Social engineering attack -> no best practices in crypto on website: how to contact website team to solve that? (no immediately exploitable vulnerability, but practical in future in some circumstances)

How do you plan to use Sigstore? It looks like it's dependent on certificate authorities.

Unfortunately, only providing sha256sums on getfedora in the current architecture of our ISO provision does not cover all scenarios. Thus the additional signature on the mirror. However, to cover your case as well, we already added above the goal to add the sha256sums to the verify button: if you get your ISO from getfedora, you can rely on that and ignore the gpg files (that shall be noted in the verify button box, that you do not use gpg in the getfedora/sha256sum case, to create certainty).

I didn't check Sigstore yet. But keep in mind that you rely on the CAs in any case: if you get the gpg file of Fedora on getfedora.org, you rely on the CAs to ensure that it is actually the real getfedora.org you get the gpg file from. The same with the mirrors.

I didn't have any plans. I said it would be worth looking at. It might be that it doesn't work at all for us, or that we would need a bunch of changes to have it work, or it might give us ideas. :wink:

I just think there should be a better (secure) way to verify things than depending on a user learning gpg or painfully checking a bunch of numbers. But I admit it's not an easy problem.

We already have Fedora Media Writer as the recommended tool that should eliminate the need to explicitly verify the images.

The discussed problem is only relevant for users who choose not to use the recommended approach.

We just need to switch from cleartext to detached signature format and this should be enough to resolve the issue.
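An added example (not from anyone in this thread) of the practical difference between the two formats: a cleartext-signed CHECKSUM file cannot be fed to `sha256sum -c` as-is, because the armour lines are reported as improperly formatted, while a plain CHECKSUM file verified against a detached `.sig` works directly. The "ISO" and the PGP armour below are constructed placeholders and no gpg call is made.

```shell
# Added example (not from this thread). Shows why a cleartext-signed
# CHECKSUM file is awkward for `sha256sum -c`, and why a plain CHECKSUM plus
# a detached .sig verifies cleanly. No gpg call is made: the PGP armour
# below is a constructed placeholder, not a real signature.
set -eu

WORK=$(mktemp -d)

# Constructed sample "ISO" and the checksum line sha256sum prints for it.
printf 'constructed iso payload\n' > "$WORK/Fedora-Example.iso"
(cd "$WORK" && sha256sum Fedora-Example.iso > CHECKSUM)

# Cleartext-signed variant: the same checksum line wrapped in PGP armour.
{
  printf -- '-----BEGIN PGP SIGNED MESSAGE-----\nHash: SHA256\n\n'
  cat "$WORK/CHECKSUM"
  printf -- '-----BEGIN PGP SIGNATURE-----\n\nPLACEHOLDER-NOT-A-REAL-SIGNATURE\n'
  printf -- '-----END PGP SIGNATURE-----\n'
} > "$WORK/CHECKSUM.cleartext"

# Detached-signature layout: CHECKSUM stays plain text; after
# `gpg --verify CHECKSUM.sig CHECKSUM` it goes to sha256sum unchanged.
verify_plain() {
  (cd "$WORK" && sha256sum -c --strict CHECKSUM >/dev/null 2>&1)
}

# Cleartext layout fed straight to sha256sum: the armour lines count as
# "improperly formatted", and --strict turns that warning into a failure.
verify_cleartext_direct() {
  (cd "$WORK" && sha256sum -c --strict CHECKSUM.cleartext >/dev/null 2>&1)
}

# The extra step a user needs with cleartext: strip the armour first.
# (Real armour also dash-escapes lines starting with "-"; not handled here.)
strip_armour() {
  awk '/^-----BEGIN PGP SIGNATURE-----$/ { exit }
       /^-----BEGIN PGP SIGNED MESSAGE-----$/ || /^Hash: / || /^$/ { next }
       { print }' "$1"
}

verify_cleartext_stripped() {
  strip_armour "$WORK/CHECKSUM.cleartext" > "$WORK/CHECKSUM.plain"
  (cd "$WORK" && sha256sum -c --strict CHECKSUM.plain >/dev/null 2>&1)
}

if verify_plain; then echo "detached layout: sha256sum -c OK"; fi
if ! verify_cleartext_direct; then echo "cleartext layout: sha256sum -c fails"; fi
if verify_cleartext_stripped; then echo "cleartext layout after stripping: OK"; fi
```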

It's great if the Fedora Media Writer has the integrity checks built in for each of the editions/spins, on each of the available platforms (i.e. Linux, Windows, macOS).

Just a few ideas about the Fedora Media Writer:

  • Aren't the performed checks exposed to the issue raised here (e.g. the checksum information is not retrieved from mirrors)?
  • Shouldn't this information about integrity verification be made more visible on the download page? If someone reads the linked docs page about the media writer carefully, they might understand that it does perform the needed checks. A short phrase on the download page (maybe in the We take security seriously section) would raise visibility.
  • Many Fedora desktop edition users are using Fedora in VMs. Maybe a Download only instead of Download & write option in the media writer could make it be used for these scenarios too.
  • The media writer is the only package in the Fedora Workstation edition that installs Qt libraries as dependencies (in the base install) afaik. It would be great to have it as a GTK app too (also given that Qt apps don't look good on GNOME). Minor issue though.

Security has social (and economics) elements, too. And even from a technical perspective, the Media Writer can be questioned…

Two things about the media writer: on one hand, users are used to ISO files (which is also put in their minds by many sources & references) and thus it is questionable if many use the Media Writer (when people see something that makes sense at first glance and something that does not, they are likely to choose in cognitive dissonance the first). On the other hand, it is questionable if the Media Writer can be considered a good practice: people migrate from different systems, and urging them to install foreign code on their system just to get an ISO is like urging them to install third party repos in Fedora (if not worse as it is easily avoidable).

Also, big problem: the Media Writer assumes that every user with Linux who wants to get Fedora has flatpaks in service. I don't know about 100% compatibility in different Mac/Windows variants.

Additionally, I am not sure if the Media Writer covers all scenarios about what users might want to do with the “result” they get - can users click through to just get the ISO without providing a device to get dd'd with Fedora? Not sure here, so maybe that point is obsoleted.

You assume every user is fine and able to use gpg off the cuff. We ain't Arch, we also have an audience that might not be capable of reliably doing that in an acceptable amount of time and without external help. Think about the cases we handle in ask.fp. Security needs to be sufficiently intuitive to be used by people. If the entry barrier (e.g., time investment) is too high, people will (depending on the situation, they even have to) reject it. Also, people avoid doing things that make them feel dumb or as if they have no idea.

Adding the sha256sums to the page should not take too much effort, and it is something very easy for all users, it is widespread (some link hashes and such already to security and/or integrity in their minds), and in any case, a good and widespread practice that is widely encouraged and promoted. Also, afaik, on all modern systems, there is also no need to install something (I am not sure about gpg in the latter respect?).

While Fedora Media Writer is great… it's not the answer for all our deliverables. It's mostly targeted to live media. We also make: ostree installer images, netinstalls, server dvd, server netinstall, vagrant files, qcow2 server vm images, and more…

@dobymick I could not yet open a ticket for your suggestions upstream. Feel free to do so if you want a chance that changes arrive before F41 is released. I'm not sure if that is still realistic at this time, but I expect I will not be able to do it before end of the month or so.

I don't think there's much desire to change anything in f41 now, we are in run up to the Beta release, I think f42 is a more realistic target for change. But of course it could be considered…