Bug 1967454

Summary: Backport improvements of dnf signature checking using rpmkeys
Product: Red Hat Enterprise Linux 8
Reporter: amatej
Component: dnf
Assignee: Packaging Maintenance Team <packaging-team-maint>
Status: CLOSED ERRATA
QA Contact: Jan Blazek <jblazek>
Severity: unspecified
Priority: high
Version: 8.5
CC: james.antill, jblazek, pkratoch, pmatilai
Target Milestone: beta
Keywords: Triaged
Hardware: Unspecified
OS: Unspecified
Fixed In Version: dnf-4.7.0-3.el8
Doc Type: If docs needed, set a value
Last Closed: 2021-11-09 19:53:20 UTC
Type: Bug
Bug Blocks: 1969483

Description amatej 2021-06-03 08:02:26 UTC
Required PR: https://github.com/rpm-software-management/dnf/pull/1753

Test PRs: https://github.com/rpm-software-management/ci-dnf-stack/pull/1001 and https://github.com/rpm-software-management/ci-dnf-stack/pull/983

Improvements:
 - increases security of dnf signature checking
 - fixes a traceback when distro-sync encounters packages with broken signatures
 - fixes a traceback when rpmkeys binary is not found

Comment 1 Panu Matilainen 2021-06-03 08:13:40 UTC
Danger, Will Robinson. Using "%_pkgverify_level all" is conceptually wrong as it will check digests too and this is about checking signatures. In particular, this will break legacy package installation in FIPS mode due to MD5 digest being unverifiable (see https://access.redhat.com/solutions/5221661)

Comment 2 amatej 2021-06-03 09:38:35 UTC
Ah yes, then we should also backport https://github.com/rpm-software-management/dnf/pull/1775, which sets _pkgverify_level to signature.
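
The following is an added example illustrating the approach discussed in the description and in comments 1 and 2; it is not dnf's own code and not part of this bug report. It shells out to the rpmkeys binary, pins the rpm macro _pkgverify_level to "signature" (so only the OpenPGP signature is required, not the header/payload digests that make MD5-digested legacy packages unverifiable in FIPS mode), and returns a result instead of raising when rpmkeys is not installed. The function names, the SigCheck result type and the reason strings are this example's own; the parsing of rpmkeys output assumes its "<file>: ... OK" / "... NOT OK" verdict line format.

```python
"""Added example: verify an RPM's OpenPGP signature via rpmkeys.

Not dnf's code. Demonstrates the two points raised in this bug:
  * use "_pkgverify_level signature" rather than "all", so digests
    (e.g. MD5 on legacy packages under FIPS) are not required;
  * handle a missing rpmkeys binary without a traceback.
"""
import os
import shutil
import subprocess
from typing import NamedTuple, Optional

# Values accepted by rpm's %_pkgverify_level macro.
VERIFY_LEVELS = ("none", "digest", "signature", "all")


class SigCheck(NamedTuple):
    ok: bool        # True only when rpmkeys reported the signature as OK
    reason: str     # outcome token, see verify_package_signature()
    output: str     # raw rpmkeys output, or the error text when it failed to run


def find_rpmkeys(preferred: str = "/usr/bin/rpmkeys") -> Optional[str]:
    """Locate rpmkeys: prefer the canonical path, fall back to a PATH lookup."""
    if os.path.isfile(preferred) and os.access(preferred, os.X_OK):
        return preferred
    return shutil.which("rpmkeys")


def verify_package_signature(package: str,
                             installroot: str = "/",
                             rpmkeys: Optional[str] = None,
                             level: str = "signature") -> SigCheck:
    """Run `rpmkeys --checksig` on one package file and classify the result.

    reason is one of (names chosen for this example):
      "rpmkeys-missing"    - no usable rpmkeys binary (no exception raised)
      "package-missing"    - the package path does not exist
      "rpmkeys-failed"     - rpmkeys could not be executed
      "signature-rejected" - non-zero exit or a "NOT OK" verdict
      "signature-ok"       - exit 0 and a verdict line ending in " OK"
    """
    if level not in VERIFY_LEVELS:
        raise ValueError(
            f"invalid _pkgverify_level {level!r}; expected one of {VERIFY_LEVELS}")

    binary = rpmkeys if rpmkeys is not None else find_rpmkeys()
    if binary is None or not os.path.isfile(binary):
        # The "rpmkeys binary not found" case: report it, do not traceback.
        return SigCheck(False, "rpmkeys-missing", "")
    if not os.path.isfile(package):
        return SigCheck(False, "package-missing", "")

    # "--" keeps a package name beginning with "-" from being parsed as an option.
    args = [binary, "--root", installroot,
            "--define", f"_pkgverify_level {level}",
            "--checksig", "--", package]
    try:
        proc = subprocess.run(args, stdout=subprocess.PIPE, stderr=subprocess.STDOUT,
                              env={"LC_ALL": "C"}, cwd="/", text=True, check=False)
    except OSError as exc:
        return SigCheck(False, "rpmkeys-failed", str(exc))

    output = proc.stdout.strip()
    verdict = output.splitlines()[-1] if output else ""
    # Assumed rpmkeys format: "<file>: <checks> OK" or "<file>: <checks> NOT OK".
    if proc.returncode != 0 or "NOT OK" in verdict or not verdict.endswith(" OK"):
        return SigCheck(False, "signature-rejected", output)
    return SigCheck(True, "signature-ok", output)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        result = verify_package_signature(path)
        print(f"{path}: {result.reason}")
        if result.output:
            print("  " + result.output.replace("\n", "\n  "))
```

Passing level="all" reproduces the situation comment 1 warns about: rpmkeys then also requires the digests to verify, which fails for MD5-digested legacy packages on a FIPS host even when their signature is fine.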

Comment 3 amatej 2021-07-12 12:35:52 UTC
*** Bug 1976762 has been marked as a duplicate of this bug. ***

Comment 10 errata-xmlrpc 2021-11-09 19:53:20 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: dnf security and bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:4464