New `payload_gpgcheck` option added to *yum*
With this update, the new configuration option `payload_gpgcheck` has been added to the *yum* utility. This option enables a GNU Privacy Guard (GPG) signature check on the payload sections of packages, thus enhancing security and integrity when installing packages. Previously, when the `gpgcheck` option was enabled, *yum* only performed a GPG signature check on headers. Consequently, if the payload data were tampered with or corrupted, an RPM unpacking error occurred and the package was left in a partly installed state. This might have put the operating system into an inconsistent and vulnerable state.
You can use the new `payload_gpgcheck` option in conjunction with the `gpgcheck` or `localpkg_gpgcheck` options to prevent this problem. As a result, when `payload_gpgcheck` is enabled, *yum* performs a GPG signature check on the payload and aborts the transaction if the payload signature does not verify. Using `payload_gpgcheck` is equivalent to manually running `rpm -K` on the downloaded packages.
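The following is an added example, not part of the bug report or of yum itself: a small POSIX sh audit that reads a yum.conf-style file and reports whether the `[main]` section enables both header verification (`gpgcheck` or `localpkg_gpgcheck`) and payload verification (`payload_gpgcheck`), since the latter only takes effect alongside one of the former. It assumes only `sh` and `awk`; the sample configuration files are constructed for the demonstration, and the accepted boolean spellings (1/yes/true) are an assumption.

```shell
#!/bin/sh
# Added example (not from the bug report): audit a yum.conf-style file for
# header and payload GPG verification settings in the [main] section.

# yum_opt FILE SECTION KEY -> prints the value of KEY inside [SECTION], or
# nothing if it is not set there (keys in other sections are ignored).
yum_opt() {
    awk -v sec="$2" -v key="$3" '
        /^[[:space:]]*\[/ { in_sec = ($0 ~ "^[[:space:]]*\\[" sec "\\]"); next }
        in_sec && $0 ~ "^[[:space:]]*" key "[[:space:]]*=" {
            sub(/^[^=]*=[[:space:]]*/, ""); sub(/[[:space:]]+$/, ""); print; exit
        }' "$1"
}

# is_on VALUE -> true for the boolean spellings assumed here (1, yes, true).
is_on() {
    case "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" in
        1|yes|true) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_yum_conf FILE -> prints findings; returns 0 only when both the
# header signature and the payload signature would be verified by yum.
audit_yum_conf() {
    header_ok=1
    if is_on "$(yum_opt "$1" main gpgcheck)" || \
       is_on "$(yum_opt "$1" main localpkg_gpgcheck)"; then
        header_ok=0
    fi
    if [ "$header_ok" -ne 0 ]; then
        echo "neither gpgcheck nor localpkg_gpgcheck is enabled: packages are not verified"
        return 1
    fi
    if ! is_on "$(yum_opt "$1" main payload_gpgcheck)"; then
        echo "payload_gpgcheck is not enabled: a tampered payload is only caught by the RPM unpack error"
        return 1
    fi
    echo "ok: header and payload signatures are both verified before install"
    return 0
}
```

Run as `audit_yum_conf /etc/yum.conf`; a non-zero exit means a tampered payload could still reach the unpack step described above.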
Created attachment 1265740: pkgsplit.tar.gz
Scripts to alter the payload of a signed package so that it no longer verifies (for testing purposes).
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.
For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2017:2295