Description of problem:
Currently, we sign our packages, but not the repodata. This means that it is possible (in theory) to hijack the repodata and alter it to deliver malicious software, or even just modify it so that something that should be there, isn't.
Consumers of RPM-MD repodata, such as DNF, can optionally use the GPG public key to verify the repomd.xml file if a detached signature is present. If the signature is present and the .repo files (or the main dnf.conf) indicate "repo_gpgcheck=1", then DNF will refuse to process the metadata unless the repomd.xml signature check passes.
This provides an additional layer of security beyond checksums in the metadata, and prevents processing the XML data unless it has been verified as trusted. Because there's currently no way to verify the validity of the repomd.xml file (MirrorBrain would checksum this file and only point to mirrors that match), it's even more important to ensure that the data is always correct.
The repodata must be signed with the same key we use to sign our packages, as that is the key set for the Mageia repositories.
Note, the detached signature for the repomd.xml file would be in a file called "repomd.xml.asc" in the same location as the repomd.xml file itself.
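To make the two layers described above concrete, here is an added example (not code from this bug or from Mageia's infrastructure) that parses a constructed repomd.xml, checks the metadata files against the checksums it lists, and shows why that checksum layer alone cannot detect a repodata set that was swapped and regenerated consistently; the gpg call is the check repo_gpgcheck=1 adds, and it assumes gpg is installed with the repository key imported.

```python
import gzip
import hashlib
import subprocess
import xml.etree.ElementTree as ET

NS = {"r": "http://linux.duke.edu/metadata/repo"}  # namespace used by repomd.xml

def make_repo(primary_xml: bytes):
    """Constructed repodata: a compressed primary.xml plus the repomd.xml that lists its digest."""
    primary_gz = gzip.compress(primary_xml)
    digest = hashlib.sha256(primary_gz).hexdigest()
    repomd = (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        f'  <data type="primary"><checksum type="sha256">{digest}</checksum>\n'
        '  <location href="repodata/primary.xml.gz"/></data>\n'
        '</repomd>\n'
    )
    return repomd, {"repodata/primary.xml.gz": primary_gz}

def listed_checksums(repomd_xml: str):
    """Return {href: (algorithm, hexdigest)} for every <data> entry in repomd.xml."""
    root = ET.fromstring(repomd_xml.encode("utf-8"))
    out = {}
    for data in root.findall("r:data", NS):
        checksum = data.find("r:checksum", NS)
        href = data.find("r:location", NS).get("href")
        out[href] = (checksum.get("type"), checksum.text.strip())
    return out

def verify_data_files(repomd_xml: str, files: dict):
    """Checksum layer: does each metadata file match the digest repomd.xml claims for it?"""
    return {href: hashlib.new(algo, files[href]).hexdigest() == digest
            for href, (algo, digest) in listed_checksums(repomd_xml).items()}

def verify_repomd_signature(repomd_path: str, sig_path: str = None) -> bool:
    """Signature layer (what repo_gpgcheck=1 makes DNF do): verify the detached repomd.xml.asc
    with gpg. Needs gpg installed and the repository's public key imported into its keyring."""
    sig_path = sig_path or repomd_path + ".asc"
    result = subprocess.run(["gpg", "--verify", sig_path, repomd_path], capture_output=True)
    return result.returncode == 0

# Constructed demo: the real repo, and a swapped one whose primary.xml lost the security update
# and whose repomd.xml was regenerated to match. The checksum layer passes for both.
ORIGINAL = make_repo(b'<metadata packages="2"><package><name>foo</name></package>'
                     b'<package><name>foo-security-update</name></package></metadata>')
SWAPPED = make_repo(b'<metadata packages="1"><package><name>foo</name></package></metadata>')
```

Only the signature over repomd.xml distinguishes the two sets, which is why the .repo entry needs repo_gpgcheck=1 in addition to the package-level gpgcheck=1.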
@ Sysadmins: What's the status here? Can we work towards resolving this issue?
yeah, should not be hard to add signing after generation I think...
me and neoclust will look at this
Any progress on this?
(In reply to Neal Gompa from comment #4)
> Any progress on this?
Ping Thomas and Neoclust. This is a release blocker.
For me this is not a release blocker.
I don't have time to work on this one.
Still targeted at Mageia 6 if we can't find a sysadmin to work on it, but lowering priority because we can't hold the release for this, so it's not really a blocker.
Sorry Neal :)
(In reply to Samuel Verschelde from comment #7)
> Still targeted at Mageia 6 if we can't find a sysadmin to work on it, but
> lowering priority because we can't hold the release for this, so it's not
> really a blocker.
> Sorry Neal :)
I'm not sure I was the one who made it a blocker in the first place. :)
(In reply to Neal Gompa from comment #8)
> (In reply to Samuel Verschelde from comment #7)
> > Still targeted at Mageia 6 if we can't find a sysadmin to work on it, but
> > lowering priority because we can't hold the release for this, so it's not
> > really a blocker.
> > Sorry Neal :)
> I'm not sure I was the one who made it a blocker in the first place. :)
Yeah, that was me :)
Mageia 6 =>
This is a high-priority bug for a good reason.
Making Mageia even better than ever is the best direction.
In order to do the right thing, this bug should be examined and fixed as soon as possible.
Packagers, please make the status to Assigned when you are working on this.
Feel free to reassign the bug if it was badly triaged. Also, if the bug is old, please close it.
On October 1st 2020, we will drop priority to normal.