Bug 60611
Summary: | rpm --checksig sometimes not safe | | |
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Bart Martens <bart.martens> |
Component: | rpm | Assignee: | Jeff Johnson <jbj> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | medium | Docs Contact: | |
Priority: | medium | | |
Version: | 7.2 | Keywords: | Security |
Target Milestone: | --- | | |
Target Release: | --- | | |
Hardware: | i686 | | |
OS: | Linux | | |
Whiteboard: | | | |
Fixed In Version: | | Doc Type: | Bug Fix |
Doc Text: | | Story Points: | --- |
Clone Of: | | Environment: | |
Last Closed: | 2002-03-02 12:52:31 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | | Category: | --- |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | | | |
Description
Bart Martens
2002-03-02 12:52:26 UTC
This is neither a bug nor a feature, but rather a design choice to return 0 (i.e. success) with missing keys, further info regarding missing keys returned with -v flag specified when first implemented. FWIW, rpm-4.0.4 returns non-zero (i.e. failure) when a key was not found.

Your answer surprises me. During my test I downloaded a random rpm, packaged and signed by some unknown packager. The pgp key of the signature on the rpm was not yet in my gnupg keyring. Then I ran rpm --checksig for the rpm. What happened? The key was automatically retrieved from the keyserver and added to my keyring. At that point, the key was no longer "missing" in my keyring, but was not yet included in my personal web of trust, so should not be trusted yet. Then the key is used for the signature verification on the rpm. The signature is evaluated as valid, but we still don't know anything of the key owner. Then rpm --checksig simply says "gpg OK" without any warning on the missing PGP trust path. The rpm, the key, and the signature on the rpm may come from anyone, including trojan horse builders. This feels to me like a security bug in rpm, because of insecure/wrong use of PGP. I hope that this behaviour is not due to some design choice, and that I've missed some point somewhere...

Bart Martens

Again, a design choice. rpm -Kvv displays exactly the info returned by pgp/gpg helpers, but NOKEY and UNTRUSTED returns from helpers were not considered verification failures by rpm.
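As an added example (not part of the bug report and not rpm's own code), a small shell wrapper that applies the policy the reporter is asking for: treat a missing key (NOKEY) or a key with no trust path (UNTRUSTED) as a verification failure instead of accepting rpm's exit status of 0. The transcript lines and the assumption that these tokens appear literally in `rpm -Kvv` output are constructed for the example.

```shell
#!/bin/sh
# Strict verdict over captured `rpm -Kvv` output. The rpm discussed in this
# bug exits 0 even when the signing key is absent (NOKEY) or present but
# outside the local web of trust (UNTRUSTED); this wrapper fails closed on
# both. Output format is an assumption made for this example.

# Read one `rpm -Kvv` transcript from stdin; print a verdict and return 0
# only when the signature verified with a key that has a trust path.
classify_checksig() {
    out=$(cat)
    # Hard failures first, so a later "OK" token cannot mask them.
    case "$out" in
        *"NOT OK"*)  echo "FAIL: bad signature or digest";       return 1 ;;
        *NOKEY*)     echo "FAIL: signing key not in keyring";    return 1 ;;
        *UNTRUSTED*) echo "FAIL: key present but no trust path"; return 1 ;;
    esac
    case "$out" in
        *"gpg OK"*)  echo "PASS: signature from trusted key";    return 0 ;;
    esac
    # No recognisable result (e.g. unsigned package): do not assume success.
    echo "FAIL: no signature verification result found"
    return 1
}

# Wrapper for a real package; needs rpm installed, so not exercised here.
verify_rpm_strict() {
    rpm -Kvv "$1" 2>&1 | classify_checksig
}

# Constructed sample transcripts used to demonstrate the three outcomes.
SAMPLE_TRUSTED='foo-1.0-1.i386.rpm: md5 gpg OK'
SAMPLE_NOKEY='foo-1.0-1.i386.rpm: md5 gpg NOKEY (key not in keyring)'
SAMPLE_UNTRUSTED='foo-1.0-1.i386.rpm: md5 gpg UNTRUSTED (no trust path)'
```

Usage: `rpm -Kvv pkg.rpm 2>&1 | classify_checksig` or `verify_rpm_strict pkg.rpm`; the exit status, not rpm's, decides whether the package is accepted.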