On Rocky Linux’s Download page, the ISO and CHECKSUM links point to identical-looking download.rockylinux.org URLs with only the final filename component differing.
Am I correct, then, to assume that the ISO and CHECKSUM files are likely being downloaded from the same mirror site?
If so, that’s arguably bad for security. If an attacker compromises the mirror site, they could replace the ISO and CHECKSUM files together, which makes the CHECKSUM file useless for detecting malicious tampering.
Like other distros (Fedora, CentOS), it would be better to host the CHECKSUM file on the main website (rockylinux.org) or some other highly-secure non-mirror site. That way, an attacker looking to tamper with the ISOs without users noticing a checksum mismatch would be forced to compromise multiple sites simultaneously (the site hosting the CHECKSUM, plus the mirror sites hosting the ISOs), which should be far more difficult to pull off than just compromising one mirror site.
For now, though, I’d like to confirm that the CHECKSUM file I downloaded is authentic.
Are the checksums posted in any other official locations, like maybe a git repository?
BTW, it would also be helpful if the CHECKSUM file contained a GPG signature (see Fedora).
The primary mirror (which all of our mirrors get their content from) is download.rockylinux.org or dl.rockylinux.org. The CHECKSUM files are signed with our GPG key, with the accompanying CHECKSUM.sig sitting alongside it, which you can find by browsing through those links provided. In fact, in the ISO directory here the signature is next to it. You can also view this page to help verify images.
Okay, so download is the primary mirror and not a redirect to some local mirror.
Nevertheless, my point remains: The website’s Download page – and also the documentation page you linked – is directing users to download the ISO and CHECKSUM files from the same server. That’s not a good idea because an attacker who compromises that one server can replace both files at the same time. The CHECKSUM link should point to a separate server from the ISOs. Or, alternatively, display the checksum values directly on the Download page (like Ubuntu).
So now I’m looking at verifying the GPG signature. But, when I go to the Documentation > GPG Key Info page, the key links all use a dl.rockylinux.org hostname. Isn’t that the same server as download.rockylinux.org? Meaning: the ISO, CHECKSUM, and GPG keys are all being downloaded from the very same server? Again, that’s a problem because an attack on that one server could result in all three being replaced at once.
Some might think I’m being overly paranoid, but I don’t think I am. “Supply chain” attacks are a real problem nowadays. Being able to properly verify hashes/signatures of downloaded software is crucial. As things stand now with all files apparently hosted on one server, it seems the hashes/signatures are only useful for detecting corruption during the download, not malicious tampering. Alternate sources for obtaining the checksums and GPG keys are needed, IMO. One option that ought to be very secure: commit them into a GitHub repository.
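An added example (not code from the Rocky project or from anyone in this thread) showing the local half of the verification discussed above: parsing a CHECKSUM file, checking an ISO against it, and cross-checking two CHECKSUM copies obtained from independent sources so that a single replaced server cannot pass unnoticed. It assumes the CHECKSUM file uses the Fedora-like `SHA256 (name) = hex` style (the GNU `hex  name` style is accepted too); the `gpg --verify CHECKSUM.sig CHECKSUM` step against a key obtained out of band is expected to run before this and is not shown. The sample "ISO" and CHECKSUM text are constructed, not a real release.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Assumption: Rocky's CHECKSUM files use the Fedora-like BSD style "SHA256 (name) = hex";
# the GNU sha256sum style "hex  name" is accepted as well for copies published that way.
_BSD = re.compile(r"^SHA256 \((?P<name>[^)]+)\) = (?P<hex>[0-9a-fA-F]{64})$")
_GNU = re.compile(r"^(?P<hex>[0-9a-fA-F]{64})\s+\*?(?P<name>\S+)$")

def parse_checksum(text):
    """Map filename -> sha256 hex digest; comment and blank lines are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = _BSD.match(line) or _GNU.match(line)
        if m is None:
            raise ValueError(f"unrecognised CHECKSUM line: {line!r}")
        entries[m["name"]] = m["hex"].lower()
    return entries

def sha256_of(path, chunk=1 << 20):
    """Stream the file so a multi-gigabyte ISO is never read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def verify_iso(iso_path, checksum_text):
    """True only if the ISO is listed and matches; a file absent from CHECKSUM is a failure, not a pass."""
    expected = parse_checksum(checksum_text).get(Path(iso_path).name)
    return expected is not None and sha256_of(iso_path) == expected

def cross_check(text_a, text_b):
    """Compare two CHECKSUM copies from independent sources; return the names whose digests disagree."""
    a, b = parse_checksum(text_a), parse_checksum(text_b)
    return sorted(n for n in a.keys() & b.keys() if a[n] != b[n])

def build_sample():
    """Constructed stand-in for a download: a tiny 'ISO' plus a CHECKSUM listing it."""
    d = Path(tempfile.mkdtemp())
    iso = d / "Rocky-example.iso"   # hypothetical filename, not a real release
    iso.write_bytes(b"abc")         # sha256("abc") = ba7816bf...f20015ad
    text = ("# Rocky-example.iso: 3 bytes\n"
            "SHA256 (Rocky-example.iso) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad\n")
    return str(iso), text
```

For a real download, feed `cross_check` the CHECKSUM text from the mirror and a second copy from a source the mirror operator does not control; any name it returns is the one to stop on.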