Hosted outside Fedora infrastructure, so 2 points of compromise would 
have to happen

Also, keep in mind that the checks on keybase aren't necessarily "you 
are Ryan Scott Brown, as identified by driver's license," but rather 
that I am the @ryan_sb on twitter, and ryansb on github, and owner of 
rsb.io. For most "people on the internet" the second set of parameters 
is what people actually know me as, so that's more useful for the looser 
verification of "someone I think would notice if Fedora switched their 
GPG key"

Also, tying the GPG key to the various Fedora project social accounts 
would help since, again, that's another point of compromise that would 
need to happen to switch up our .iso's.

Literally nothing we can ever do will be bulletproof[1], but doing 
anything better than putting the GPG keys on the same site as the ISOs 
isn't futile.

1: https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf

> > > Combined with having the key on getfedora.org, it at least provides a
> > > measure of protection against our site being compromised. It also has
> > > the benefit of, if someone knows of any Fedora devs on Twitter or
> > > another service, they can follow the web of social-service trust. This
> > > isn't as good as if they had a direct path to the Fedora WoT through
> > > normal signatures, but it's much more likely to actually occur.
> >
> > Yes all of this, please.


--
Ryan Brown / Senior Software Engineer, OpenStack / Red Hat, Inc.


Re: More prominent link to verification hashes

2016-02-22 Thread Jens Lody
On Mon, 22 Feb 2016 09:29:37 -0700
Kevin Fenzi wrote:

> On Sun, 21 Feb 2016 23:21:58 +0100
> Jens Lody  wrote:
> 
> > This can also be done before clicking the link-button, or the
> > download splash is also shown without javascript. This should not
> > be too hard to implement.  
> 
> https://fedorahosted.org/fedora-websites awaits your ticket. 
> 
> Bonus points for proposed patch also. ;) 
> 
> kevin

I just filed a ticket with a possible (quick) patch:

https://fedorahosted.org/fedora-websites/ticket/377

Jens




Re: More prominent link to verification hashes

2016-02-22 Thread Zbigniew Jędrzejewski-Szmek
On Mon, Feb 22, 2016 at 07:47:51PM +, Gregory Maxwell wrote:
> On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi  wrote:
> > My point was that you can get the signatures off the key from the
> > keyserver and see if any of them are someone you trust. If not, are
> > they connected to someone you trust (hey, look, web of trust). I think
> > expanding the web of trust on the signatories of the keys would help
> > more than just trying to distribute the key fingerprint "lots of
> > places".
> 
> The key itself should come with signatures. That it doesn't is weird
> and inconvenient. If it came with a single signature by a long lived
> key used for the purpose of authenticating keys, it would go a long
> way.

Some older Fedora signing keys were signed by prominent Fedora persons
(up to F12 or so). If one has been to at least one Fedora key signing
party and has a WOT connection to one of those persons, using the WOT
is the best way to verify the keys one downloads from the web. It
would be great if we could resurrect this practice and have one or
more RelEng members and the Fedora Project Leader sign the Fedora PGP
keys and upload their signatures to public keyservers.

Signature chaining (F24 key signed by F23, etc..) would also be helpful.

Zbyszek


Re: More prominent link to verification hashes

2016-02-22 Thread Joshua J Cogliati
For what it is worth, not signing the key is bug 1043276:
https://bugzilla.redhat.com/show_bug.cgi?id=1043276

> Date: Mon, 22 Feb 2016 19:47:51 +
> From: Gregory Maxwell <gmaxw...@gmail.com>
> Subject: Re: More prominent link to verification hashes
> To: Development discussions related to Fedora
>   <devel@lists.fedoraproject.org>
> Message-ID:
>   

Re: More prominent link to verification hashes

2016-02-22 Thread Stephen John Smoogen
On 22 February 2016 at 13:00, Ralf Senderek  wrote:
>
>> The Fedora team could get a profile and verify the key(s) through
>> github, the Fedora and Red Hat web sites, the Fedora magazine twitter
>> account, and by having the Fedora team all sign publicly.
>
> Every little helps. The important step would be if the Fedora devs state the
> fingerprints in a visible way that risks their good reputation if the
> information turned out to be incorrect. These statements would then be the
> foundation of trust in what the Fedora 24 key signs.
>

OK and how many people check to see what another person's reputation
is? And how many people have gotten bad reputations from signing
bad things? It all sounds great on paper, but without actual methods
and regular checks.. it is as useless as a keysigning party where no
one does a full check of the passport and driver's license with the
issuing authority. [We all do the $200.00 background check on
everyone we sign don't we?]


>> Combined with having the key on getfedora.org, it at least provides a
>> measure of protection against our site being compromised. It also has
>> the benefit of, if someone knows of any Fedora devs on Twitter or
>> another service, they can follow the web of social-service trust. This
>> isn't as good as if they had a direct path to the Fedora WoT through
>> normal signatures, but it's much more likely to actually occur.
>
> Yes all of this, please.



-- 
Stephen J Smoogen.


Re: More prominent link to verification hashes

2016-02-22 Thread Ralf Senderek

> The Fedora team could get a profile and verify the key(s) through 
> github, the Fedora and Red Hat web sites, the Fedora magazine twitter 
> account, and by having the Fedora team all sign publicly.

Every little helps. The important step would be if the Fedora devs state the
fingerprints in a visible way that risks their good reputation if the
information turned out to be incorrect. These statements would then be the
foundation of trust in what the Fedora 24 key signs.
 
> Combined with having the key on getfedora.org, it at least provides a 
> measure of protection against our site being compromised. It also has 
> the benefit of, if someone knows of any Fedora devs on Twitter or 
> another service, they can follow the web of social-service trust. This 
> isn't as good as if they had a direct path to the Fedora WoT through 
> normal signatures, but it's much more likely to actually occur.

Yes all of this, please.


Re: More prominent link to verification hashes

2016-02-22 Thread Gregory Maxwell
On Mon, Feb 22, 2016 at 7:42 PM, Kevin Fenzi  wrote:
> My point was that you can get the signatures off the key from the
> keyserver and see if any of them are someone you trust. If not, are
> they connected to someone you trust (hey, look, web of trust). I think
> expanding the web of trust on the signatories of the keys would help
> more than just trying to distribute the key fingerprint "lots of
> places".

The key itself should come with signatures. That it doesn't is weird
and inconvenient. If it came with a single signature by a long lived
key used for the purpose of authenticating keys, it would go a long
way.


Re: More prominent link to verification hashes

2016-02-22 Thread Gregory Maxwell
On Mon, Feb 22, 2016 at 6:35 PM, Kevin Fenzi  wrote:
> Well, I agree the instructions could do better, but how would that help
> if the site was compromised? The attackers would write their own
> instructions.
>
> In addition to the verify link, the https://getfedora.org/en/keys/faq/
> needs a good going over.

New users are stateless and little can be done there; at least not
right now when pre-textual security procedures like Fedora's are
ubiquitous and thus can't be taken as a clear sign of compromise.

Existing users are another matter; "Hey, wasn't the last fedora key
signed by the fedora-keys-key that I already have?? Something smells
fishy here".   Doubly so if fedora included a fedora-downloader that
users use to get new images which automatically checked these things.

> Pointing people to the sks keyservers to download the key would be nice

I don't think there is any utility in pointing people to a keyserver here.

> and asking them to check the signatures for a web of trust link would
> be great, but I am not sure how many people would care to do that or
> have any links there.

It's useful if that even worked for the few who would do it-- so that
in untargeted replacement they could sound alarms. But I wasn't even
suggesting something so broad as WOT: I'm only suggesting that Fedora
should commit to signing every release key with a long lived, offline
stored, key-- or, alternatively, with prior releases release keys.  So
that people who somehow managed to get a faithful fedora keyring at
some point aren't exposed to compromise over and over again in the
future.

> If the site is compromised how would any of that help?

The compromised site could not sign their replacement keys-- they'd
have to just alter or drop the procedure that provides actual
security, and this disruption would catch the attention of some users.
(and better, if an automated mechanism is provided and gains wide
usage.)

> This is already done somewhat... the fedora-repos package has all the
> keys in it from the time it was last updated.

That's good. The last I had seen it didn't include keys for future
releases.  If they're there now the instructions could simply tell the
user to skip the key download if they're already on an updated fedora
install.

The limitation there is that this needs to have virtually no false
positives, and so the lack of updates to that package as versions go
EOL would still be problematic. "Oh, it didn't work. I guess I'll
blindly pull the keys from the site" would undo the security.

> So, if you have a fedora
> install you can check the key in fedora-repos. However, that still
> doesn't get around the fact that the anchor of trust here is the ca
> certificate system, or I suppose, best case it would be a web of trust
> link back to the gpg key, but the web of trust is not that expansive
> and random users who don't care about gpg likely wouldn't have any
> links into the Fedora web of trust.

"Trust anchor" is too narrow a concept-- If the user has to only
successfully get the real keys once and then will be protected after
if they're successful, that is a win in and of itself. It also means
that more effort can be rationally expended on those few times
initialization (e.g. trying the WOT method, checking multiple sources,
etc.).


Re: More prominent link to verification hashes

2016-02-22 Thread Kevin Fenzi
On Mon, 22 Feb 2016 19:22:24 -
"Ralf Senderek"  wrote:

> > If the site is compromised, most bets are off sadly.   
> 
> Yes, for people who look only in one place, the manipulated web
> server. But that is the reason why the fingerprint has to pop up in
> different places where it is hard to fake. Even if this one user can
> be tricked, others can discover that the site is compromised if the
> fingerprint is independently recorded many times elsewhere.

But how would anyone even know to look there? 
Or if someone told you: "you should check for this key fingerprint on
10 sites before you trust it", an intruder could just spin up 10 random
sites that mention their compromised key. 

I see what you are getting at, but it would only help people heavily
involved in the project any. 

> BTW, pointing to a key server is not the way to convince anyone. A
> key server is a convenient way to get keys, not a tool to assure
> their authenticity. So I don't think that there is much of an
> alternative other than someone stepping in and providing some
> first-hand knowledge about the key.

My point was that you can get the signatures off the key from the
keyserver and see if any of them are someone you trust. If not, are
they connected to someone you trust (hey, look, web of trust). I think
expanding the web of trust on the signatories of the keys would help
more than just trying to distribute the key fingerprint "lots of
places".

kevin





Re: More prominent link to verification hashes

2016-02-22 Thread Ryan S. Brown

On 02/22/2016 02:22 PM, Ralf Senderek wrote:
> > If the site is compromised, most bets are off sadly.
>
> Yes, for people who look only in one place, the manipulated web server.
> But that is the reason why the fingerprint has to pop up in different places
> where it is hard to fake. Even if this one user can be tricked, others can
> discover that the site is compromised if the fingerprint is independently
> recorded many times elsewhere.
>
> BTW, pointing to a key server is not the way to convince anyone. A key server
> is a convenient way to get keys, not a tool to assure their authenticity.
> So I don't think that there is much of an alternative other than someone
> stepping in and providing some first-hand knowledge about the key.

Could an external service such as keybase.io be helpful here? It's not a 
FOSS service, but it's been doing good work on making GPG more 
accessible by tying into many services and putting them all in a sort of 
verification dashboard.

If keybase is new to you, here's my profile https://keybase.io/ryansb

The Fedora team could get a profile and verify the key(s) through 
github, the Fedora and Red Hat web sites, the Fedora magazine twitter 
account, and by having the Fedora team all sign publicly.

Combined with having the key on getfedora.org, it at least provides a 
measure of protection against our site being compromised. It also has 
the benefit of, if someone knows of any Fedora devs on Twitter or 
another service, they can follow the web of social-service trust. This 
isn't as good as if they had a direct path to the Fedora WoT through 
normal signatures, but it's much more likely to actually occur.


--
Ryan Brown / Senior Software Engineer, OpenStack / Red Hat, Inc.


Re: More prominent link to verification hashes

2016-02-22 Thread Ralf Senderek

> If the site is compromised, most bets are off sadly. 

Yes, for people who look only in one place, the manipulated web server.
But that is the reason why the fingerprint has to pop up in different places
where it is hard to fake. Even if this one user can be tricked, others can
discover that the site is compromised if the fingerprint is independently
recorded many times elsewhere.

BTW, pointing to a key server is not the way to convince anyone. A key server
is a convenient way to get keys, not a tool to assure their authenticity.
So I don't think that there is much of an alternative other than someone
stepping in and providing some first-hand knowledge about the key.


Re: More prominent link to verification hashes

2016-02-22 Thread Richard W.M. Jones
On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik  
> wrote:
> > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > download images.
> >
> 
> Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> Media Writer, TBD) as the primary download for Fedora 24, I wonder if
> the new tool automatically verifies the GPG signed hash file, and
> compares that hash with a computed one from the downloaded file?

If we had virt-builder metadata, virt-builder will check the SHA256
[by default] hash of the downloaded cloud image.  The hash is
contained in the GPG signed metadata.  To do this, virt-builder ships
with (or would ship with, if we had virt-builder metadata) the Fedora
GPG pubkey.  Currently SUSE are doing exactly this for their cloud
images.

Rich.

-- 
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
Read my programming and virtualization blog: http://rwmj.wordpress.com
virt-p2v converts physical machines to virtual machines.  Boot with a
live CD or over the network (PXE) and turn machines into KVM guests.
http://libguestfs.org/virt-v2v
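Two passages in this thread describe the same verification policy: Gregory Maxwell's proposal further up (sign every release key with a long-lived offline key or with the previous release's key, and have existing users refuse a new key that does not carry such a certification, with no silent fallback to "pull the keys from the site"), and the Chris Murphy / Richard W.M. Jones exchange just above (a download tool that checks the GPG-signed hash file and then compares the image hash). The following is an added example, not code from Fedora, sigul, virt-builder or anyone in the thread. It models that policy in Go with ed25519 signatures standing in for OpenPGP keys so it runs offline on the standard library; the key names, the certification message format and the sample image bytes are constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// Key is a hypothetical stand-in for an OpenPGP key: either one release's
// signing key or the long-lived, offline "key-signing key" from the thread.
type Key struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

// Certification is a signature by an already-trusted key over the name and
// public material of a newer key (what "sign the F24 key with F23" means).
type Certification struct {
	Signer string
	Sig    []byte
}

func newKey(name string) Key {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return Key{Name: name, Pub: pub, priv: priv}
}

// certMessage binds the subject's name to its public key, so a certification
// cannot be replayed onto a different key. Constructed format for this example.
func certMessage(name string, pub ed25519.PublicKey) []byte {
	return append([]byte("cert:"+name+":"), pub...)
}

// certify has signer vouch for subject (signer is the offline root key or a
// previous release key).
func certify(signer, subject Key) Certification {
	return Certification{Signer: signer.Name, Sig: ed25519.Sign(signer.priv, certMessage(subject.Name, subject.Pub))}
}

// Keyring holds keys the user already trusts, e.g. what an updated
// fedora-repos install carries, or the root key obtained once and kept.
type Keyring map[string]ed25519.PublicKey

// AdmitKey accepts a newly downloaded key only if at least one of its
// certifications verifies under a key already in the keyring. A key that
// arrives without such a certification is an error, not a fallback: a site
// that simply dropped the signing step fails the check loudly.
func (kr Keyring) AdmitKey(name string, pub ed25519.PublicKey, certs []Certification) error {
	msg := certMessage(name, pub)
	for _, c := range certs {
		signerPub, ok := kr[c.Signer]
		if !ok {
			continue // unknown signer says nothing about trust
		}
		if ed25519.Verify(signerPub, msg, c.Sig) {
			kr[name] = pub
			return nil
		}
	}
	return fmt.Errorf("key %q is not certified by any trusted key; refusing", name)
}

// signChecksum produces the "<sha256>  <file>" line and its detached
// signature by the release key, mirroring a signed CHECKSUM file.
func signChecksum(rel Key, image []byte, fname string) (string, []byte) {
	sum := sha256.Sum256(image)
	line := hex.EncodeToString(sum[:]) + "  " + fname
	return line, ed25519.Sign(rel.priv, []byte(line))
}

// VerifyImage checks the CHECKSUM signature under the named trusted release
// key, confirms the line names this file, then recomputes the image hash.
// Every mismatch is a hard failure.
func (kr Keyring) VerifyImage(relName, line string, sig []byte, fname string, image []byte) error {
	pub, ok := kr[relName]
	if !ok {
		return fmt.Errorf("release key %q is not trusted", relName)
	}
	if !ed25519.Verify(pub, []byte(line), sig) {
		return errors.New("CHECKSUM signature does not verify")
	}
	fields := strings.Fields(line)
	if len(fields) != 2 || fields[1] != fname {
		return errors.New("CHECKSUM line does not name this file")
	}
	want, err := hex.DecodeString(fields[0])
	if err != nil {
		return err
	}
	got := sha256.Sum256(image)
	if !bytes.Equal(want, got[:]) {
		return errors.New("image hash mismatch")
	}
	return nil
}

func main() {
	root := newKey("fedora-key-signing-key") // offline root, obtained once
	f23 := newKey("F23")
	f24 := newKey("F24")
	kr := Keyring{root.Name: root.Pub}
	fmt.Println("admit F23:", kr.AdmitKey(f23.Name, f23.Pub, []Certification{certify(root, f23)}))
	fmt.Println("admit F24:", kr.AdmitKey(f24.Name, f24.Pub, []Certification{certify(f23, f24)}))
	img := []byte("constructed sample image bytes") // stands in for an ISO
	line, sig := signChecksum(f24, img, "Fedora-24.iso")
	fmt.Println("verify image:", kr.VerifyImage("F24", line, sig, "Fedora-24.iso", img))
}
```

The design point is in `AdmitKey`: the F24 key is accepted because the already-trusted F23 key certifies it, a replacement key that only certifies itself is rejected, and nothing in the flow falls back to trusting whatever the web server serves. `VerifyImage` is the second half of the same policy, the check a downloader tool would run before handing the user an image.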


Re: More prominent link to verification hashes

2016-02-22 Thread Kevin Fenzi
On Mon, 22 Feb 2016 18:21:04 -
"Ralf Senderek"  wrote:

> While signing new keys with old release keys would certainly help to
> make the attacker's job harder, it doesn't solve the trust problem. 

I don't think it even makes their job harder. 

> The one thing people would have to check is the fingerprint. That in
> itself would be sufficient even if the new key is not being signed by
> another one. The current download gives a fingerprint for the new
> Fedora 24 key:
> 
> Key fingerprint = 5048 BDBB A5E7 76E5 47B0  9CCC 73BD E983 81B4 6521
> 
> and this could as well be manipulated by the attacker who has access
> to the web server. Given that this fingerprint is actually correct,
> it would help if it was printed off-line in any publication
> authorized by Fedora. The use and distribution of the fingerprint to
> various places showing consistently the same information would make
> it near impossible to fake the key. If that had been done beforehand,
> all a new, ordinary user would have to do is to check this one
> fingerprint.

They would know that they should do this how? 

It is available on sks keyservers like keys.fedoraproject.org

> So please can someone convince me that the key above is really the
> right one? If so, using this fingerprint anywhere would help to build
> the trust that is not there yet.

In the end you are either trusting the https network or the gpg web of
trust. 

> Using HTTPS does not at all verify that the information you get is
> correct, it assures you of the correct origin, if https actually
> works as advertised, which in many cases it doesn't. But Red Hat
> could publish the Fedora fingerprint as well on their servers.

Sure, but who would know to look there?

If the site is compromised, most bets are off sadly. 

kevin





Re: More prominent link to verification hashes

2016-02-22 Thread Kevin Fenzi
On Mon, 22 Feb 2016 16:48:29 +
Gregory Maxwell  wrote:

> On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik
>  wrote:
> > One has to jump into the installation guide, in order to find a
> > buried link to https://getfedora.org/verify  
> 
> The instructions here have you download a set of PGP keys from the
> same https webserver which could have been compromised to give you bad
> download instructions.
> 
> The Fedora 24 key inside it is not signed by any other key. (And even
> if it were, no instruction is given to verify the key authenticity;
> nor to seek out signatures on the key elsewhere (there is one on the
> MIT key servers, but it does no good to users following these
> instructions)).
> 
> This is security theater

Well, I agree the instructions could do better, but how would that help
if the site was compromised? The attackers would write their own
instructions. 

In addition to the verify link, the https://getfedora.org/en/keys/faq/
needs a good going over. 

Pointing people to the sks keyservers to download the key would be nice
and asking them to check the signatures for a web of trust link would
be great, but I am not sure how many people would care to do that or
have any links there. 

> I've previously complained that Fedora PGP keys are unsigned,
> otherwise unauthenticated, and shipped in the same location as the
> potentially compromised binaries; and that the verification does
> nothing to improve security against compromise of the main download
> site, or MITM near enough to it on the network to get a https cert...
> to no effect before.

If the site is compromised how would any of that help?

> Authenticating keys is hard in general; but existing fedora users
> should at least be able to trust-on-first-use chain from earlier keys
> to later ones-- assuming the fedora keys are kept offline and not
> compromised-- and the instructions should have them verify
> accordingly.  But this would require the keys being shipped are signed
> with prior releases key (or some static key signing key), and existing
> users being told to check for that. It would also be preferable if the
> keys were distributed on a separate server on a different network, so
> that https would protect users that didn't/couldn't verify the
> authenticity of the downloaded keys.

This is already done somewhat... the fedora-repos package has all the
keys in it from the time it was last updated. So, if you have a fedora
install you can check the key in fedora-repos. However, that still
doesn't get around the fact that the anchor of trust here is the ca
certificate system, or I suppose, best case it would be a web of trust
link back to the gpg key, but the web of trust is not that expansive
and random users who don't care about gpg likely wouldn't have any
links into the Fedora web of trust. 

kevin




Re: More prominent link to verification hashes

2016-02-22 Thread Ralf Senderek
> On Sun, Feb 21, Gregory Maxwell wrote:

> The Fedora 24 key inside it is not signed by any other key. 
... 
> Authenticating keys is hard in general; but existing fedora users
> should at least be able to trust-on-first-use chain from earlier keys
> to later ones-- assuming the fedora keys are kept offline and not
> compromised-- and the instructions should have them verify
> accordingly.  But this would require the keys being shipped are signed
> with prior releases key (or some static key signing key), and existing
> users being told to check for that. 

While signing new keys with old release keys would certainly help to make the
attacker's job harder, it doesn't solve the trust problem. 
The one thing people would have to check is the fingerprint. That in itself
would be sufficient even if the new key is not being signed by another one.
The current download gives a fingerprint for the new Fedora 24 key:

Key fingerprint = 5048 BDBB A5E7 76E5 47B0  9CCC 73BD E983 81B4 6521

and this could as well be manipulated by the attacker who has access to the web
server.
Given that this fingerprint is actually correct, it would help if it was
printed off-line in any publication authorized by Fedora. The use and
distribution of the fingerprint to various places showing consistently the same
information would make it near impossible to fake the key.
If that had been done beforehand, all a new, ordinary user would have to do is
to check this one fingerprint.

So please can someone convince me that the key above is really the right one?
If so, using this fingerprint anywhere would help to build the trust that is
not there yet.


> It would also be preferable if the
> keys were distributed on a separate server on a different network, so
> that https would protect users that didn't/couldn't verify the
> authenticity of the downloaded keys.

Using HTTPS does not at all verify that the information you get is correct, it
assures you of the correct origin, if https actually works as advertised, which
in many cases it doesn't. But Red Hat could publish the Fedora fingerprint as
well on their servers.


Re: More prominent link to verification hashes

2016-02-22 Thread Gregory Maxwell
On Sun, Feb 21, 2016 at 2:32 PM, Sam Varshavchik  wrote:
> One has to jump into the installation guide, in order to find a buried link
> to https://getfedora.org/verify

The instructions here have you download a set of PGP keys from the
same https webserver which could have been compromised to give you bad
download instructions.

The Fedora 24 key inside it is not signed by any other key. (And even
if it were, no instruction is given to verify the key authenticity;
nor to seek out signatures on the key elsewhere (there is one on the
MIT key servers, but it does no good to users following these
instructions)).

This is security theater.

I've previously complained that Fedora PGP keys are unsigned,
otherwise unauthenticated, and shipped in the same location as the
potentially compromised binaries; and that the verification does
nothing to improve security against compromise of the main download
site, or MITM near enough to it on the network to get a https cert...
to no effect before.

Authenticating keys is hard in general; but existing fedora users
should at least be able to trust-on-first-use chain from earlier keys
to later ones-- assuming the fedora keys are kept offline and not
compromised-- and the instructions should have them verify
accordingly.  But this would require the keys being shipped are signed
with prior releases key (or some static key signing key), and existing
users being told to check for that. It would also be preferable if the
keys were distributed on a separate server on a different network, so
that https would protect users that didn't/couldn't verify the
authenticity of the downloaded keys.


Re: More prominent link to verification hashes

2016-02-22 Thread Kevin Fenzi
On Sun, 21 Feb 2016 23:21:58 +0100
Jens Lody  wrote:

> This can also be done before clicking the link-button, or the download
> splash is also shown without javascript. This should not be too hard
> to implement.

https://fedorahosted.org/fedora-websites awaits your ticket. 

Bonus points for proposed patch also. ;) 

kevin




Re: More prominent link to verification hashes

2016-02-22 Thread Sam Varshavchik

Adam Williamson writes:

> On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote:
> > On Sun, 21 Feb 2016 21:35:32 +
> > Tom Hughes wrote:
> >
> > > On 21/02/16 21:31, Jens Lody wrote:
> > >
> > > > I don't see any hint about verification, if I go to the
> > > > download-site from germany:
> > > >
> > > > https://getfedora.org/de_CH/workstation/download/
> > > >
> > > > There's just a button, that directly downloads the iso.  
> > > You must have javascript disabled for getfedora.org then - if it was 
> > > enabled you would get the screen Kevin mentioned.
> > >
> > > Tom
> > >
> > I also thought that this can be the cause, so I explicitly enabled it
> > before I checked the site.
> >
> > But even if a user does not enable javascript, the site should at least
> > show a hint about verification.
>
> This is all fairly beside the point, however, if we're talking about
> the scenario that affected Mint. The attacker in that case was able to
> modify the download pages themselves. It doesn't matter if the pristine
> pages feature a giant pink unicorn holding a banner that says "VERIFY
> YOUR DOWNLOAD!" in flashing 144pt Comic Sans - if the attacker can
> modify the download pages, they just remove all the stuff about
> verifying the download. Or, better, change the checksums so they
> match...

Yeah, not much can be done about total 0wnage. But, that shouldn't be a  
reason to avoid doing something fairly simple that would mitigate partial  
0wnage. Making sure that instructions for verifying the hashes of downloaded  
ISO images are easily and readily visible would be a bare minimum, I'd  
think. I'm sure that the ISOs are not stored on the web servers themselves.







Re: More prominent link to verification hashes

2016-02-22 Thread Adam Williamson
On Sun, 2016-02-21 at 23:08 +0100, Jens Lody wrote:
> On Sun, 21 Feb 2016 21:35:32 +
> Tom Hughes wrote:
> 
> > 
> > On 21/02/16 21:31, Jens Lody wrote:
> > 
> > > 
> > > I don't see any hint about verification, if I go to the
> > > download-site from Germany:
> > > 
> > > https://getfedora.org/de_CH/workstation/download/
> > > 
> > > There's just a button, that directly downloads the iso.  
> > You must have javascript disabled for getfedora.org then - if it was 
> > enabled you would get the screen Kevin mentioned.
> > 
> > Tom
> > 
> I also thought that this can be the cause, so I explicitly enabled it
> before I checked the site.
> 
> But even if a user does not enable javascript, the site should at least
> show a hint about verification.

This is all fairly beside the point, however, if we're talking about
the scenario that affected Mint. The attacker in that case was able to
modify the download pages themselves. It doesn't matter if the pristine
pages feature a giant pink unicorn holding a banner that says "VERIFY
YOUR DOWNLOAD!" in flashing 144pt Comic Sans - if the attacker can
modify the download pages, they just remove all the stuff about
verifying the download. Or, better, change the checksums so they
match...
-- 
Adam Williamson
Fedora QA Community Monkey
IRC: adamw | Twitter: AdamW_Fedora | XMPP: adamw AT happyassassin . net
http://www.happyassassin.net



Re: More prominent link to verification hashes

2016-02-21 Thread Jens Lody
On Sun, 21 Feb 2016 23:08:23 +0100,
Jens Lody wrote:

> On Sun, 21 Feb 2016 21:35:32 +
> Tom Hughes wrote:
> 
> > On 21/02/16 21:31, Jens Lody wrote:
> >   
> > > I don't see any hint about verification, if I go to the
> > > download-site from Germany:
> > >
> > > https://getfedora.org/de_CH/workstation/download/
> > >
> > > There's just a button, that directly downloads the iso.
> > 
> > You must have javascript disabled for getfedora.org then - if it
> > was enabled you would get the screen Kevin mentioned.
> > 
> > Tom
> >   
> 
> I also thought that this can be the cause, so I explicitly enabled it
> before I checked the site.

Oops, you are right.
I did not click on the link/button after turning on javascript, only
without it.
I thought it was just a link to the iso, as shown in the status line.

Nevertheless:
> 
> But even if a user does not enable javascript, the site should at
> least show a hint about verification.

This can also be done before clicking the link button, or the download
splash could also be shown without javascript. This should not be too
hard to implement.

Jens




Re: More prominent link to verification hashes

2016-02-21 Thread Jens Lody
On Sun, 21 Feb 2016 21:35:32 +,
Tom Hughes wrote:

> On 21/02/16 21:31, Jens Lody wrote:
> 
> > I don't see any hint about verification, if I go to the
> > download-site from Germany:
> >
> > https://getfedora.org/de_CH/workstation/download/
> >
> > There's just a button, that directly downloads the iso.  
> 
> You must have javascript disabled for getfedora.org then - if it was 
> enabled you would get the screen Kevin mentioned.
> 
> Tom
> 

I also thought that this can be the cause, so I explicitly enabled it
before I checked the site.

But even if a user does not enable javascript, the site should at least
show a hint about verification.

Jens



Re: More prominent link to verification hashes

2016-02-21 Thread Jens Lody
On Sun, 21 Feb 2016 10:36:37 -0700,
Kevin Fenzi wrote:

> On Sun, 21 Feb 2016 09:32:46 -0500
> Sam Varshavchik  wrote:
> 
> > So, I see that someone hacked Linux Mint, and slipped in some
> > trojaned ISO download images.
> > 
> > As a curiosity, I went to https://getfedora.org, to see how easy it
> > is to find instructions for verifying the downloaded images.
> > 
> > I couldn't find it. There were many helpful download links, all over
> > the place, but mum was the word on any kind of a verifications.
> > 
> > One has to jump into the installation guide, in order to find a
> > buried link to https://getfedora.org/verify
> > 
> > This link is hidden very well. It shouldn't be. The fact is that
> > with Live images being the primary avenue for installing Fedora,
> > the need for an installation guide is greatly diminished.
> > 
> > Every link to download a Live image should have a link to  
> > https://getfedora.org/verify right next to it, so you can't miss it.
> > This should be a policy.  
> 
> It does. You just didn't look in the right place. ;) 
> 
> When you click on a download link, the site directs you to a page
> showing the download link and that it should have started downloading
> in your browser and then at the very top is a section talking about
> verification. 
> 
> https://getfedora.org/en/workstation/download/ws-download-splash?file=https://download.fedoraproject.org/pub/fedora/linux/releases/23/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-23-10.iso
> 
> "Verify your Download!
> 
> Once you have downloaded an image, verify it for security and
> integrity. To verify your image, start by downloading the proper
> CHECKSUM file into the same directory as the image you downloaded and
> follow these instructions."
> 
> (and then a big button to download the signed checksum file)
> 
> If you have ideas or thoughts around making things better, please do
> file a ticket with the websites folks and discuss it with them. 
> https://fedorahosted.org/fedora-websites/
> 
> kevin

I don't see any hint about verification, if I go to the download-site from
Germany:

https://getfedora.org/de_CH/workstation/download/

There's just a button, that directly downloads the iso.

Jens



Re: More prominent link to verification hashes

2016-02-21 Thread Tom Hughes

On 21/02/16 21:31, Jens Lody wrote:
> I don't see any hint about verification, if I go to the download-site from
> Germany:
>
> https://getfedora.org/de_CH/workstation/download/
>
> There's just a button, that directly downloads the iso.

You must have javascript disabled for getfedora.org then - if it was
enabled you would get the screen Kevin mentioned.


Tom

--
Tom Hughes (t...@compton.nu)
http://compton.nu/


Re: More prominent link to verification hashes

2016-02-21 Thread Zbigniew Jędrzejewski-Szmek
On Sun, Feb 21, 2016 at 01:43:54PM -0500, Matthew Miller wrote:
> On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> > On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik  
> > wrote:
> > > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > > download images.
> > Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> > Media Writer, TBD) as the primary download for Fedora 24, I wonder if
> > the new tool automatically verifies the GPG signed hash file, and
> > compares that hash with a computed one from the downloaded file?
> 
> AFAIK, it compares the computed hash with the one from the hash file,
> but I don't think it does GPG verification. There's some level of
> "turtles all the way down" going on here, though, because how do you
> know that LiveUSB creator is itself uncompromised, checking against the
> right GPG key, and reporting the results accurately?

Wasn't there a lot of discussion recently about how to sign LUC?

Zbyszek


Re: More prominent link to verification hashes

2016-02-21 Thread Matthew Miller
On Sun, Feb 21, 2016 at 11:31:05AM -0700, Chris Murphy wrote:
> On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik  
> wrote:
> > So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> > download images.
> Since Fedora looks to be moving to Live USB Creator (maybe Fedora
> Media Writer, TBD) as the primary download for Fedora 24, I wonder if
> the new tool automatically verifies the GPG signed hash file, and
> compares that hash with a computed one from the downloaded file?

AFAIK, it compares the computed hash with the one from the hash file,
but I don't think it does GPG verification. There's some level of
"turtles all the way down" going on here, though, because how do you
know that LiveUSB creator is itself uncompromised, checking against the
right GPG key, and reporting the results accurately?

-- 
Matthew Miller

Fedora Project Leader


Re: More prominent link to verification hashes

2016-02-21 Thread Chris Murphy
On Sun, Feb 21, 2016 at 7:32 AM, Sam Varshavchik  wrote:
> So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO
> download images.
>

Since Fedora looks to be moving to Live USB Creator (maybe Fedora
Media Writer, TBD) as the primary download for Fedora 24, I wonder if
the new tool automatically verifies the GPG signed hash file, and
compares that hash with a computed one from the downloaded file?


-- 
Chris Murphy


Re: More prominent link to verification hashes

2016-02-21 Thread Kevin Fenzi
On Sun, 21 Feb 2016 09:32:46 -0500
Sam Varshavchik  wrote:

> So, I see that someone hacked Linux Mint, and slipped in some
> trojaned ISO download images.
> 
> As a curiosity, I went to https://getfedora.org, to see how easy it
> is to find instructions for verifying the downloaded images.
> 
> I couldn't find it. There were many helpful download links, all over
> the place, but mum was the word on any kind of a verifications.
> 
> One has to jump into the installation guide, in order to find a
> buried link to https://getfedora.org/verify
> 
> This link is hidden very well. It shouldn't be. The fact is that with
> Live images being the primary avenue for installing Fedora, the need
> for an installation guide is greatly diminished.
> 
> Every link to download a Live image should have a link to  
> https://getfedora.org/verify right next to it, so you can't miss it.
> This should be a policy.

It does. You just didn't look in the right place. ;) 

When you click on a download link, the site directs you to a page
showing the download link and that it should have started downloading
in your browser and then at the very top is a section talking about
verification. 

https://getfedora.org/en/workstation/download/ws-download-splash?file=https://download.fedoraproject.org/pub/fedora/linux/releases/23/Workstation/x86_64/iso/Fedora-Live-Workstation-x86_64-23-10.iso

"Verify your Download!

Once you have downloaded an image, verify it for security and
integrity. To verify your image, start by downloading the proper
CHECKSUM file into the same directory as the image you downloaded and
follow these instructions."

(and then a big button to download the signed checksum file)

If you have ideas or thoughts around making things better, please do
file a ticket with the websites folks and discuss it with them. 
https://fedorahosted.org/fedora-websites/

kevin

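The two-step check behind the splash page Kevin quotes above, and the gap Matthew points out (a hash comparison alone is not signature verification), as an added example that is not code from getfedora.org or Live USB Creator. It assumes the BSD-style `SHA256 (name) = hex` line layout of the Fedora CHECKSUM files; the gpg invocation, keyring path and sample image bytes are assumptions or constructed.

```python
"""Two-step check of a downloaded image against a Fedora-style CHECKSUM file.
Added example, not code from getfedora.org or Live USB Creator; assumes the
BSD-style "SHA256 (name) = hex" layout; gpg call and keyring path are assumptions."""
import hashlib
import hmac
import re
import subprocess
import tempfile
from pathlib import Path

CHECKSUM_LINE = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-f]{64})$")

def parse_checksum_file(text):
    """Return {filename: sha256hex}; PGP armor, headers and comment lines are skipped."""
    sums = {}
    for line in text.splitlines():
        m = CHECKSUM_LINE.match(line.strip())
        if m:
            sums[m.group("name")] = m.group("hex")
    return sums

def sha256_of(path, chunk=1 << 20):
    """Stream the file so a multi-GB ISO need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def signature_is_valid(checksum_path, keyring):
    """Step 1: the CHECKSUM file must verify against the release key. A hash-only
    check catches corruption, not a swapped image whose checksum was rewritten too."""
    r = subprocess.run(["gpg", "--no-default-keyring", "--keyring", keyring,
                        "--verify", checksum_path], capture_output=True)
    return r.returncode == 0

def image_matches(image_path, sums):
    """Step 2: compare the computed digest with the one from the signed file."""
    expected = sums.get(Path(image_path).name)
    return expected is not None and hmac.compare_digest(sha256_of(image_path), expected)

def demo():
    """Constructed sample: a fake image and its CHECKSUM text, then a tampered copy."""
    with tempfile.TemporaryDirectory() as d:
        iso = Path(d, "Fedora-Live-Workstation-x86_64-23-10.iso")
        iso.write_bytes(b"constructed image bytes\n" * 1000)
        sums = parse_checksum_file("-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n"
                                   f"SHA256 ({iso.name}) = {sha256_of(iso)}\n")
        good = image_matches(iso, sums)
        with iso.open("ab") as f:
            f.write(b"extra bytes\n")  # simulate a swapped or tampered image
        return good, image_matches(iso, sums)
```

In real use run `signature_is_valid()` on the downloaded CHECKSUM file before trusting any digest it contains; `demo()` exercises only the hash step.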


More prominent link to verification hashes

2016-02-21 Thread Sam Varshavchik
So, I see that someone hacked Linux Mint, and slipped in some trojaned ISO  
download images.


As a curiosity, I went to https://getfedora.org, to see how easy it is to  
find instructions for verifying the downloaded images.


I couldn't find it. There were many helpful download links, all over the  
place, but mum was the word on any kind of a verifications.


One has to jump into the installation guide, in order to find a buried link  
to https://getfedora.org/verify


This link is hidden very well. It shouldn't be. The fact is that with Live  
images being the primary avenue for installing Fedora, the need for an  
installation guide is greatly diminished.


Every link to download a Live image should have a link to  
https://getfedora.org/verify right next to it, so you can't miss it. This  
should be a policy.
