Bug 1130491

Summary: yum repo metadata is not verified (repomd.xml.asc not present, repo_gpgcheck not enabled)
Product: Fedora
Component: fedora-release
Version: 22
Status: CLOSED UPSTREAM
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Keywords: Reopened
Reporter: Joonas <joonas.lehtonen>
Assignee: Dennis Gilmore <dennis>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dennis, fedora, jdisnard, opensource, pspacek
Type: Bug
Doc Type: Bug Fix
Last Closed: 2015-10-21 19:43:58 UTC

Description Joonas 2014-08-15 11:58:08 UTC
Description of problem:
Fedora-release-20-3.noarch does not enable 'repo_gpgcheck' in .repo files by default and leaves users vulnerable to man-in-the-middle attacks [1] that manipulate repomd.xml to prevent updates from being deployed to the client.

Fedora repos do not provide signed repomd.xml files [2] (repomd.xml.asc).

yum supports signed repomd.xml files since version 3.2.18 [3]. 

[1] https://lwn.net/Articles/327847/
[2] http://download.fedoraproject.org/pub/fedora/linux/releases/20/Everything/x86_64/os/repodata/
[3] http://lists.baseurl.org/pipermail/yum-devel/2008-August/005350.html

Version-Release number of selected component (if applicable):
Fedora-release-20-3.noarch

(I'm not sure which component the repo data itself is a part of.)

How reproducible:
always

Actual results:
http://download.fedoraproject.org/pub/fedora/linux/releases/20/Everything/x86_64/os/repodata/repomd.xml.asc
results in Not Found

/etc/yum.repos.d/fedora*.repo files do not contain repo_gpgcheck=1 (defaults to 0).

Expected results:
1. Fedora repos should provide repomd.xml.asc files 
2. Fedora should ship its repo files with repo_gpgcheck=1 by default

Comment 1 Dennis Gilmore 2015-03-25 20:40:48 UTC
We have worked around signing repodata by using metalinks in mirrormanager. You request the metalink via an https URL that can be verified; it contains the SHA sums of the repomd.xml file, which then lets you validate that everything is okay and secure and protects you from any MITM attacks.

Comment 2 Petr Spacek 2015-09-10 14:10:56 UTC
Apparently https://mirrors.fedoraproject.org/metalink?repo=fedora-22&arch=x86_64 actually contains some hashes of the metadata, but mirrorlink is more like a poor man's solution (and actually not a 'solution').

In my eyes the problem is that all the security depends on the fact that Yum uses TLS to download the mirror list. I.e. it effectively protects only users who did not change the yum configuration to use a local mirror directly instead of the mirrorlist. This happens a lot in internal networks where you have site-wide mirrors of repos etc.

Can we reconsider this and sign the metadata so that all users who just mirror the official repos are protected against simple attacks where an attacker simply lets older packages in the repo?

Thank you.

Comment 3 Till Maas 2015-10-21 19:43:58 UTC
This is tracked in the rel-eng track:
https://fedorahosted.org/rel-eng/ticket/1501
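The gap discussed in Comment 1 and Comment 2 (repomd.xml is hash-checked only when fetched through the https metalink, and its signature is only checked when repo_gpgcheck=1) can be audited from the .repo files themselves. The following is an added example, not part of this bug report or of yum/dnf; the two repo sections are constructed samples, and the internal mirror hostname is a placeholder.

```python
import configparser

# Constructed sample .repo content (not taken from the bug report): one repo using
# the Fedora metalink with repo_gpgcheck enabled, and one pointing at a site-wide
# internal mirror via baseurl, as Comment 2 describes, with repo_gpgcheck left at
# its default of 0. The mirror hostname is a placeholder.
SAMPLE_REPO = """\
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1

[internal-mirror]
name=Site-wide mirror of Fedora
baseurl=http://mirror.example.internal/fedora/$releasever/$basearch/os/
enabled=1
gpgcheck=1
"""


def audit_repo_config(text):
    """Return {section: [findings]} for the yum .repo content in `text`.

    A repo is only considered protected against metadata tampering when its
    repomd.xml is either signed and checked (repo_gpgcheck=1) or hash-verified
    through an https metalink; mirrorlist/baseurl alone gives neither.
    """
    cfg = configparser.ConfigParser(interpolation=None)  # keep $releasever as-is
    cfg.read_string(text)
    report = {}
    for section in cfg.sections():
        repo = cfg[section]
        if repo.get("enabled", "1") == "0":
            continue  # a disabled repo never fetches metadata
        findings = []
        if repo.get("repo_gpgcheck", "0") != "1":
            findings.append("repo_gpgcheck not enabled: repomd.xml signature is not checked")
        metalink = repo.get("metalink")
        if metalink is None:
            findings.append("baseurl/mirrorlist only: repomd.xml hash is not verified via metalink")
        elif not metalink.startswith("https://"):
            findings.append("metalink not fetched over https: hash list is not authenticated")
        if repo.get("gpgcheck", "0") != "1":
            findings.append("gpgcheck not enabled: package signatures are not checked")
        report[section] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_repo_config(SAMPLE_REPO).items():
        print(name, "OK" if not findings else findings)
```

Run against a real host with `open("/etc/yum.repos.d/fedora.repo").read()` in place of the sample to see which repos rely on the mirrorlist alone.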