On 8/12/19 4:59 PM, Dmitry Mikhirev wrote:
Hello! I have a question about the security of installed package metadata. The idea is to use rpm -V for security audit, and I need to understand whether file checksums in the rpm database can be trusted. I don't know what exact metadata is signed inside the package, and whether this signature is stored after package installation. If the database keeps only unsigned checksums, they can be altered, and rpm -V cannot be considered suitable for our purposes.
The digests and signatures in rpm are all on the build-time metadata of the main header, which obviously includes file digests (aka hashes), so yes they are signed if the package is signed.
What is not signed in packages is the data that is added at runtime: INSTALLTID, INSTALLTIME and INSTALLCOLOR, and the contents of the signature header.

Note however that it's technically possible to effectively remove a signature from an installed package without rpm noticing, after which the hashes could be changed. While rpm -V verifies existing signatures, there's currently no way to make it *require* signatures, so you'd need to somehow verify separately that all the packages are signed (rpm -qavv does emit the digest and signature check results, but it's clumsy at best). So possible, but not exactly as convenient as it should be.
- Panu -

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxxxxx
http://lists.rpm.org/mailman/listinfo/rpm-list
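The separate "are all packages signed?" check that Panu's reply says rpm -V cannot do for you, as an added example that is not part of the thread or of rpm itself. It assumes rpm's query-format tags SIGPGP and SIGGPG with the :pgpsig formatter, which print a "Key ID ..." string for a stored RSA/DSA signature and "(none)" when the installed package carries no such signature header, so a package whose signature was stripped from the rpmdb shows up as "(none)" in both fields. The parsing is kept in functions that read stdin, so the logic can be exercised on constructed lines without rpm present; the sample lines and key ID in the usage below are constructed, not real.

```shell
#!/bin/sh
# rpm-audit.sh (added example, not from the rpm project). Refuse to trust
# "rpm -Va" output until every installed package still carries a signature.
# Assumption: %{SIGPGP:pgpsig} / %{SIGGPG:pgpsig} print "(none)" when absent.

# Emit one "nevra|rsa-sig|dsa-sig" line per installed package.
list_sig_fields() {
    rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}\n'
}

# Read "nevra|rsa|dsa" lines on stdin and print the NEVRA of every package
# that has neither an RSA nor a DSA signature stored in the rpmdb. These are
# exactly the packages whose file digests rpm -V would check unsigned.
find_unsigned() {
    while IFS='|' read -r nevra rsa dsa; do
        case "$rsa$dsa" in
            *"Key ID"*) ;;                      # at least one signature present
            *)          printf '%s\n' "$nevra" ;;
        esac
    done
}

# Read the same lines on stdin; return 0 only if every package is signed,
# otherwise list the offenders on stderr and return 1.
require_signatures() {
    unsigned=$(find_unsigned)
    if [ -n "$unsigned" ]; then
        printf 'packages without a stored signature:\n%s\n' "$unsigned" >&2
        return 1
    fi
    return 0
}

# Full audit: gate the verify run on the signature check, then let rpm -V
# verify the (now known to be signed) file digests.
main() {
    if ! list_sig_fields | require_signatures; then
        echo "rpm -V results cannot be trusted: unsigned packages present" >&2
        exit 1
    fi
    rpm -Va
}

# Only run the audit when invoked as "sh rpm-audit.sh run", so the functions
# can also be sourced or fed constructed input for testing.
if [ "${1:-}" = "run" ]; then
    main
fi
```

Run it as `sh rpm-audit.sh run` on the host being audited; a non-zero exit before any rpm -Va output means at least one package in the rpmdb has lost its signature and the digests rpm -V would compare against are no longer covered by a signature. Fed a constructed line such as `b-2-1.noarch|(none)|(none)`, `find_unsigned` prints `b-2-1.noarch`, while `a-1-1.x86_64|RSA/SHA256, Tue 12 Mar 2019 10:00:00 AM UTC, Key ID 0123456789abcdef|(none)` is accepted as signed.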