Re: DNF5: Checking signatures of packages installed out of a repository?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 





Am Di., 31. Okt. 2023 um 19:31 Uhr schrieb Christopher <ctubbsii@xxxxxxxxxxxxxxxxx>:
On Tue, Oct 31, 2023 at 1:38 PM Vít Ondruch <vondruch@xxxxxxxxxx> wrote:
>
>
> Dne 31. 10. 23 v 16:23 Petr Pisar napsal(a):
> > Hello,
> >
> > DNF5 got a complaint
> > <https://github.com/rpm-software-management/dnf5/issues/991> that "dnf update
> > https://..." skips verifying package signatures:
> >
> >      $ sudo dnf update https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/x86_64/gnome-control-center-45.1-2.fc40.x86_64.rpm https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/noarch/gnome-control-center-filesystem-45.1-2.fc40.noarch.rpm
> >      [...]
> >      Warning: skipped PGP checks for 2 package(s).
> >
> > A DNF5 developer confirmed that old DNF4 does not verify signatures too.
> > The verification happens only for packages comming from a repository. Why DNF5
> > looks bad is because it actually prints the warning and thus keeps the user
> > better informed.
> >
> > The nonchecking behavior probably exists to make installing local packages
> > easy. If DNF5 would insist on checking the signatures, Fedora users would have
> > to pass --no-gpgchecks option to their "dnf5" commands to override the new
> > default, or start signing their packages. As always security is not easy.
> >
> > Because this an old behavior and some users probably depend on it, enabling
> > the verification for all cases looks like an abrupt change.
> >
> > I would would like to hear your opinion: Should DNF5 start verifying all
> > packages? Should DNF5 keep ignoring signatures for out-of-repository packages?
> > Or should rather narrow the verification skip to packages from a local file
> > system? Any other options?
>
>
> Or maybe verify what it can and report the packages which can't be
> verified? You can notice that I was actually installing singed packages.
>
> But I would (probably) not mind to explicitly specify `--no-gpgcheck`. I
> still would swear this used to be needed, that is why I try to install
> the signed packages.

I could have sworn the same thing. I think that it should be an error
if any package (it doesn't matter if it is local or not) cannot be
verified, unless `--nogpgcheck` is specified. This seems like the only
secure-by-default option. No RPM should be allowed to be installed if
it can't be verified, unless the user explicitly allows it. If less
secure options are provided (such as only providing a warning message
or skipping verification of local RPMs), then an option must be
provided to force the secure-behavior to prevent the installation of
any RPMs that haven't been verified (something like
`--requiregpgcheck`). But my strong preference is that it require GPG
checks by default. That is the behavior that is implied by the
existence of the `--nogpgcheck` flag and the non-existence of any
other related flags.

Note that there are few differences between local and repo files here:
- A repo comes with a key specification, i.e. an expected signer; a local package does not. What signature do you expect? What is the value of "any" signature?
- A package installed via a repo comes "from the internet" without your control over the exact download location; a local package has been downloaded or built specifically by you, with you in control.
Therefore, it does make sense that one has its signature checked and the other hasn't.

Michael 
_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Fedora Announce]     [Fedora Users]     [Fedora Kernel]     [Fedora Testing]     [Fedora Formulas]     [Fedora PHP Devel]     [Kernel Development]     [Fedora Legacy]     [Fedora Maintainers]     [Fedora Desktop]     [PAM]     [Red Hat Development]     [Gimp]     [Yosemite News]

  Powered by Linux