[Bug debuginfod/28204] extend webapi / verification with forthcoming signed-contents archives
https://sourceware.org/bugzilla/show_bug.cgi?id=28204 --- Comment #20 from Mark Wielaard --- (In reply to Frank Ch. Eigler from comment #18) > > Doesn't that give a false sense of "security"? > > It still rejects some stuff, but doesn't really protect against "falsifying" > > files, all a server has to do is not provide an IMA > > Yes, but trusted servers won't just do that. But isn't the idea of checking the IMA signatures that you don't have to trust the server providing the debuginfo files as the distro intended them? > > If it is just to see what would happen if enabling ima file checking, then > > it probably shouldn't reject anything. In that case it should warn for both > > missing and invalid signatures, but still accept them. > > The difference between missing and invalid is that the latter is KNOWN bad. > An invalid signature is evidence that the file has a problem. And a missing signature is UNKNOWN bad? So both are bad in some way. Which imho means that if we support some kind of permissive mode, then it should explicitly warn for both kind of baddness. -- You are receiving this mail because: You are on the CC list for the bug.
[Bug debuginfod/28204] extend webapi / verification with forthcoming signed-contents archives
https://sourceware.org/bugzilla/show_bug.cgi?id=28204 --- Comment #21 from Ryan Goldberg --- (In reply to Mark Wielaard from comment #20) > But isn't the idea of checking the IMA signatures that you don't have to > trust the server providing the debuginfo files as the distro intended them? But this will allow for the case of a trusted server which only has some of it's RPMs per-file signed. Take for instance a server which has the RPMs for f36,37,38. The f36 files don't have signatures so using enforcing here is too strict since we are ok just letting a client know that these ones are unverifiable, but we still want to be able to reject any of the invalid ones for f38 > So both are bad in some way. Which imho means that if we support some kind > of permissive mode, then it should explicitly warn for both kind of baddness. In the permissive mode you'll get: * "the signature is valid" for valid sigs * "ALERT: this download is being rejected since the IMA signature could not be verified" for invalid sigs * "the signature could not be verified" otherwise So we do warn for both kinds of bad, we just don't reject the 'unknown' bad -- You are receiving this mail because: You are on the CC list for the bug.
