Hi everyone! Wanted to get a little post going here to see if other groups/users out there would chime in on whether RPM signing would be important to your groups. Noting the documentation here, it's on the road map, but no one is really clamoring for it. Our group is interested in having our RPMs signed for a number of reasons:
- Mirroring and/or Distributing Packages – In the Fedora (and many others) universe, packages are built and signed on an upstream server, then delivered out to a mirror system (universities, not-for-profits, etc.). Each of those downstream mirrors has its own valid SSL/TLS certificate; however, the actual content of the packages could be tampered with. Say, for example, a school pulls in a Fedora mirror and provides it to the world. People around the world can trust that a rogue school employee is not going to tamper with the RPMs, because if they do, the packages will not match the signature provided by the distribution. This lets the RPM pass through as many channels as needed, but still gives the end user a way to verify that it has not been tampered with. That signature lets me verify that whoever I think the package came from actually packaged it, no matter how it got to me in the long run.
- Defense in depth – One of the best practices we as a group try to follow is Defense in Depth. The overall thought here is that having multiple layers of security is beneficial, so in this instance, even though TLS/SSL is secure, if it were ever to be compromised, we would have another layer of protection with the package signatures in place.
- User behavior – Our security office strongly encourages folks to follow best security practices. Having them turn OFF a security check for something like yum update repos reinforces a bad behavior.
Thanks!!