Fedora verification process

Not sure if this is the right place to post this, but is there any reason that the verification process for downloading Fedora ISOs requires using GPG signatures? A while ago there used to be an option to just get the SHA256 checksum directly from the website which was much simpler and more streamlined (with the option of using GPG on top if desired), unfortunately now the checksum files are hosted on mirrors instead of the main site so GPG must be used to properly verify the file. This seems unnecessarily circuitous, it’s certainly not more secure since the GPG keys are still being verified from information on the same site that the checksums used to be hosted on so if the site or TLS connection get somehow compromised then you’re screwed either way.

I mainly just rely on the media check at boot time :stuck_out_tongue:


The Checksum file they link with ISO downloads has SHA256 hashes in it plaintext, and that could be hand-checked with sha256sum on the iso.

I’m not sure on how truly secure that is or could be. Convenience-wise I’d rather do the above before importing GPG keys and gpgv.

Hashsums dont tell you anything about the security of a file. The only attack vector they defend against is already mitigated by using HTTPS.

GPG is needed, if you have a trusted source for the public signing keys, best multiple ones.

1 Like

From Project Discussion to Ask Fedora

Added gpg, installation, security and removed security-sig

Fedora images and checksum files are hosted by third-party mirrors.
TLS cannot protect you from spoofing by the hosting provider.
GPG is necessary to verify the authenticity of the checksum files.

3 Likes

At https://fedoraproject.org/security you can see how to show the gpg keys with fingerprint and it also shows hat the fingerprint is supposed to be. For Fedora 40 it should be

115D F9AE F857 853E E844  5D0A 0727 707E A15B 79CC

Lost track of this for a while having gotten tied up with other things, but my point here is that there’s no reason the Fedora verification page can’t just directly host the SHA256 sums. As things stand, yes, you do need to verify the GPG signatures because the checksums are distributed by a third party, but the text files containing the checksums are so small as to not be worth pushing out via mirrors, it takes more bandwidth to serve up the page with the link to the checksum than the checksum file itself. And if the checksums were hosted directly you would no longer require the signatures to verify them. This is already how many other distros do verification, and Fedora used to directly host the checksums as well iirc.

This is still ultimately secured by TLS though, it’s no more secure than if they just posted the checksums directly on the same page. It’s just creating unnecessary inconvenience.

I don’t consider it an inconvenience, but rather a great convenience.

If the checksum is displayed on the page it requires that the user copy that long value and paste it into their computer for comparison, or to visually verify the sha256sum of the downloaded iso matches what is on the page.

I download the file then run sha256sum -c *.CHECKSUM and it eliminates several times where there is the possibility of human error. One step to download the iso file, one step to download the checksum file, one command to verify the iso file, – completely done. No human fallibility involved.

uh… you mean one command to check the hash, in addition to two commands to verify the authenticity of the checksum file

I don’t consider this a great convenience.

Also, I don’t think this topic was about what form the checksum comes in (displayed vs file), but about where the checksum file is served from (fedora vs mirror).

I see no significant security risk whether served directly from fedora or from a mirror.
The verification and confirmation of authenticity is checked at every stage. It is checked at the mirror when the mirror syncs with the fedora repo, then is checked again at the users machine when downloaded there, all of which happens before the files are used to perform an installation or update.

The only differences are that checking an iso for accuracy is done manually at the user level, while rpms are done automatically during an update process.

If you don’t trust the mirroring process then you may not ever want to use linux in any form since almost all the distros use mirrored repos.

The contents of these repos are verified with hashes and signatures that ideally come directly from the distro’s servers, or a trusted keyserver, rather than one of thousands of random mirrors.

But the mirror could be malicious or get hacked.

Yes but what I believe @positron was saying was that simply checking an iso with a checksum directly from Fedora is as secure as checking it with a checksum from a random mirror and then checking the checksum with a gpg key directly from Fedora.

Nailed it - it’s secure, but unnecessarily circuitous. Hosting the checksum file directly means you get the same level of security without the additional step of signature checking. Having the signatures available still makes sense because I imagine some users will have the keys installed for development or other purposes and in that case that would be more convenient, just for the occasional downloader it’s simpler to directly grab the hash file.

By way of example Debian hosts the checksum files directly, so users can download them without using a mirror (with GPG also being an option)