On Monday 25 February 2008, Johnny Hughes wrote:
Jeff Sheltren wrote:
...
Johnny, could you let us know your reasons for wanting to point to the remote GPG key?
We DON'T allow downloads of ISOs from centos.org servers due to bandwidth considerations. It would be fairly easy to put out an ISO that had different RPMS and a different key.
Granted, people CAN check the md5 and sha1 sum of the ISOs if they choose.
Since we do control the content of every mirror.centos.org server, we know that the key file is correct. In order to make that key AND the RPMS be bad, they need a doctored CD *AND* they need to hijack our content by DNS poisoning or getting control of our servers.
I just think if you are using the internet anyway, why not also get the key from a known location.
I agree that there's something intuitively right about that, but, unfortunately, it's wrong :-)
Here's why.
We have to assume that the install the user has is intact and uncompromised. Why? Well, if it has been compromised in any way then not only could it contain a malicious /etc/pki, it could of course have different gpgkey= lines in the .repo files...
It will have to be up to the user to make sure (with our help, signed .isos, installers that check rpm signatures and stage2 signature) that he/she has an ok system. If they fail then they don't really run centos, they run haxx0r os and any attempt to validate anything inside that will fail.
/Peter
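A small audit of the point being argued above (where the gpgkey= lines in the .repo files point), as an added example that is not part of this thread or of CentOS's own tooling: it classifies each repo section's key source as local (file:// under /etc/pki, verifiable offline from an intact install) or remote (fetched over the network), and flags sections with gpgcheck off. The repo file, mirror hostname and key name are constructed sample values.

```shell
#!/bin/sh
# Audit a yum .repo file: for every [section], report whether its GPG key is
# a local file:// key, a remote URL, or absent, together with the gpgcheck flag.
set -eu

# Constructed sample .repo file (not a real CentOS-Base.repo); hostname and
# key name are placeholders.
SAMPLE_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[base]
name=Sample Base
baseurl=http://mirror.example.invalid/centos/5/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-Example

[updates]
name=Sample Updates
baseurl=http://mirror.example.invalid/centos/5/updates/$basearch/
gpgcheck=1
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-Example

[extras]
name=Sample Extras
baseurl=http://mirror.example.invalid/centos/5/extras/$basearch/
gpgcheck=0
EOF

# classify_gpgkeys FILE: prints one line per section: "<section> <local|remote|none> <gpgcheck>"
classify_gpgkeys() {
  awk '
    /^\[/ { if (sec != "") print sec, cls, chk
            sec = substr($0, 2, length($0) - 2); cls = "none"; chk = "?"; next }
    /^gpgcheck=/ { chk = substr($0, 10) }
    /^gpgkey=/   { v = substr($0, 8); cls = (v ~ /^file:\/\//) ? "local" : "remote" }
    END { if (sec != "") print sec, cls, chk }
  ' "$1"
}

# count_remote FILE: number of sections whose key would be fetched over the network
count_remote() {
  classify_gpgkeys "$1" | awk '$2 == "remote"' | wc -l | tr -d ' '
}

# count_unchecked FILE: number of sections with signature checking disabled
count_unchecked() {
  classify_gpgkeys "$1" | awk '$3 == "0"' | wc -l | tr -d ' '
}

classify_gpgkeys "$SAMPLE_REPO"
```

Run against the real files with `for f in /etc/yum.repos.d/*.repo; do classify_gpgkeys "$f"; done`; a remote entry or a gpgcheck=0 section is what the thread's argument says you should not rely on.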