On Wed, Jul 15, 2009 at 10:03 AM, brian<fedora@xxxxxxx> wrote:
> I just tried to run software update again and got the following msg:
>
> -- snip --
> Do you trust the source of the packages?
>
> Repository name: updates
> Signature URL: /etc/pki/rpm/-gpg/RPM-GPG-KEY-fedora-i386
> Signature user identifier: Fedora(11) <fedora@xxxxxxxxxxxxxxxxx>
> Signature identifier: D22E77F2
> Package: xfsprogs-3.0.1-6.fc11
>
> Do you recognise the user and trust the key?
> -- snip --
>
> Well, yes, I recognise that. But how can I know to trust it? I see the email
> address is at fedoraproject.org but I have no idea how to interpret the
> "Signature identifier" nor whether updates can be spoofed. I'm not being
> paranoid--I figure this may have something to do with the recent updates
> issue and it's probably fine. I'm just curious about this. What criteria
> should I use to decide whether or not to accept this?

That's actually a very hard question. Asking someone else to tell you what to trust implies you already trust the person whom you are asking. How exactly do you make the determination to trust what I'm going to tell you if you don't know how to assign trust already? Even if you do trust the person I am claiming to be, how do you know I'm really that person and not someone sitting at his desk while he's getting coffee and forgot to lock his computer screen?

Deep.

What a GPG signature on a package lets you know is that the person signing the package is the person who had access to the key (typically a password-protected key). That is all it does. Everything else is your discretion and judgement as to whether you trust that person or the package.

When you see a GPG signature which purports to be the key for a specific repository, how do you know it really is the key the repository admins are using? I could easily produce a new GPG key meant to confuse you and sign packages in my own repository with that key. I could then trick you into configuring that repository.
How would you verify that my key was not the official Fedora project key? The most practical thing to do is to go to the repository in question and independently verify the key they are using. In the case of Fedora:

http://fedoraproject.org/en/keys

Is that enough of a trust verification for you personally? If I told you it was, should you trust me about that? Even then, can you be sure the key you are seeing on that website is the right key? You could look for it on a 3rd party gpg key server like pgp.mit.edu.. but again then you have to trust that it wasn't uploaded by someone else.

To trust a key beyond that you need to use a "web of trust" metric which examines who has signed the repository key. For real people...an entire protocol has been established for meeting face-to-face and signing each other's GPG keys after verifying each other's identity via government issued documents like drivers licenses or passports. This process, if adhered to, builds a "web of trust." If you have met me and certified that I am who I say I am..and trust me to verify the identity of other people in a similar manner...you can assign trust to the validity of any GPG key I have personally signed. And on and on..making a network..of mutually signed keys..backed by face-to-face identification verification.

But how exactly would you do that with a project wide or repository key? Hmm?

gpg /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-i386

will give you the necessary information to do a lookup on pgp.mit.edu for the project key. For the F10 key I see jkeating has signed it. Do I trust jkeating? Yes. Not with my life but with my computer systems, sure. Do I trust that is actually jkeating's digital signature? I haven't signed his key so I've not done the necessary verification myself. So how do I know? Well, if you look at who signed his key...and then you look at who signed their keys...on and on..eventually I may find that I have signed someone's key in the web of trust associated with jkeating's key.
Assuming everyone in the link between me and jkeating in the GPG web of trust did everything they were supposed to do to verify identity...then I can probably trust that the key really is jkeating's key and thus jkeating trusts the key claiming to be the Fedora 10 key. But what if I don't trust anyone in the web of trust around the jkeating key?

See how deep this is. Unless you already trust someone, you can't trust anyone. Even the personal verification protocol can be abused if people want to use false identification. Very few of us are equipped to actually detect false government documents.

Deep.

And that's just a discussion of the complication of defining trust strictly in terms of identity...without talking about trust as a value judgement. You could trust my key to be my key...but you may not trust me to create non-malicious packages.

Deep.

-jef

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
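An added example, not part of the thread above, of the practical check the reply describes: compare the key file that the update dialog points at against the key published on the Fedora keys page. One caveat the dialog itself does not make obvious: the "Signature identifier" (D22E77F2) is only the short key ID, i.e. the last eight hex digits of the key's 40-digit fingerprint, and keys with a chosen short ID can be generated cheaply, so the comparison below is done on the full fingerprint and the short ID is derived from it only for matching against `rpm -q gpg-pubkey`. The gpg invocation assumes the 1.4-era `gpg --with-fingerprint <file>` form (GnuPG 2.2+ accepts `gpg --show-keys` in its place); the fingerprint used in the test is a constructed placeholder, not a real Fedora key.

```shell
#!/bin/sh
# verify-repo-key.sh (added example, not Fedora project code)
# Check that a repository key file carries the fingerprint you obtained
# out-of-band (e.g. from http://fedoraproject.org/en/keys), comparing the
# full fingerprint rather than the spoofable 8-digit short key ID.

# Normalise a fingerprint as printed by gpg or a web page: drop spaces,
# colons and newlines, upper-case the hex digits.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F'
}

# Return 0 when two fingerprints are identical after normalisation.
fpr_match() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Short key ID: the last 8 hex digits of a v4 key fingerprint. This is the
# value PackageKit shows as "Signature identifier"; it is NOT a safe thing
# to compare on its own, only a convenient handle for rpm's gpg-pubkey list.
short_id() {
    norm_fpr "$1" | tail -c 8
}

# Read the primary key fingerprint out of a key file with gpg's
# machine-readable (--with-colons) output; the fpr record has it in field 10.
key_fingerprint() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Usage: sh verify-repo-key.sh /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-i386 '<fingerprint from the keys page>'
# Only runs when two arguments are given and gpg is installed, so the
# functions above can also be sourced for testing on a box without gpg.
if [ $# -eq 2 ] && command -v gpg >/dev/null 2>&1; then
    actual=$(key_fingerprint "$1")
    if [ -z "$actual" ]; then
        echo "could not read a fingerprint from $1" >&2
        exit 2
    fi
    if fpr_match "$actual" "$2"; then
        sid=$(short_id "$actual")
        echo "OK: $1 has fingerprint $(norm_fpr "$actual") (short id $sid)"
        # Show whether rpm has already imported this key; the gpg-pubkey
        # pseudo-package's version is the lower-cased short ID.
        if command -v rpm >/dev/null 2>&1; then
            rpm -q gpg-pubkey --qf '%{version}-%{release} %{summary}\n' 2>/dev/null \
                | grep -i "^$sid" || echo "note: key $sid not yet imported into the rpm database"
        fi
    else
        echo "MISMATCH: $1 has fingerprint $(norm_fpr "$actual"), expected $(norm_fpr "$2")" >&2
        exit 1
    fi
fi
```

After the key checks out and `rpm --import` has been run, `rpm -K xfsprogs-3.0.1-6.fc11.i586.rpm` verifies the package signature against the imported key; a signature that verifies only tells you the signer held that key, which is exactly the limit the reply above draws.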