Ensure DNF metadata is signed #14954
Comments
If Rocky winds up using the same signing infrastructure code that Fedora does, this could help get Fedora to sign their metadata, too.
Do you have any links to docs on this, for reference?
QubesOS/qubes-linux-yum@e981175 implemented metadata signing in QubesOS. The metadata signature is just a standard detached GPG signature on the metadata XML.
dnf supports repos with gpg signed metadata with the With that said, things like pulp (which satellite or upstream foreman use) support gpg_sign_metadata with patches or other manual work, which basically does this. And this will be something we will consider down the road when we get to a point when we're ready to start populating our repositories (considering we'll actually need to have our own scripted way of handling repos anyway after koji does its work). Thank you for submitting this - We'll have this on our radar.
I'd imagine solving kms is what's stopping them... As is our challenge.
Does "kms" mean "key management system"? If so, my suggestion would be to sign the metadata the same way packages are signed. It is generated from signed inputs, after all.
What he's referring to is a key management system like HashiCorp Vault, like where the keys are going to be stored/pulled from on top of automation of such. Signing packages and repo metadata is a straightforward process using
Ah okay. What I meant is that signing packages and repo metadata can/should be done using the same system.
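For reference, the client side of what this comment describes: dnf verifies a detached signature on repomd.xml (fetched as repodata/repomd.xml.asc) when repo_gpgcheck is enabled, and the same gpgkey entries are used for both package and metadata verification. This is an added example repo file, not something from this thread or from Rocky's tooling; the section name, baseurl and key path are placeholders.

```ini
# Constructed example .repo file; replace the URL and key path for a real repo.
[baseos-example]
name=Example BaseOS
baseurl=https://mirror.example.invalid/rocky/9/BaseOS/x86_64/os/
enabled=1
# Verify the signature on every downloaded package.
gpgcheck=1
# Also verify the detached signature on repodata/repomd.xml (repomd.xml.asc).
# Without this line the metadata is accepted unsigned even though packages are checked.
repo_gpgcheck=1
# Key(s) trusted for both package and metadata signatures; several URLs may be listed.
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
```

Note the interaction with the keyring problem raised later in the thread: if the metadata is signed with a key that is not yet in the client's keyring, repo_gpgcheck=1 makes the metadata download fail, so a new metadata key has to be shipped (or listed under gpgkey) before it is used to sign.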
To give some clarity, I know why a lot of distros don't sign their repos. First of all, if all packages in the repo are signed then signing the repo doesn't add any extra security. All that signing the metadata does is show that the metadata is correct, it doesn't affect whether or not the packages are correctly signed. Another issue is what happens when the repo is signed by a key that isn't in the user's keyring yet? They can't download the repo metadata because their keyring package has not been updated yet, and they can't update the keyring package because they can't download the repo metadata. The user ends up unable to update unless they disable signature checks. The only time I usually see repos being signed in distros is when everything is either packaged by 1 person or by an automated system like Jenkins. Then the 1 person or the system does all the signing instead of the maintainers. I don't usually see signed repos much on community based distros that have many maintainers.
Yes and no. See the recent RPM vulnerabilities for cases where metadata signing would have helped. Also, signing the metadata helps prevent indefinite freeze attacks and inconsistent metadata.
Keyring packages are rarely updated. Usually, they are only updated during a major distribution upgrade.
See Debian-based distros for a counterexample.
Until dnf repodata supports That's a main reason why a lot of distributions do not bother signing their repo metadata. Fedora is a good example of this.
The main purpose of repo metadata signing is attack surface reduction. See: RCE possible in the first two cases.
This helps mitigate DNF bugs.
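To make concrete what the last few comments argue (signing the metadata guards against indefinite freeze attacks and inconsistent metadata, and an unknown signing key must be refused rather than ignored), here is an added example of the checks a client would run on signed repodata. It is not code from this thread, from dnf, or from Rocky's tooling. It uses ed25519 from Go's standard library as a stand-in for the detached GPG signature dnf actually uses, treats the repomd.xml revision as the unix timestamp createrepo writes by default (an assumption about the repo tooling), and works on a constructed repomd.xml; the key id, the 7-day MaxAge and the sample primary.xml content are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/xml"
	"fmt"
	"time"
)

// Subset of repomd.xml the checks below need; the namespace is matched by local name.
type repomd struct {
	Revision int64 `xml:"revision"`
	Data     []struct {
		Type     string `xml:"type,attr"`
		Checksum struct {
			Algo  string `xml:"type,attr"`
			Value string `xml:",chardata"`
		} `xml:"checksum"`
		Location struct {
			Href string `xml:"href,attr"`
		} `xml:"location"`
	} `xml:"data"`
}

// Policy is what the client enforces on top of the signature itself.
type Policy struct {
	Keyring      map[string]ed25519.PublicKey // trusted metadata signing keys, by key id (assumed ids)
	MaxAge       time.Duration                // reject metadata older than this: indefinite freeze attack
	LastRevision int64                        // newest revision already accepted: rollback to older metadata
}

// VerifyRepo checks a signed repomd.xml and the metadata files it references.
// files maps each href listed in repomd.xml to the bytes the mirror served for it.
// It returns the accepted revision so the caller can persist it as LastRevision.
func VerifyRepo(p Policy, keyID string, repomdXML, sig []byte, files map[string][]byte, now time.Time) (int64, error) {
	pub, ok := p.Keyring[keyID]
	if !ok {
		// The keyring problem from the thread: refuse, do not fall back to unsigned.
		return 0, fmt.Errorf("repomd.xml signed by unknown key %q; keyring update required", keyID)
	}
	if !ed25519.Verify(pub, repomdXML, sig) {
		return 0, fmt.Errorf("bad signature on repomd.xml")
	}
	var md repomd
	if err := xml.Unmarshal(repomdXML, &md); err != nil {
		return 0, fmt.Errorf("malformed repomd.xml: %w", err)
	}
	age := now.Sub(time.Unix(md.Revision, 0))
	if age > p.MaxAge {
		return 0, fmt.Errorf("repomd.xml revision %d is %s old: possible freeze attack", md.Revision, age.Round(time.Hour))
	}
	if md.Revision < p.LastRevision {
		return 0, fmt.Errorf("repomd.xml revision %d older than accepted %d: rollback", md.Revision, p.LastRevision)
	}
	// Consistency: every referenced file must match the checksum the signed index commits to.
	for _, d := range md.Data {
		if d.Checksum.Algo != "sha256" {
			return 0, fmt.Errorf("%s: unsupported checksum type %q", d.Type, d.Checksum.Algo)
		}
		body, ok := files[d.Location.Href]
		if !ok {
			return 0, fmt.Errorf("%s: %s not served by mirror", d.Type, d.Location.Href)
		}
		sum := sha256.Sum256(body)
		if hex.EncodeToString(sum[:]) != d.Checksum.Value {
			return 0, fmt.Errorf("%s: checksum mismatch for %s: inconsistent metadata", d.Type, d.Location.Href)
		}
	}
	return md.Revision, nil
}

// SampleRepomd builds a constructed repomd.xml that references one primary.xml blob.
func SampleRepomd(revision int64, primary []byte) []byte {
	sum := sha256.Sum256(primary)
	return []byte(fmt.Sprintf(`<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>%d</revision>
  <data type="primary">
    <checksum type="sha256">%s</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
`, revision, hex.EncodeToString(sum[:])))
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	now := time.Now()
	policy := Policy{Keyring: map[string]ed25519.PublicKey{"metadata-key-1": pub}, MaxAge: 7 * 24 * time.Hour}
	primary := []byte("<metadata>constructed primary.xml</metadata>")
	md := SampleRepomd(now.Add(-time.Hour).Unix(), primary)
	sig := ed25519.Sign(priv, md)
	files := map[string][]byte{"repodata/primary.xml.gz": primary}
	fmt.Println(VerifyRepo(policy, "metadata-key-1", md, sig, files, now)) // accepted
	files["repodata/primary.xml.gz"] = []byte("swapped by the mirror")
	fmt.Println(VerifyRepo(policy, "metadata-key-1", md, sig, files, now)) // inconsistent metadata
	stale := SampleRepomd(now.Add(-60*24*time.Hour).Unix(), primary)
	files["repodata/primary.xml.gz"] = primary
	fmt.Println(VerifyRepo(policy, "metadata-key-1", stale, ed25519.Sign(priv, stale), files, now)) // freeze attack
}
```

The point of the ordering is that the signature is checked before the XML is parsed, so a mirror that can only serve unsigned or altered bytes never reaches the parser; the freshness and checksum checks then cover what a valid signature alone does not: a mirror replaying an old but genuinely signed index, or serving a primary.xml that does not match the signed index.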