Bug 2182032
Summary: | rpm is less strict about signature verification when signing certificate is not preinstalled | | |
---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | Zbigniew Jędrzejewski-Szmek <zbyszek> |
Component: | rpm | Assignee: | Michal Domonkos <mdomonko> |
Status: | CLOSED MIGRATED | QA Contact: | Fedora Extras Quality Assurance <extras-qa> |
Severity: | unspecified | Docs Contact: | |
Priority: | unspecified | | |
Version: | 38 | CC: | kparal, mdomonko, mrehak, pmatilai, zbyszek, zjedrzej |
Target Milestone: | --- | Keywords: | Security, Triaged |
Target Release: | --- | | |
Hardware: | Unspecified | | |
OS: | Unspecified | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | If docs needed, set a value |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2023-11-29 12:56:15 UTC | Type: | Bug |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Zbigniew Jędrzejewski-Szmek
2023-03-27 11:01:02 UTC
Oh, this can be made even simpler:

```
# rpm -q anydesk
anydesk-6.1.1-1.el7.x86_64
# curl -O 'https://keys.anydesk.com/repos/RPM-GPG-KEY'
# sha1sum RPM-GPG-KEY
679867bb8d96dfdf5b972f92adf3636a40277dd2  RPM-GPG-KEY
# rpm --import ./RPM-GPG-KEY
# rpm -q anydesk
error: rpmdbNextIterator: skipping h# 224 Header V3 RSA/SHA1 Signature, key ID cdffde29: BAD
Header SHA1 digest: OK
package anydesk is not installed
# rpm -e gpg-pubkey-cdffde29
# rpm -q anydesk
anydesk-6.1.1-1.el7.x86_64
```

Hmm, I assumed that Panu and other maintainers have access to this bug because packaging-team-maint is the Assignee. The access story is a bit hysterical: we can see the notification emails from such bugs but not the bug itself.

Anyway, this (also hysterical) behavior is as old as rpm itself. No sensible signature behavior is possible as long as unsigned packages are considered acceptable, so the only way to get a sane behavior out of this all is to make signatures mandatory with "%_pkgverify_level signature" (or "all"). That of course breaks all the workflows with local builds expected to be installable without signing. It's something Fedora could of course experiment with. I suspect there would be wide breakage starting with mock/koji, requiring overrides to that config.

Thanks. This explains how we got into this situation, but I have to say the end result doesn't "feel" right. Essentially, I would really expect that if I call 'dnf install https://some.url/something.rpm', the signature is verified correctly or I get asked. This expectation is also built on expected consistency: I get asked every half year if I want to accept new keys for F<n+1>, rpm does various checks of signatures, etc., and periodically things that Fedora distributes do not pass this verification. This all builds the expectation that stuff is being checked. If then another operation which is _much_ more risky performs no checking *whatsoever*, no warnings are emitted, no questions asked, this seems backwards.
Yes, it's totally backwards and broken of course. It seems that any solution would require bigger changes and possibly some reduction in user convenience.

I think it'd be worth discussing this more widely. Anyone opposed to dropping the "security" label and making this public?

Feel free to drop the security label, this isn't your average security bug, just weird but expected semantics. I think it'd be awesome if Fedora wanted to explore making signatures mandatory by default on rpm level (supported since 4.14.2, see comment #3), it's just something I'm not eager to push by myself. People tend to have their annual quota of rpm changes full as it is :D

Can somebody unembargo this?

There is no embargo but it prevents the bug from being made public. Please unembargo this to make it public.
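As an added example that is not part of the bug report or of rpm itself: a POSIX shell check that classifies `rpm -Kv` output so a signing key that was never imported (NOKEY) counts as "not verified" rather than as the acceptable-unsigned case the default `%_pkgverify_level` allows, which is the gap the thread describes. The sample output lines are constructed (only the key ID is taken from the bug), and `require_signed_rpm` is a hypothetical helper that needs the real `rpm` binary.

```shell
# Added example (not from the bug report or rpm). Classify `rpm -Kv` output so
# that a package whose signing key is absent from the rpmdb (NOKEY) is treated
# as unverified. With the default %_pkgverify_level (digest) rpm accepts such a
# package as if it were unsigned; a mismatch only shows up as BAD once the key
# has been imported, which is the behaviour the thread complains about.
#
# Return codes of classify_rpm_verify:
#   0  a signature line verified OK against an imported key
#   1  a signature line is BAD (content or signature does not match the key)
#   2  nothing verifiable: key not imported (NOKEY) or no signature line at all
classify_rpm_verify() {
    out=$1                       # full `rpm -Kv <pkg>` output for one package
    if printf '%s\n' "$out" | grep -q 'Signature.*: BAD'; then
        return 1
    elif printf '%s\n' "$out" | grep -q 'Signature.*: NOKEY'; then
        return 2
    elif printf '%s\n' "$out" | grep -q 'Signature.*: OK'; then
        return 0
    fi
    return 2                     # digests only: unsigned package
}

# Hypothetical gate that behaves like "%_pkgverify_level signature": refuse
# a package unless a signature checked OK. Needs rpm; not run on the samples.
require_signed_rpm() {
    classify_rpm_verify "$(rpm -Kv "$1" 2>&1)"
}

# Constructed samples modelled on rpm -Kv output; the key ID is the one quoted
# in the bug, everything else is made up for illustration.
SAMPLE_NOKEY='anydesk.rpm:
    Header V3 RSA/SHA1 Signature, key ID cdffde29: NOKEY
    Header SHA1 digest: OK
    Payload SHA1 digest: OK'
SAMPLE_BAD='anydesk.rpm:
    Header V3 RSA/SHA1 Signature, key ID cdffde29: BAD
    Header SHA1 digest: OK
    Payload SHA1 digest: OK'
SAMPLE_OK='anydesk.rpm:
    Header V3 RSA/SHA1 Signature, key ID cdffde29: OK
    Header SHA1 digest: OK
    Payload SHA1 digest: OK'
SAMPLE_UNSIGNED='local-build.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK'

for s in "$SAMPLE_NOKEY" "$SAMPLE_BAD" "$SAMPLE_OK" "$SAMPLE_UNSIGNED"; do
    rc=0; classify_rpm_verify "$s" || rc=$?
    printf '%s -> rc=%s\n' "${s%%:*}" "$rc"
done
```

Only the OK sample returns 0; NOKEY and the unsigned local build both return 2, so a caller that insists on 0 gets the strict semantics of `%_pkgverify_level signature` without the rpmdb ever having to hold the key.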