Hi,

Is it possible to create a digitally signed repository with yum-arch or createrepo? I know that most of the RPMs are signed, so forged RPMs are not a problem. What I am concerned about is RPM dependencies. If RPM headers and dependency lists are not signed and an attacker could gain access to the repodata, would it be possible to fake dependencies? Or does yum check dependencies based on the real RPMs?

Is the following scenario possible with yum-arch or createrepo and yum?

- User updates his/her system automatically from cron (yum -y update)
- Yum does gpgcheck
- System does not have openssh-server installed
- Attacker gains access to the yum repository or hijacks the connection to the yum repository
- New official update is released, let's say kde-3.4
- Attacker forges the kde-3.4 header to have a dependency on openssh-server
- Yum installs openssh-server when kde-3.4 is updated

Regards,
Kimmo Koivisto
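The concern in the post is about the integrity of the repository metadata rather than of the packages themselves. The way the metadata is bound together in a createrepo-style repository is by checksum: repomd.xml records the digest of the primary metadata file, and the primary file is what carries every package's dependency list. If repomd.xml is itself GPG-signed (a detached repomd.xml.asc, which yum's repo_gpgcheck setting verifies), a dependency list that was altered after the repository was built no longer matches the signed digest. The Python below is an added illustration of that checksum chain, not code from the original post or from yum/createrepo: it builds a constructed, minimal repomd.xml for a constructed primary.xml, then shows that a copy of the primary metadata with an extra dependency inserted (standing in for the forged header in the scenario) fails the check. Namespaces are the real ones used by createrepo output; the package, file names and digest values are constructed. Verifying the signature on repomd.xml itself is left to gpg and is assumed to have already happened.

```python
"""Constructed example: check the primary metadata file against the digest
recorded in repomd.xml, the way yum binds dependency data to the signed
repository index.
"""
import hashlib
import xml.etree.ElementTree as ET

# Real XML namespaces used by createrepo output.
REPO_NS = "{http://linux.duke.edu/metadata/repo}"
COMMON_NS = "{http://linux.duke.edu/metadata/common}"
RPM_NS = "{http://linux.duke.edu/metadata/rpm}"

# Constructed primary.xml: one package, kde-3.4, requiring only libc.
PRIMARY_XML = b"""<?xml version="1.0" encoding="UTF-8"?>
<metadata xmlns="http://linux.duke.edu/metadata/common" xmlns:rpm="http://linux.duke.edu/metadata/rpm" packages="1">
<package type="rpm">
  <name>kde</name>
  <arch>i386</arch>
  <version epoch="0" ver="3.4" rel="1"/>
  <format>
    <rpm:requires>
      <rpm:entry name="libc.so.6"/>
    </rpm:requires>
  </format>
</package>
</metadata>
"""


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repomd(primary: bytes) -> bytes:
    """Construct a minimal repomd.xml recording the primary file's digest.
    In a real repository createrepo writes this file; it is the one that
    gets signed (repomd.xml.asc)."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        '  <data type="primary">\n'
        f'    <checksum type="sha256">{sha256_hex(primary)}</checksum>\n'
        '    <location href="repodata/primary.xml"/>\n'
        '  </data>\n'
        '</repomd>\n'
    ).encode()


def verify_primary(repomd: bytes, primary: bytes) -> bool:
    """True if the primary file's sha256 matches the entry in repomd.xml.
    Anything that does not match exactly (missing entry, other digest
    type, altered bytes) is treated as a failed check."""
    root = ET.fromstring(repomd)
    for data in root.findall(f"{REPO_NS}data"):
        if data.get("type") != "primary":
            continue
        checksum = data.find(f"{REPO_NS}checksum")
        if checksum is None or checksum.get("type") != "sha256":
            return False
        return (checksum.text or "").strip() == sha256_hex(primary)
    return False  # repomd.xml has no primary entry at all


def requires_of(primary: bytes, pkg_name: str) -> list[str]:
    """Dependency names listed under rpm:requires for pkg_name."""
    root = ET.fromstring(primary)
    for pkg in root.findall(f"{COMMON_NS}package"):
        if pkg.findtext(f"{COMMON_NS}name") != pkg_name:
            continue
        req = pkg.find(f"{COMMON_NS}format/{RPM_NS}requires")
        if req is None:
            return []
        return [e.get("name") for e in req.findall(f"{RPM_NS}entry")]
    return []


def tampered_primary() -> bytes:
    """Constructed copy of PRIMARY_XML with one extra dependency inserted,
    standing in for the altered metadata in the scenario above."""
    return PRIMARY_XML.replace(
        b'<rpm:entry name="libc.so.6"/>',
        b'<rpm:entry name="libc.so.6"/>\n      <rpm:entry name="openssh-server"/>',
    )


if __name__ == "__main__":
    repomd = build_repomd(PRIMARY_XML)
    print("genuine primary verifies: ", verify_primary(repomd, PRIMARY_XML))
    print("tampered primary verifies:", verify_primary(repomd, tampered_primary()))
    print("tampered requires:", requires_of(tampered_primary(), "kde"))
```

The point the example makes is that per-package signatures alone do not cover the dependency list yum resolves against; the checksum in repomd.xml does, but only once repomd.xml itself is signed and that signature is checked before the primary metadata is trusted.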