Bug 1879791

Summary: "dnf download" should honor gpgcheck option
Product: [Fedora] Fedora Reporter: Matt McCutchen <matt>
Component: dnf-plugins-coreAssignee: rpm-software-management
Status: CLOSED EOL QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 32CC: dmach, dridi.boukelmoune, jmracek, mblaha, packaging-team-maint, pkratoch, praiskup, rpm-software-management, vmukhame
Target Milestone: ---Keywords: FutureFeature, Triaged
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-05-25 16:45:08 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Matt McCutchen 2020-09-17 02:52:15 UTC 
Description of problem:
"dnf download" does not check GPG signatures of the packages it downloads even if the gpgcheck option for the relevant repository is enabled.  This is a needless security gotcha for users.  Fortunately, many popular repositories (including the main Fedora ones) integrity-protect the metadata with SSL and "dnf download" does check the package digests against the metadata, significantly mitigating the risk.

I suspect signature verification has some limitations that I could follow up on separately if I cared enough (e.g., I don't know if dnf checks that the package is the one it wanted rather than just any properly signed package, and some callers of "dnf download" may intend to extract the payload with rpm2cpio, which I don't think a header-only signature protects), but doing signature verification with these limitations would be a lesser violation of user expectations than not doing it at all.

Version-Release number of selected component (if applicable):
dnf-plugins-core-4.0.16-1.fc32.src.rpm

How reproducible:
Always

Steps to Reproduce:
1. Create a local repository with "gpgcheck=1" containing an unsigned RPM.
2. Try to "dnf download" that RPM.
3. Append some garbage data to the RPM in the repository without updating the metadata.
4. Try to "dnf download" the RPM again.

Actual results:
2. Successful download.
4. "Package ... has incorrect checksum" and the package is not saved to the working directory.  (Correct behavior.)

Expected results:
2. An error about the lack of a signature.

Additional info:
The only previous mention of this I see on the web is bug 1689645 comment 12, but the issue didn't seem to be followed up there.

If I had more patience, I would test upstream dnf and file the bug there if appropriate, but I don't; sorry.
Comment 1 Fedora Program Management 2021-04-29 16:37:57 UTC 
This message is a reminder that Fedora 32 is nearing its end of life.
Fedora will stop maintaining and issuing updates for Fedora 32 on 2021-05-25.
It is Fedora's policy to close all bug reports from releases that are no longer
maintained. At that time this bug will be closed as EOL if it remains open with a
Fedora 'version' of '32'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version.

Thank you for reporting this issue and we are sorry that we were not 
able to fix it before Fedora 32 is end of life. If you would still like 
to see this bug fixed and are able to reproduce it against a later version 
of Fedora, you are encouraged  change the 'version' to a later Fedora 
version prior this bug is closed as described in the policy above.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events. Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.
Comment 2 Ben Cotton 2021-05-25 16:45:08 UTC 
Fedora 32 changed to end-of-life (EOL) status on 2021-05-25. Fedora 32 is
no longer maintained, which means that it will not receive any further
security or bug fix updates. As a result we are closing this bug.

If you can reproduce this bug against a currently maintained version of
Fedora please feel free to reopen this bug against that version. If you
are unable to reopen this bug, please file a new report against the
current release. If you experience problems, please add a comment to this
bug.

Thank you for reporting this bug and we are sorry it could not be fixed.