I went ahead and read the code. I found out that the kernel and ramdisk images in /boot/upgrade are *not* extracted from any PGP-signed package. They are downloaded one by one, apparently from one of the mirrors in "installmirrorlist". I also found these comments:

# FIXME - check the packages? Durrrrrrrrrrrr
# TODO: gpgcheck downloaded pkgs
# File exists and it's the right size.. guess it's probably OK
# We should be doing some integrity checks but we don't have
# anything to check it against - la la la la

The last one talks about the kernel and ramdisk images. So no check is performed on the installer kernel before it's booted, no check is performed on the installer's root filesystem before the programs therein are executed, and the packages aren't checked either – at least not while the trusted, already installed OS still has control.

I've got my answer: Preupgrade is not secure. I'll continue upgrading the way I've done it before – either with Yum or from a DVD image on a USB stick.

Rahul Sundaram wrote:
> gpg check is during the installation/upgrade phase.

That would be OK if the installer itself were checked before it's booted, but since the installer is completely unchecked it can't be trusted to check anything.

> > That still leaves the files in /boot/upgrade, which contain executable
> > code but which are not RPM packages. Did they come out of an RPM package
> > whose signature was checked?
>
> They are.

As I wrote above, that turns out not to be the case.

> Yes but more questions about internal details on how it all works can be
> either posted to fedora-devel list or anaconda-devel list. There might
> be things folks have missed in the process.

The comments in the code show that the authors already know they "missed" all the signature checking.

Björn Persson

--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
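The message above quotes a comment that accepts a downloaded image because it "exists and it's the right size". The following is an added example (not code from the mail, from preupgrade, or from anaconda) showing why that is not an integrity check and what the missing check looks like: a manifest of digests whose authenticity is verified first, then each downloaded image compared against it. The manifest signature is modelled with an HMAC under a constructed key as a stand-in for a detached GPG signature held by the already-installed OS; the kernel and initrd contents, the manifest format and every name below are constructed for the example.

```python
"""Size-only acceptance versus verifying downloads against an authenticated manifest.

Added example; not from the mailing-list post or from preupgrade/anaconda.
The HMAC stands in for a detached GPG signature over the manifest (assumption:
a real installer would verify the manifest with a release key shipped in the
trusted, already-installed OS, e.g. via gpg --verify, before trusting any hash).
"""
import hashlib
import hmac
import os
import tempfile

# Constructed stand-in for the release signing key (assumption, see docstring).
SIGNING_KEY = b"constructed-release-key"


def sign_manifest(manifest: str, key: bytes = SIGNING_KEY) -> str:
    """Produce the manifest 'signature' (HMAC-SHA256 stand-in for a GPG signature)."""
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_manifest(manifest: str, signature: str, key: bytes = SIGNING_KEY) -> bool:
    """Constant-time comparison so a forged signature cannot be guessed byte by byte."""
    return hmac.compare_digest(sign_manifest(manifest, key), signature)


def sha256_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def size_only_check(path: str, expected_size: int) -> bool:
    """The check the quoted comment describes: file exists and has the right size."""
    return os.path.exists(path) and os.path.getsize(path) == expected_size


def make_manifest(files: dict) -> str:
    """One line per image: '<sha256> <size> <name>' (constructed format)."""
    lines = [f"{sha256_file(p)} {os.path.getsize(p)} {name}" for name, p in sorted(files.items())]
    return "\n".join(lines) + "\n"


def parse_manifest(manifest: str) -> dict:
    entries = {}
    for line in manifest.splitlines():
        digest, size, name = line.split(maxsplit=2)
        entries[name] = (digest, int(size))
    return entries


def verify_download(files: dict, manifest: str, signature: str):
    """Accept the images only if the manifest is authentic and every file matches it.

    Returns (ok, reason). The signature is checked before any digest is trusted,
    so a mirror cannot simply ship a manifest that matches its tampered images.
    """
    if not verify_manifest(manifest, signature):
        return False, "manifest signature invalid"
    entries = parse_manifest(manifest)
    for name, path in files.items():
        if name not in entries:
            return False, f"{name} not in manifest"
        digest, size = entries[name]
        if not size_only_check(path, size):
            return False, f"{name}: missing or wrong size"
        if not hmac.compare_digest(sha256_file(path), digest):
            return False, f"{name}: digest mismatch"
    return True, "ok"


def demo():
    """Constructed kernel/initrd blobs; one is then overwritten without changing its size."""
    with tempfile.TemporaryDirectory() as d:
        vmlinuz = os.path.join(d, "vmlinuz")
        initrd = os.path.join(d, "initrd.img")
        with open(vmlinuz, "wb") as f:
            f.write(b"\x7fELF constructed kernel image " * 64)  # 30-byte pattern, constructed
        with open(initrd, "wb") as f:
            f.write(b"constructed initramfs payload " * 64)
        files = {"vmlinuz": vmlinuz, "initrd.img": initrd}
        manifest = make_manifest(files)
        sig = sign_manifest(manifest)
        genuine = verify_download(files, manifest, sig)

        # A hostile mirror swaps the first 30 bytes for a same-length payload.
        size = os.path.getsize(vmlinuz)
        with open(vmlinuz, "r+b") as f:
            f.seek(0)
            f.write(b"\x7fELF tampered    kernel image ")  # also 30 bytes
        size_ok = size_only_check(vmlinuz, size)        # still True: size unchanged
        tampered = verify_download(files, manifest, sig)  # digest mismatch

        # The mirror also ships a fresh manifest for the tampered files, but cannot sign it.
        forged = verify_download(files, make_manifest(files), "0" * 64)
        return genuine, size_ok, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("genuine", "size-only check", "tampered", "forged manifest"), demo()):
        print(f"{label}: {result}")
```

The order of checks is the point: the manifest's signature is verified before any digest in it is used, because a digest list that can be rewritten by whoever controls the mirror proves nothing. Substituting `gpg --verify` on a detached signature for the HMAC leaves the control flow unchanged.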