> On 8/12/19 4:59 PM, Dmitry Mikhirev wrote:
>> Hello!
>>
>> I have a question about the security of installed package metadata. The
>> idea is to use rpm -V for security audit, and I need to understand
>> whether file checksums in the rpm database can be trusted. I don't know
>> what exact metadata is signed inside the package, and whether this
>> signature is stored after package installation. If the database keeps
>> only unsigned checksums, they can be altered, and rpm -V cannot be
>> considered suitable for our purposes.
>
> The digests and signatures in rpm are all on the build-time metadata
> of the main header, which obviously includes file digests (aka
> hashes), so yes, they are signed if the package is signed.
>
> What is not signed in packages is the data that is added at runtime:
> INSTALLTID, INSTALLTIME and INSTALLCOLOR, and the contents of the
> signature header.
>
> Note however that it's technically possible to effectively remove a
> signature from an installed package without rpm noticing, after which
> the hashes could be changed. While rpm -V verifies existing signatures,
> there's currently no way to make it *require* signatures, so
> you'd need to somehow verify separately that all the packages are signed
> (rpm -qavv does emit the digest and signature check results, but it's
> clumsy at best). So possible, but not exactly as convenient as it
> should be.

Thank you for your reply! You answered not only the question I asked, but
also the question I was going to ask (about rpm -V behavior).

-- 
Regards,
Dmitry Mikhirev
Attachment: pgpuT0_64NPLV.pgp (OpenPGP digital signature)
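The reply above boils down to a two-step audit: rpm -V trusts the file digests held in the installed header, and those digests are covered by the package signature only while the signature is still in the database, so one has to check for unsigned packages separately and then look at what rpm -V reports. The script below is an added example written for this thread, not code from rpm or from either poster. It uses only documented rpm query-format tags (DSAHEADER, RSAHEADER, SIGGPG, SIGPGP with the :pgpsig formatter) and the rpm -Va output layout; the function names and the "--run" switch are my own. The sample lines in the usage note are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): audit an rpm database along the lines of
# the reply above. rpm -V trusts the file digests stored in the installed
# header; those digests are covered by the package signature only if that
# signature is still present, so first list installed packages that carry
# no header signature, then report files whose recorded digest no longer
# matches. Parsing lives in functions so it can be exercised on constructed
# input; the live scan runs only when invoked as: sh audit.sh --run

# Query format that prints the header signature of an installed package, or
# "(none)" when no signature tag is present. DSAHEADER/RSAHEADER are the
# header-only signatures used by current rpm; SIGGPG/SIGPGP are the legacy
# header+payload signatures.
SIGFMT='%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'

# Input: lines of "NEVRA<TAB>signature" as produced by the rpm -qa call below.
# Output: the NEVRA of every package whose signature field is "(none)".
unsigned_packages() {
    awk -F'\t' '$2 == "(none)" { print $1 }'
}

# Input: rpm -Va output. Column 3 of the flag field is the digest check
# ("5"), so a "5" there means the file content no longer matches the digest
# recorded in the rpm database. Config (c) and ghost (g) files are skipped
# because they are expected to change after installation; "missing" lines
# are a different condition and are left for a separate check.
# Assumption: paths do not contain spaces.
digest_changed() {
    awk '
        $1 == "missing"         { next }
        substr($1, 3, 1) != "5" { next }
        {
            attr = ""
            if (length($2) == 1) attr = $2      # file type column, if present
            if (attr == "c" || attr == "g") next
            path = $0
            sub(/^[^ ]+ +/, "", path)           # drop the flag field
            if (attr != "") sub(/^[a-z] +/, "", path)   # drop the type column
            print path
        }'
}

# Live scan. Its limits follow from the reply above: a package whose
# signature was stripped shows up as unsigned here, but a signature that is
# present is not cryptographically verified by this query (rpm -qavv does
# that in its debug output), and a digest rewritten in the database together
# with the file would not be flagged by rpm -V at all.
if [ "${1:-}" = "--run" ] && command -v rpm >/dev/null 2>&1; then
    echo "== installed packages with no header signature =="
    rpm -qa --qf "%{NAME}-%{VERSION}-%{RELEASE}.%{ARCH}\t${SIGFMT}\n" | unsigned_packages
    echo "== non-config files whose content no longer matches the recorded digest =="
    rpm -Va 2>/dev/null | digest_changed
fi
```

On a constructed report such as "S.5....T.    /usr/bin/foo", "S.5....T.  c /etc/foo.conf" and "missing     /usr/lib/bar", digest_changed prints only /usr/bin/foo: the config file is excluded by its type column and the missing file is not a digest mismatch. Treat an empty unsigned_packages list as the precondition for trusting the rpm -V result, not as the result itself.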
_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxxxxx
http://lists.rpm.org/mailman/listinfo/rpm-list