Bug 1353036

Summary: rpms in virtio-win repository are not signed
Product: [Community] Virtualization Tools Reporter: Christian Stadelmann <fedora>
Component: virtio-win Assignee: Cole Robinson <crobinso>
Status: CLOSED DEFERRED QA Contact: Virtualization Bugs <virt-bugs>
Severity: urgent Docs Contact:
Priority: unspecified    
Version: unspecified CC: bugzilla, crobinso, ghammer, juzhang, virt-maint, vrozenfe, wyu, yvugenfi
Target Milestone: --- Keywords: Security
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2020-01-19 23:29:47 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Christian Stadelmann 2016-07-05 20:56:36 UTC
Description of problem:
When downloading the .repo file from https://fedoraproject.org/wiki/Windows_Virtio_Drivers you'll see that it has gpgcheck=0 set. When setting to 1, installing any package from this repo will fail due to missing signatures.
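
An added example, not part of the original report or of the virtio-win project's code: a small Python audit for the condition described above, flagging repo sections where gpgcheck is off, or where it is on but no gpgkey is named. The sample repo text, section names, URLs, key path and the `main_gpgcheck` parameter are constructed for illustration.

```python
import configparser

TRUE_VALUES = {"1", "yes", "true", "on"}

# Constructed sample; these are not the contents of the real virtio-win.repo.
SAMPLE_REPO = """\
[example-unsigned]
baseurl=https://repo.example.invalid/unsigned/
gpgcheck=0

[example-signed]
baseurl=https://repo.example.invalid/signed/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example

[example-nokey]
baseurl=https://repo.example.invalid/nokey/
gpgcheck=1

[example-inherit]
baseurl=https://repo.example.invalid/inherit/
"""


def audit_repo_text(text, main_gpgcheck=False):
    """Return {repo_id: [findings]} for a yum/dnf .repo file given as text.

    main_gpgcheck is the value a repo inherits from [main] in dnf.conf or
    yum.conf when it has no gpgcheck line (assumption supplied by the caller).
    """
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        problems = []
        raw = repo.get("gpgcheck")
        # An explicit per-repo value overrides the inherited [main] value.
        enabled = main_gpgcheck if raw is None else raw.strip().lower() in TRUE_VALUES
        if not enabled:
            problems.append("gpgcheck unset, inherited value is off" if raw is None
                            else "gpgcheck=%s disables signature checks" % raw.strip())
        elif not repo.get("gpgkey", "").strip():
            problems.append("gpgcheck on but no gpgkey; relies on keys already imported")
        if problems:
            findings[repo_id] = problems
    return findings


if __name__ == "__main__":
    for repo_id, problems in audit_repo_text(SAMPLE_REPO).items():
        print(repo_id, "->", "; ".join(problems))
```

To audit a real system, read each file under `/etc/yum.repos.d/` and pass its text to `audit_repo_text`, setting `main_gpgcheck` to match the local `[main]` configuration.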

Comment 1 Cole Robinson 2016-07-06 14:13:55 UTC
This is something on the yum/dnf repo + packaging side, so assigning to myself. No idea if/when I'll get to it though.

Comment 2 Christian Stadelmann 2017-05-17 14:50:59 UTC
This bug has a security impact as it allows simple man-in-the-middle attacks. Can you please fix it?

Comment 3 Cole Robinson 2019-03-28 23:57:55 UTC
*** Bug 1381004 has been marked as a duplicate of this bug. ***

Comment 4 Cole Robinson 2020-01-19 23:29:47 UTC
I moved this to the github tracker: https://github.com/crobinso/virtio-win-pkg-scripts/issues/24

We are working on moving ownership of the RPM builds from me to the virtio-win devs directly, but I think in the medium term I will still maintain the fedorapeople repo. When we sort out the transition I will look into implementing this.