On Mon, Nov 2, 2020 at 7:24 PM Marek Marczykowski-Górecki <marmarek@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hello all,
>
> Are there any plans to have Fedora repository metadata signed? I think
> dnf supports it for a long time already. I know the packages themselves
> are already signed, but metadata do carry some extra information that
> potentially could be manipulated - for example to _selectively_ hide
> some updates, or to exploit metadata-parsing code (like in [1]).
>
> By default Fedora authenticates metadata using metalink downloaded over
> HTTPS from a Fedora-controlled infrastructure. But still an attack is
> possible with some rather extreme preconditions - namely to obtain a
> mis-issued certificate for mirrors.fedoraproject.org and MitM the
> connection. But also, if anyone set a specific mirror (examples to
> uncomment are over plain http, BTW) or use a 3rd-party repository that
> doesn't use metalinks, it is far easier to mount an attack on repository
> metadata.
>
> Additionally, signed metadata could reduce damage in case of
> metalink-hosting server compromise.
>
> I don't know much about Fedora infrastructure, but perhaps there is
> still something I could help with?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1868639
>

Repositories that don't use metalinks (and thus don't have cryptographically strong secure checksums to validate the content before processing) are encouraged to GPG sign metadata, and prior to us migrating the openh264 repo to metalinks, we signed the repository metadata there too. I believe it's still signed, we just don't verify it by default anymore.

The major remaining issue for us to start enabling repository GPG checks is that DNF doesn't use the RPM GPG keyring for repository metadata GPG signature validation, which can cause issues with our compose pipeline.

I believe this is something we'll fix with DNF version 5, as the whole GPG check code is being massively reworked for that.
-- 真実はいつも一つ!/ Always, there's only one truth!
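Added example, not part of either message and not Fedora or DNF code: a small audit of `.repo` definitions for the case the thread describes, an enabled repository that has no HTTPS metalink and does not set `repo_gpgcheck`. The sample repo ids and `example.org`/`example.com` hosts are constructed, and the script assumes per-repo settings only.

```python
import configparser

TRUE = {"1", "true", "yes", "on"}

# Constructed sample .repo content; hosts and repo ids are made up.
SAMPLE_REPO = """\
[fedora]
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
#baseurl=http://download.example.org/fedora/$releasever/$basearch/os/
gpgcheck=1

[pinned-mirror]
baseurl=http://mirror.example.org/fedora/$releasever/$basearch/os/
gpgcheck=1

[thirdparty-unsigned]
baseurl=https://repo.example.com/fedora/$releasever/$basearch/
gpgcheck=1

[thirdparty-signed]
baseurl=https://repo.example.com/signed/$releasever/$basearch/
gpgcheck=1
repo_gpgcheck=1
"""

def audit_repos(text):
    """Map repo id -> finding for enabled repos with unauthenticated metadata."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        s = cp[repo]
        if s.get("enabled", "1").strip().lower() not in TRUE:
            continue  # disabled repos are never fetched
        if s.get("repo_gpgcheck", "0").strip().lower() in TRUE:
            continue  # metadata signature is verified
        if s.get("metalink", "").strip().startswith("https://"):
            continue  # checksums come from the metalink over HTTPS
        # Assumption: per-repo values only; a [main] override in dnf.conf is not read.
        sources = " ".join(s.get(k, "") for k in ("baseurl", "mirrorlist", "metalink"))
        urls = sources.replace(",", " ").split()
        if any(u.startswith(("http://", "ftp://")) for u in urls):
            findings[repo] = "metadata fetched in cleartext, no signature check"
        else:
            findings[repo] = "metadata integrity rests on the mirror, no signature check"
    return findings

if __name__ == "__main__":
    for repo, finding in audit_repos(SAMPLE_REPO).items():
        print(f"{repo}: {finding}")
```
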