On Fri, 11 Aug 2000, Kurt Seifried wrote:
Wrong answer. USE GNUPG. Ok the problem with MD5/SHA1/etc/etc is for each package I need to get you the package, and the sig securely. With GnuPG I need to get the key to you securely ONCE, i.e. SuSE ships the keys on the CD. SuSE cannot ship all the future MD5/SHA1/etc sums on the CD for obvious reasons.
Kurt has is a great answer. It is probably the strongest tool available. By the way seems nearly as secure to md5/SHA1 sign, and then for the signature to be distributed independently signed with a trusted key. That is Roman's signed email announcements. But at the risk of repeating the obvious, I will paraphrase Phil Zimmerman's pgp READMEs: it is only as safe as the computers hosting the signing and checking code. If an attacker trojaned your local GnuPG binary or tampered with your public keyring, he could get false signatures past you. And the trusted suse private key (using suse as an example) may be shared among a number of employees, and it may even be used for automatic code signing (eugh!) It would just take one of them to allow their private keyring to be stolen - and until they notice and get an announcement to you - you are vulnerable to man-in-the-middle attacks. So independent sources may still be a useful weapon in the armory. <SNIP>
fun. When something breaks, *I* want to be the reason why. :>
Security has to be automated as much as possible. What happens when companies roll out 5000 linux desktops?
Quite. And you will be automating firewalls, tripwire, config file distribution and many other weapons. It may make sense to download updates only once (by your admin) manually, verify them and sign them with an in-house key, and then distribute automatically to 5000 workstations. There are other non-security benefits to this. BTW IMHO the key doesn't need to be on the CD to be trusted. The SuSE key fingerprint is in chapter 18 of the manual. If you get a paper manual it is reasonably independent of the Internet. dproc