Bug 19432 - RPM-MD repodata should always be signed with the Mageia key
Status: NEW
Product: Infrastructure
Classification: Unclassified
Component: BuildSystem
Version: unspecified
Hardware: All
OS: Linux
Priority: High
Severity: normal
Target Milestone: Mageia 6
Assigned To: Sysadmin Team
QA Contact: Neal Gompa
Reported: 2016-09-21 14:43 CEST by Neal Gompa
Modified: 2017-03-06 15:49 CET (History)

See Also:
Source RPM:
CVE:
Status comment:



Description Neal Gompa 2016-09-21 14:43:53 CEST
Description of problem:
Currently, we sign our packages, but not the repodata. This means that it is possible (in theory) to hijack the repodata and alter it to deliver malicious software, or even just modify it so that something that should be there, isn't.

Consumers of RPM-MD repodata, such as DNF, can optionally use the GPG public key to verify the repomd.xml file if a detached signature is present. If the signature is present and the .repo files (or the main dnf.conf) indicates "repo_gpgcheck=1", then DNF will refuse to process the metadata unless the repomd.xml signature check passes.

This provides an additional layer of security beyond checksums in the metadata, and prevents processing the XML data unless it has been verified as trusted. Because there's currently no way to verify the validity of the repomd.xml file (MirrorBrain would checksum this file and only point to mirrors that match), it's even more important to ensure that the data is always correct.

The repodata must be signed with the same key we use to sign our packages, as that is the key set for the Mageia repositories.
Comment 1 Neal Gompa 2016-09-21 14:54:31 CEST
Note, the detached signature for the repomd.xml file would be in a file called "repomd.xml.asc" in the same location as the repomd.xml file itself.
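The signing and verification flow described in the description and in comment 1, as an added example (not Mageia's build-system code): a detached, ASCII-armored OpenPGP signature is written to repomd.xml.asc beside repomd.xml after repodata generation, and a client verifies it before trusting anything in the metadata, which is what DNF does when repo_gpgcheck=1 is set. The repository name, baseurl, gpgkey location, throwaway signing key and the constructed repomd.xml are assumptions for the demo; in production the --local-user would be the key that already signs the packages.

```bash
#!/bin/sh
# Added example, not part of the Mageia build system.
# Demonstrates: sign repodata/repomd.xml -> repodata/repomd.xml.asc, verify it
# as a DNF client would with repo_gpgcheck=1, and show that a tampered
# repomd.xml no longer verifies. Requires gpg 2.1+ on PATH.
set -eu

# Write a dnf .repo stanza that checks both packages and the repodata signature.
# $1 = destination .repo file, $2 = baseurl, $3 = location of the public key
# (constructed names; the real Mageia repo id, URLs and key differ).
write_repo_file() {
    cat >"$1" <<EOF
[mageia-example]
name=Mageia example repository (constructed)
baseurl=$2
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=$3
EOF
}

# Create repomd.xml.asc next to repomd.xml (run after repodata generation).
# $1 = repodata directory, $2 = key id / uid of the repository signing key.
sign_repomd() {
    rm -f "$1/repomd.xml.asc"
    gpg --batch --yes --local-user "$2" --armor --detach-sign \
        --output "$1/repomd.xml.asc" "$1/repomd.xml"
}

# Verify repomd.xml against repomd.xml.asc with the keys in the current keyring.
# Returns 0 only for a good signature; missing .asc is treated as a failure.
verify_repomd() {
    [ -f "$1/repomd.xml.asc" ] || return 2
    gpg --batch --verify "$1/repomd.xml.asc" "$1/repomd.xml" 2>/dev/null
}

# End-to-end demo in a throwaway GNUPGHOME with a constructed repomd.xml.
# Returns 0 when the untampered file verifies and the tampered one does not.
demo() {
    work=$(mktemp -d)
    export GNUPGHOME="$work/gnupg"
    mkdir -m 700 "$GNUPGHOME"
    # Throwaway signing key; stands in for the Mageia package-signing key.
    gpg --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Demo Repo Signing <demo@example.invalid>' ed25519 sign never
    mkdir "$work/repodata"
    # Constructed, minimal repomd.xml (checksum value is a placeholder).
    cat >"$work/repodata/repomd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1</revision>
  <data type="primary">
    <checksum type="sha256">0000</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
EOF
    sign_repomd "$work/repodata" demo@example.invalid
    if verify_repomd "$work/repodata"; then good=0; else good=1; fi
    # A compromised mirror edits the metadata after signing: must now fail.
    echo '<!-- tampered -->' >>"$work/repodata/repomd.xml"
    if verify_repomd "$work/repodata"; then tampered_ok=0; else tampered_ok=1; fi
    gpgconf --kill gpg-agent 2>/dev/null || true
    rm -rf "$work"
    [ "$good" -eq 0 ] && [ "$tampered_ok" -eq 1 ]
}
```

The tamper step matters: with repo_gpgcheck=1 the client refuses the whole metadata set, so an attacker who controls a mirror cannot silently drop a security update from primary.xml, because its checksum lives in the now-unverifiable repomd.xml. Without the signature, only the per-package signatures stand in the way, and they say nothing about which packages should have been listed.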
Comment 2 Rémi Verschelde 2016-10-17 12:01:50 CEST
@ Sysadmins: What's the status here? Can we work towards resolving this issue?
Comment 3 Thomas Backlund 2016-11-23 21:35:16 CET
yeah, should not be hard to add signing after generation I think...

neoclust and I will look at this
Comment 4 Neal Gompa 2016-12-12 22:02:38 CET
@Thomas,

Any progress on this?
Comment 5 Samuel Verschelde 2017-01-09 15:23:14 CET
(In reply to Neal Gompa from comment #4)
> @Thomas,
> 
> Any progress on this?

Ping Thomas and Neoclust. This is a release blocker.
Comment 6 Nicolas Lécureuil 2017-01-09 15:47:20 CET
For me this is not a release blocker.
I don't have time to work on this one.
Comment 7 Samuel Verschelde 2017-03-06 15:46:18 CET
Still targeted at Mageia 6 if we can't find a sysadmin to work on it, but lowering priority because we can't hold the release for this, so it's not really a blocker.

Sorry Neal :)
Comment 8 Neal Gompa 2017-03-06 15:47:00 CET
(In reply to Samuel Verschelde from comment #7)
> Still targeted at Mageia 6 if we can't find a sysadmin to work on it, but
> lowering priority because we can't hold the release for this, so it's not
> really a blocker.
> 
> Sorry Neal :)

I'm not sure I was the one who made it a blocker in the first place. :)
Comment 9 Samuel Verschelde 2017-03-06 15:49:11 CET
(In reply to Neal Gompa from comment #8)
> (In reply to Samuel Verschelde from comment #7)
> > Still targeted at Mageia 6 if we can't find a sysadmin to work on it, but
> > lowering priority because we can't hold the release for this, so it's not
> > really a blocker.
> > 
> > Sorry Neal :)
> 
> I'm not sure I was the one who made it a blocker in the first place. :)

Yeah, that was me :)
