[CentOS] yum/RPM and Trust on First Use

Wed Dec 16 03:05:12 UTC 2015
Alice Wonder <alice at domblogger.net>

I'm not on the yum / RPM list and I don't know that I want to join just 
to discuss this but with respect GPG keys - it is a classic example of 
trust on first use.

The first time yum installs a package, it asks to import the GPG key 
used to sign the packages. Most people accept without validating the key.

This is potentially exploitable because most repositories are http

What if there was a DNS TXT record that corresponds with the repository, 
with the fingerprint of the key?

The DNS record could be DNSSEC secured (I believe Fedora already uses 
DNSSEC - some of their servers anyway) and yum could refuse to ask if 
the fingerprint of the key it is importing does not match the DNSSEC 
secured fingerprint.

Something like TXT record for


could be requested for the fingerprint for security at centos.org

Advantage over gpg keyrings is that it can be implemented by anyone 
without needing to manage your keys with specific gpg keyrings, which 
has always been messy.

When yum is first asked to import a key, it refuses if it can not DNSSEC 
validate the fingerprint.

After it DNSSEC validates the fingerprint, it can then does what it 
currently does, where the user can verify they trust the key.

To get a fingerprint in the centos.org zone and signed by DNSSEC would 
not be easy for a malicious packager to do.

Furthermore when a signing key has been compromised (happened with 
Fedora once) changing the DNS record would prevent the key from being 
imported in the future, and could even prevent packages signed by that 
key from being installed in the future even if the key is already imported.

For offline yum usage, a switch could be used to tell yum not to do the 
DNS lookup and DNSSEC validation.