On 9/9/20 3:45 AM, Andrew David Wong wrote:

On 2020-09-07 5:42 PM, Andrew David Wong wrote:

On 2020-09-05 12:35 PM, 'awokd' via qubes-users wrote:
If you're concerned about Fedora's lack of signing, switch to
Debian templates, or some other that has signing.

This is a misconception. Fedora packages are absolutely
cryptographically signed by PGP keys. The signature verification must
succeed, or else the package will not be updated or installed. You can
prove this for yourself by temporarily moving/renaming the signing
keys, then trying to install a package.

The real issue is about signing repo metadata. See these threads:

https://groups.google.com/g/qubes-users/c/HHedtfDFdj4/m/dap-D0nwEwAJ
https://groups.google.com/g/qubes-users/c/cNwCH3rcIGk/m/grr1yJktDAAJ
https://groups.google.com/g/qubes-users/c/X0GvIdpQtcM/m/Tey9k_geWGUJ


Follow-up:

https://github.com/QubesOS/qubes-issues/issues/1919#issuecomment-689245921

Being a long-time SUSE user, I'm somewhat surprised, assuming that Red Hat and SUSE would use a similar mechanism. For SUSE, the metadata root (metadata files, their sizes and their checksums) is signed. See https://en.opensuse.org/openSUSE:Libzypp_metadata_signature


-- Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
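
The metadata-root check mentioned in the reply above, as an added example that is not part of the original thread: a client compares each fetched metadata file against the size and checksum recorded in the root. The XML layout follows the rpm-md `repomd.xml` format; the file names and contents are constructed, and verification of the signature on the root itself is assumed to have been done beforehand.

```python
import hashlib
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # rpm-md repomd namespace


def build_repomd(files):
    """Build a minimal metadata root listing href, size and SHA-256 per file."""
    entries = "".join(
        f'<data type="{kind}">'
        f'<checksum type="sha256">{hashlib.sha256(body).hexdigest()}</checksum>'
        f'<location href="{href}"/><size>{len(body)}</size></data>'
        for kind, (href, body) in files.items())
    return f'<repomd xmlns="{NS["r"]}">{entries}</repomd>'


def verify_metadata(repomd_xml, fetched):
    """Compare fetched files with the root; returns {href: verdict}.

    Assumption: the caller has already verified the detached signature on
    repomd_xml. Without that step this check only detects corruption,
    because whoever alters a file can also rewrite the root to match.
    """
    results = {}
    for data in ET.fromstring(repomd_xml).findall("r:data", NS):
        href = data.find("r:location", NS).get("href")
        csum = data.find("r:checksum", NS)
        size = int(data.find("r:size", NS).text)
        body = fetched.get(href)
        if body is None:
            results[href] = "missing"
        elif csum.get("type") != "sha256":
            results[href] = "unsupported checksum"
        elif len(body) != size:
            results[href] = "size mismatch"
        elif hashlib.sha256(body).hexdigest() != csum.text.strip():
            results[href] = "checksum mismatch"
        else:
            results[href] = "ok"
    return results


# Constructed sample repository metadata (not real repository content).
GOOD = {
    "primary": ("repodata/primary.xml", b"<metadata><package name='vim' ver='8.2'/></metadata>"),
    "filelists": ("repodata/filelists.xml", b"<filelists/>"),
}
REPOMD = build_repomd(GOOD)

if __name__ == "__main__":
    fetched = {href: body for href, body in GOOD.values()}
    fetched["repodata/primary.xml"] = fetched["repodata/primary.xml"].replace(b"8.2", b"8.1")
    print(verify_metadata(REPOMD, fetched))
```
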


