Re: Repository metadata signing?


 



It would require https://bugzilla.redhat.com/show_bug.cgi?id=1768206
to be fixed. Right now the design in dnf for supporting gpg keys is
quite user hostile, especially in automated unattended use cases.

Dennis

On Mon, Nov 2, 2020 at 6:25 PM Marek Marczykowski-Górecki
<marmarek@xxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Hello all,
>
> Are there any plans to have Fedora repository metadata signed? I think
> dnf has supported it for a long time already. I know the packages themselves
> are already signed, but metadata do carry some extra information that
> potentially could be manipulated - for example to _selectively_ hide
> some updates, or to exploit metadata-parsing code (like in [1]).
>
> By default Fedora authenticates metadata using metalink downloaded over
> HTTPS from a Fedora-controlled infrastructure. But still an attack is
> possible with some rather extreme preconditions - namely to obtain a
> mis-issued certificate for mirrors.fedoraproject.org and MitM the
> connection. But also, if anyone sets a specific mirror (examples to
> uncomment are over plain http, BTW) or uses a 3rd-party repository that
> doesn't use metalinks, it is far easier to mount an attack on repository
> metadata.
>
> Additionally, signed metadata could reduce damage in case of
> metalink-hosting server compromise.
>
> I don't know much about Fedora infrastructure, but perhaps there is
> still something I could help with?
>
> [1] https://bugzilla.redhat.com/show_bug.cgi?id=1868639
>
> --
> Best Regards,
> Marek Marczykowski-Górecki
> Invisible Things Lab
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> _______________________________________________
> devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
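
A configuration check for the cases raised in this thread, as an added example that is not part of the original messages: it flags enabled repos whose metadata signature checking (`repo_gpgcheck`) is off, that fetch over plain HTTP, or that have no metalink. The repo ids and hosts in the sample are constructed, the finding names are hypothetical labels, and `[main]` defaults from dnf.conf are not resolved.

```python
import configparser

# Constructed sample .repo content (repo ids and hosts are placeholders, not from the thread).
SAMPLE_REPO = """\
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1

[pinned-mirror]
name=Pinned mirror
baseurl=http://mirror.example.org/fedora/$releasever/$basearch/
enabled=1
gpgcheck=1

[thirdparty]
name=Third-party repo
baseurl=https://repo.example.com/fedora/$releasever/
enabled=1
gpgcheck=1
repo_gpgcheck=1
"""

TRUE = {"1", "yes", "true", "on"}
URL_KEYS = ("baseurl", "metalink", "mirrorlist")

def audit(repo_text):
    """Return {repo_id: [finding, ...]} for every enabled repo section."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_string(repo_text)
    report = {}
    for repo_id in cp.sections():
        sec = cp[repo_id]
        if repo_id == "main" or sec.get("enabled", fallback="1").strip().lower() not in TRUE:
            continue
        findings = []
        # Assumption: an absent repo_gpgcheck means metadata signatures are not checked.
        if sec.get("repo_gpgcheck", fallback="0").strip().lower() not in TRUE:
            findings.append("metadata-unsigned")
        # baseurl may list several URLs separated by whitespace or commas.
        urls = [u for k in URL_KEYS for u in sec.get(k, fallback="").replace(",", " ").split()]
        if any(u.lower().startswith("http://") for u in urls):
            findings.append("plain-http")
        if "metalink" not in sec:
            findings.append("no-metalink")
        report[repo_id] = findings
    return report
```
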



