Bug 19432 - RPM-MD repodata should always be signed with the Mageia key
Summary: RPM-MD repodata should always be signed with the Mageia key
Status: NEW
Alias: None
Product: Infrastructure
Classification: Unclassified
Component: BuildSystem
Version: unspecified
Hardware: All Linux
Priority: High normal
Target Milestone: Mageia 7
Assignee: Sysadmin Team
QA Contact: Neal Gompa
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2016-09-21 14:43 CEST by Neal Gompa
Modified: 2017-08-06 08:18 CEST (History)

See Also:
Source RPM:
CVE:
Status comment:



Description Neal Gompa 2016-09-21 14:43:53 CEST
Description of problem:
Currently, we sign our packages, but not the repodata. This means that it is possible (in theory) to hijack the repodata and alter it to deliver malicious software, or even just modify it so that something that should be there, isn't.

Consumers of RPM-MD repodata, such as DNF, can optionally use the GPG public key to verify the repomd.xml file if a detached signature is present. If the signature is present and the .repo files (or the main dnf.conf) indicate "repo_gpgcheck=1", then DNF will refuse to process the metadata unless the repomd.xml signature check passes.

This provides an additional layer of security beyond checksums in the metadata, and prevents processing the XML data unless it has been verified as trusted. Because there's currently no way to verify the validity of the repomd.xml file (MirrorBrain would checksum this file and only point to mirrors that match), it's even more important to ensure that the data is always correct.

The repodata must be signed with the same key we use to sign our packages, as that is the key set for the Mageia repositories.
Neal Gompa 2016-09-21 14:44:39 CEST

Blocks: (none) => 15527

Samuel Verschelde 2016-09-21 14:51:32 CEST

Priority: Normal => release_blocker

Neal Gompa 2016-09-21 14:53:18 CEST

See Also: (none) => https://bugs.mageia.org/show_bug.cgi?id=17400

Comment 1 Neal Gompa 2016-09-21 14:54:31 CEST
Note, the detached signature for the repomd.xml file would be in a file called "repomd.xml.asc" in the same location as the repomd.xml file itself.
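The signing step and the client-side check described in the description and in comment 1, as an added example that is not part of the bug report or of Mageia's build system: a throwaway key in a temporary GNUPGHOME signs a constructed repomd.xml into repomd.xml.asc, the untouched file verifies, and a copy altered after signing is rejected (the key name, paths and file contents are constructed for the demonstration).

```shell
#!/bin/sh
# Added example, not Mageia's build-system code. Returns 0 when the signed
# repomd.xml verifies and the tampered copy is rejected, 1 on any other
# outcome, 2 when gpg is not installed (the demo cannot run).
repomd_sign_verify_demo() {
    command -v gpg >/dev/null 2>&1 || return 2
    work=$(mktemp -d) || return 1
    GNUPGHOME="$work/gnupg"; export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME" || return 1
    repo="$work/repodata"; mkdir "$repo" || return 1

    # Constructed minimal repomd.xml. The real file lists every other metadata
    # file with its checksum, so a trusted repomd.xml anchors the whole tree.
    cat >"$repo/repomd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1</revision>
</repomd>
EOF

    # Throwaway signing key; stands in for the distribution packaging key.
    gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
        --quick-gen-key 'Demo Repo Key <demo@example.invalid>' default default never \
        >/dev/null 2>&1 || return 1

    # Detached, ASCII-armored signature stored next to the file it covers,
    # which is the repomd.xml.asc layout clients look for.
    gpg --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --local-user 'demo@example.invalid' --armor --detach-sign \
        "$repo/repomd.xml" >/dev/null 2>&1 || return 1
    [ -f "$repo/repomd.xml.asc" ] || return 1

    # Client-side check (what repo_gpgcheck=1 triggers): intact metadata verifies.
    gpg --batch --quiet --verify "$repo/repomd.xml.asc" "$repo/repomd.xml" \
        >/dev/null 2>&1 || return 1

    # Metadata modified after signing, e.g. on a compromised mirror, must fail.
    printf '<!-- appended after signing -->\n' >>"$repo/repomd.xml"
    if gpg --batch --quiet --verify "$repo/repomd.xml.asc" "$repo/repomd.xml" \
        >/dev/null 2>&1; then
        return 1
    fi

    rm -rf "$work"
    return 0
}
```

Run `repomd_sign_verify_demo; echo $?` to see the outcome; the same `gpg --verify` of repomd.xml.asc against repomd.xml is what a client performs before it trusts the checksums inside the file.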
Comment 2 Rémi Verschelde 2016-10-17 12:01:50 CEST
@ Sysadmins: What's the status here? Can we work towards resolving this issue?

Target Milestone: --- => Mageia 6

Samuel Verschelde 2016-11-08 12:02:43 CET

QA Contact: (none) => ngompa13

Comment 3 Thomas Backlund 2016-11-23 21:35:16 CET
yeah, should not be hard to add signing after generation I think...

me and neoclust will look at this

CC: (none) => tmb

Comment 4 Neal Gompa 2016-12-12 22:02:38 CET
@Thomas,

Any progress on this?
Comment 5 Samuel Verschelde 2017-01-09 15:23:14 CET
(In reply to Neal Gompa from comment #4)
> @Thomas,
> 
> Any progress on this?

Ping Thomas and Neoclust. This is a release blocker.
Comment 6 Nicolas Lécureuil 2017-01-09 15:47:20 CET
For me this is not a release blocker. I don't have time to work on this one.

CC: (none) => mageia

Samuel Verschelde 2017-01-17 10:29:39 CET

Blocks: 15527 => (none)

Comment 7 Samuel Verschelde 2017-03-06 15:46:18 CET
Still targeted at Mageia 6 if we can't find a sysadmin to work on it, but lowering priority because we can't hold the release for this, so it's not really a blocker.

Sorry Neal :)

Priority: release_blocker => High

Comment 8 Neal Gompa 2017-03-06 15:47:00 CET
(In reply to Samuel Verschelde from comment #7)
> Still targeted at Mageia 6 if we can't find a sysadmin to work on it, but
> lowering priority because we can't hold the release for this, so it's not
> really a blocker.
> 
> Sorry Neal :)

I'm not sure I was the one who made it a blocker in the first place. :)
Comment 9 Samuel Verschelde 2017-03-06 15:49:11 CET
(In reply to Neal Gompa from comment #8)
> (In reply to Samuel Verschelde from comment #7)
> > Still targeted at Mageia 6 if we can't find a sysadmin to work on it, but
> > lowering priority because we can't hold the release for this, so it's not
> > really a blocker.
> > 
> > Sorry Neal :)
> 
> I'm not sure I was the one who made it a blocker in the first place. :)

Yeah, that was me :)
Neal Gompa 2017-08-06 08:18:41 CEST

Target Milestone: Mageia 6 => Mageia 7

