Bug 587486 - Provide installation files with attached GPG signature and make them default in the handbook
Status: UNCONFIRMED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal enhancement with 1 vote
Assignee: Gentoo Release Team
Reported: 2016-06-29 08:08 UTC by terabit.funtoo
Modified: 2016-10-27 01:48 UTC
Description terabit.funtoo 2016-06-29 08:08:28 UTC
Hi,

Currently the Gentoo installation procedure involves downloading a livecd (optionally), a stage3 and the portage tarball (or use webrsync).

In order to verify these, users have to download a separate detached signature file (.asc), verify the '.asc' file and cross check the hash in the '.asc' file with the downloaded file (e.g.: sha512sum -c ....).

GPG lets users create a signed file (plain --sign option) where users have to decrypt it with the public key of the signer in order to use it. 

My suggestion is to have mirrors host a GPG-signed installation livecd, stage3 and portage tarball, and have the Gentoo handbook instructions instruct users to import release signing keys and decrypt their download before they can start using the downloaded files.

Example:

---------------
Bob@host ~/gpgtst $ ls -lah
drwxr-xr-x  2 Bob Bob   69 Jun 29 10:40 .
drwx------ 80 Bob Bob  16K Jun 29 10:05 ..
-rw-r--r--  1 Bob Bob 700M Jun 29 10:38 livecd.iso

Bob@host ~/gpgtst $ sha512sum livecd.iso 
d446d3e2b8d8e19463c54bc1fc6f142435eee483b06dcc1cbdd25a07f893d8e90b2a9144e68564ef59aa97d9da022ff0410ce3b29b4098f46e6c0a76254b1709  livecd.iso
Bob@host ~/gpgtst $ time gpg --sign livecd.iso 

real    0m17.806s
user    0m13.021s
sys     0m1.236s


Bob@host ~/gpgtst $ ls
livecd.iso  livecd.iso.gpg
Bob@host ~/gpgtst $ time gpg --out install-livecd.iso --decrypt livecd.iso.gpg 
gpg: Signature made Wed 29 Jun 2016 10:39:46 AM  using RSA key ID 44F5B547
gpg: Good signature from "Bob-Host (GPG key for Bob used for encrypting FDE keys among other things) <Bob@host>" [ultimate]

real    0m9.596s
user    0m6.868s
sys     0m0.705s
Bob@host ~/gpgtst $ sha512sum install-livecd.iso 
d446d3e2b8d8e19463c54bc1fc6f142435eee483b06dcc1cbdd25a07f893d8e90b2a9144e68564ef59aa97d9da022ff0410ce3b29b4098f46e6c0a76254b1709  install-livecd.iso
Bob@host ~/gpgtst $ 
---------------------------------

It takes 17s to sign the .iso file and 9 seconds to decrypt it (inside a VM too!).

There are two obvious facts:

1) most users don't verify hashes or bother with gpg verification
2) users would use gpg if it was the default method and it did not involve burdensome steps to use it.

Not having a detached signature would mean users *have to* decrypt the downloaded signed file before using it; this is a simple two-step procedure.

1) Import PGP public keys used to sign the files (manually 'copy-paste' the correct fingerprint from the Gentoo installation handbook for this step)
2) Decrypt the downloaded .gpg file (as shown above, just run gpg --output file --decrypt file.gpg)

I am not suggesting to stop the use of detached .asc/digest files, or to stop mirrors from hosting plain installation files. My suggestion is to have this option and make it a default.

If this is done, I am confident most users will be using verified Gentoo installations. This will increase security for everyone.

Per IRC discussion in #gentoo-chat, this could be used also for ebuilds and tarballs with portage; it will only require the signing keys to be imported once during the installation/setup of the OS.

Thanks in advance for considering this request.
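
Added example (not part of the original report, and not Gentoo's own tooling): gpg prints "Good signature" for any key present in the local keyring, so a script automating step 2 of the procedure above should also pin the release key's fingerprint. The sketch below does that by parsing gpg's `--status-fd` output; `EXPECTED_FPR` is a placeholder, and `status_matches_fpr` and `unpack_signed` are hypothetical helper names.

```shell
#!/bin/sh
# Added example, not from the bug report. EXPECTED_FPR is a placeholder:
# use the 40-hex-digit release key fingerprint published in the handbook.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# Read `gpg --status-fd` lines on stdin. Succeed only if a signature was
# cryptographically valid (VALIDSIG) AND made by the pinned key, matched
# against the signing-key ($3) or primary-key ($12) fingerprint, and no
# bad, unverifiable, expired-key or revoked-key signature was reported.
status_matches_fpr() {
    awk -v want="$1" '
        $1 != "[GNUPG:]" { next }
        $2 == "VALIDSIG" && ($3 == want || $12 == want) { ok++ }
        $2 == "BADSIG" || $2 == "ERRSIG" { bad++ }
        $2 == "EXPKEYSIG" || $2 == "REVKEYSIG" { bad++ }
        END { exit !(ok >= 1 && bad == 0) }
    '
}

# Unpack an attached-signature file ($1) into $2. The plaintext is written
# to a temporary name and only renamed once the pinned key is confirmed,
# so a file signed by some other key never appears under the final name.
unpack_signed() {
    tmp="$2.unverified"
    rm -f "$tmp"
    if gpg --batch --status-fd 1 --output "$tmp" --decrypt "$1" 2>/dev/null \
        | status_matches_fpr "$EXPECTED_FPR"
    then
        mv "$tmp" "$2"
    else
        rm -f "$tmp"
        echo "signature check failed for $1" >&2
        return 1
    fi
}

# Usage: sh unpack.sh livecd.iso.gpg install-livecd.iso
if [ "$#" -eq 2 ]; then
    unpack_signed "$1" "$2"
fi
```
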
Comment 1 sn0wmonster 2016-07-02 02:43:14 UTC
This should be standard in all distros and it's shocking that it's not. Please fix this.