#262 Don't use checksums in the update announce mails anymore
Closed: Fixed None Opened 11 years ago by lkundrak.

The preferred way to check integrity and authenticity of packages is GPG.
(Not sure which component to file this against, please reassign if appropriate)

19:04 <lkundrak> what algorithm is used for checksum in the update mails?
19:04 <lmacken> sha1
19:06 <lkundrak> until very recently i thought it was md5, and I was going to ask you to remove it. But as it's not, could you please either add there a statement that it's a sha1
sum, and how to check it, or remove it? We sign the packages iwth gpg and it ensures both the integrity and authenticity
19:06 <lkundrak> i doubt anyone uses the checksum anyways
19:06 <lmacken> what would the "proper" way to check it be ?
19:06 <lmacken> especially if people just get the updates from yum
19:07 <lmacken> yum does that for us
19:07 <lkundrak> that's why I think the checksum is useless there :)
19:07 <lmacken> yeah, very true
19:07 <lmacken> I'm not sure how much value the filelist provides
19:08 <lkundrak> well, it is usable for people that don't use yum
19:08 <lmacken> yeah.. so what do you recommend I put in the template ?
19:08 <lkundrak> don't tell me there's none -- I don't for some cases :)
19:08 <lkundrak> I'd just remove the checksum
19:08 <lkundrak> and maybe tell people that the packages are signed
19:10 <lkundrak> The packages are signed with key Fedora Project Extras or Whatever (0xabcdef0123)
19:11 <lmacken> ok

So, in short:

  • Remove SHA1 checksum
  • Add a line that states
    {{{All packages are signed with GPG using the key: Fedora Project fedora@redhat.com (0x4F2A6FD2)}}}
  • The key name would vary between testing and stable, I'm not completely sure whether it's necessary to include it.

I think at the same time, it'd be good to have a page with the Fedora gpg key info (fingerprint, type, expiration, all that good stuff). This page could be referenced in the announcement mails so that anyone who wants to do a little more verification of the key can do so. This could be similar to http://www.redhat.com/security/team/key/

tmz: http://fedoraproject.org/wiki/Security/Keys
I just created this. Please modify it to incorporate your ideas. Thanks!

Nice work Lubomir! I did a little editing. Hopefully I haven't introduced too many typos and errors in the process. I think mmcgrath mentioned in irc that such a page may be best to have outside of the wiki. So perhaps if we get the content in good shape, it can then be moved somewhere a little more secure than the wiki. Of course, that may mean that some work will need done to convert from the wiki formatting to html.

Just a note for myself: Once this is complete, Bug [https://bugzilla.redhat.com/show_bug.cgi?id=417201 #417201] can be resolved.

Red Hat is stopping using MD5 for thier advisories on Jan 1st 2008. It might be a good day to do the changes to bodhi also. I will polish the keys page a bit till then and ask Mike McGrath to move it out the wiki.

Bodhi /could/ display the GPG key for the corresponding package, but I'm not sure if that provides anyone any value. What do you guys think of something like:

All packages are signed with the Fedora Project GPG key. More details on the
GPG keys used by the Fedora Project can be found at

Having this information on the wiki may not be the best idea. Should we lock the page down to only a certain group of users, or maybe move it to docs.fp.o ?

I ported the Security/Keys wiki page to genshi: [http://lmacken.fedorapeople.org/keys.html http://lmacken.fedorapeople.org/keys.html], and sent the patch to mmcgrath. This will eventually live at http://fedoraproject.org/keys.

Bodhi no longer generates checksums for update notices.

Login to comment on this ticket.