Bug 1343690

Summary: [RFE] gpgcheck performed by yum does not actually validate rpm contents against GPG signature
Product: Red Hat Enterprise Linux 7
Reporter: Valentina Mukhamedzhanova <vmukhame>
Component: yum
Assignee: Michal Domonkos <mdomonko>
Status: CLOSED ERRATA
QA Contact: Jan Blazek <jblazek>
Severity: urgent
Docs Contact: Marie Dolezelova <mdolezel>
Priority: unspecified
Version: 7.4
CC: alex, carl, james.antill, jblazek, klaas, ksrot, mdomonko, mjahoda, ovasik, pasik, qe-baseos-security, walters
Target Milestone: rc
Keywords: FutureFeature, Patch
Target Release: ---
Hardware: All
OS: Linux
Whiteboard:
Fixed In Version: yum-3.4.3-154.el7
Doc Type: Enhancement
Doc Text:
New `payload_gpgcheck` option added to *yum*

With this update, the new configuration option `payload_gpgcheck` has been added to the *yum* utility. This option enables a GNU Privacy Guard (GPG) signature check on the payload sections of packages, thus enhancing security and integrity when installing packages. Previously, when the `gpgcheck` option was enabled, *yum* only performed a GPG signature check on package headers. Consequently, if the payload data were tampered with or corrupted, an RPM unpacking error occurred and the package was left in a partly installed state. This might have put the operating system into an inconsistent and vulnerable state. You can use the new `payload_gpgcheck` option in conjunction with the `gpgcheck` or `localpkg_gpgcheck` options to prevent this problem. As a result, when `payload_gpgcheck` is enabled, *yum* performs a GPG signature check on the payload and aborts the transaction if the payload is not verified. Using `payload_gpgcheck` is equivalent to manually running "rpm -K" on the downloaded packages.
Story Points: ---
Clone Of: 1287883
: 1343692 1578345
Environment:
Last Closed: 2017-08-01 09:07:52 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Bug Depends On: 1343692
Bug Blocks: 1380360, 1393866
Attachments: pkgsplit.tar.gz (flags: none)
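Added example, not part of this bug report or of yum's own code, of the check the Doc Text describes: run `rpm -K` on the downloaded packages and refuse to install any whose payload signature or digest does not verify. The parser targets the legacy `rpm -K` line format of rpm 4.11 on RHEL 7 (lowercase check names passed, uppercase ones failed); the sample output and the cache paths in it are constructed.

```python
"""Verify downloaded RPM packages with `rpm -K` before installing them.

This mirrors what yum's payload_gpgcheck does: every package is passed
through rpm's signature/digest check and the whole batch is rejected if
any result is not "OK".
"""
import re
import subprocess
from typing import Dict, List, Tuple

# Legacy (rpm 4.11, RHEL 7) `rpm -K` output: "<file>: <checks> OK" or
# "<file>: <checks> NOT OK (reason)".  By rpm convention, a check name
# printed in lowercase passed and one printed in uppercase failed.
_LINE = re.compile(r"^(?P<path>.+?):\s+(?P<checks>.*?)\s+(?P<verdict>NOT OK.*|OK)$")


def parse_checksig(output: str) -> Dict[str, Tuple[bool, List[str]]]:
    """Map each package path to (verified, [names of failed checks])."""
    results: Dict[str, Tuple[bool, List[str]]] = {}
    for line in output.splitlines():
        m = _LINE.match(line.strip())
        if not m:
            continue  # blank or unrelated line
        verified = m.group("verdict") == "OK"
        tokens = re.findall(r"[A-Za-z0-9]+", m.group("checks"))
        failed = [t for t in tokens if t.isupper()]
        results[m.group("path")] = (verified, failed)
    return results


def unverified(output: str) -> List[str]:
    """Paths whose signature or digest check did not pass."""
    return [p for p, (ok, _) in parse_checksig(output).items() if not ok]


def check_packages(paths: List[str]) -> List[str]:
    """Run `rpm -K` on real files; returns the packages that must be rejected."""
    if not paths:
        return []
    proc = subprocess.run(["rpm", "-K"] + list(paths),
                          capture_output=True, text=True, check=False)
    return unverified(proc.stdout)


# Constructed sample output (not captured from a real system): package a
# verifies; package b has a tampered payload, so the header+payload
# signature (PGP) and the MD5 digest fail while the header-only checks pass.
SAMPLE = """\
/var/cache/yum/x86_64/7/base/packages/a-1.0-1.el7.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
/var/cache/yum/x86_64/7/base/packages/b-2.0-1.el7.x86_64.rpm: rsa sha1 (MD5) PGP MD5 NOT OK
"""

if __name__ == "__main__":
    bad = unverified(SAMPLE)
    if bad:
        raise SystemExit("refusing to install unverified packages: " + ", ".join(bad))
```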

Comment 6 Michal Domonkos 2017-03-23 13:16:28 UTC
Created attachment 1265740 [details]
pkgsplit.tar.gz

Scripts to alter the payload of a signed package so that it no longer verifies (for testing purposes).

Comment 18 errata-xmlrpc 2017-08-01 09:07:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2295