Re: Is package metadata stored in DB signed or not?



On 8/12/19 4:59 PM, Dmitry Mikhirev wrote:

I have a question about security of installed package metadata. The
idea is to use rpm -V for security audit, and I need to understand, if
file checksums in the rpm database can be trusted. I don't know, what
exact metadata is signed inside the package, and is this signature
stored after package installation. If the database keeps only unsigned
checksums, they can be altered, and rpm -V cannot be considered
suitable for our purposes.

The digests and signatures in rpm are all on the build-time metadata of the main header, which obviously includes file digests (aka hashes), so yes they are signed if the package is signed.

What is not signed in packages is the data that is added at runtime: INSTALLTID, INSTALLTIME and INSTALLCOLOR, and the contents of the signature header.

Note however that it's technically possible to effectively remove a signature from an installed package without rpm noticing, after which the hashes could be changed. rpm -V verifies existing signatures, but there's currently no way to make it *require* signatures, so you'd need to somehow verify separately that all the packages are signed (rpm -qavv does emit the digest and signature check results, but it's clumsy at best). So possible, but not exactly as convenient as it should be.

	- Panu -
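As an added example (not from Panu's reply or the rpm project), a small POSIX shell helper built around the point above: it lists installed packages that carry no signature at all via rpm's query format, and runs rpm -Va only when every package is signed, since unsigned packages are exactly the ones whose stored file digests cannot be trusted. The RSAHEADER/DSAHEADER/SIGPGP tags, the pgpsig formatter and the "(none)" placeholder for an absent tag are assumptions about the rpm in use; the sample query output is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Hypothetical helper: find installed
# packages that carry no signature at all, so that rpm -V is only trusted for
# packages whose header (and thus file digests) is actually signed.
# Assumptions: the RSAHEADER, DSAHEADER and SIGPGP query tags are available and
# rpm prints "(none)" for a tag that is absent from the header.

# One line per package: NVRA followed by the three possible signature fields.
QF='%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}|%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}|%{SIGPGP:pgpsig}\n'

# Read "nvra|rsa|dsa|sigpgp" lines on stdin and print the NVRA of every
# package for which all three signature fields are absent.
unsigned_from_lines() {
    awk -F'|' '$2 == "(none)" && $3 == "(none)" && $4 == "(none)" { print $1 }'
}

# Query the live rpmdb and list unsigned packages.
list_unsigned() {
    rpm -qa --qf "$QF" | unsigned_from_lines
}

# Run rpm -Va only when every installed package is signed; otherwise stop,
# because a missing signature means the stored file digests cannot be trusted.
audit() {
    unsigned=$(list_unsigned)
    if [ -n "$unsigned" ]; then
        printf 'refusing to audit: unsigned packages present:\n%s\n' "$unsigned" >&2
        return 1
    fi
    rpm -Va
}

# Constructed sample of the query output (the key ID is a placeholder), for
# exercising unsigned_from_lines without a live rpmdb.
SAMPLE='bash-5.0.7-1.fc30.x86_64|RSA/SHA256, Tue 23 Apr 2019 07:06:30 PM UTC, Key ID 0000000000000000|(none)|(none)
localbuild-1.0-1.x86_64|(none)|(none)|(none)'

# On a real system: audit || exit 1
```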