Bug 69186

| Field | Value | Field | Value |
|---|---|---|---|
| Summary | Add configurable signature checking policies. | | |
| Product | Fedora | Reporter | Aleksey Nogin <aleksey> |
| Component | rpm | Assignee | Panu Matilainen <pmatilai> |
| Status | CLOSED UPSTREAM | QA Contact | |
| Severity | medium | Docs Contact | |
| Priority | medium | | |
| Version | rawhide | CC | alikins, nobody+pnasrat, pmatilai, rperkins, tao |
| Target Milestone | --- | Keywords | FutureFeature, Reopened |
| Target Release | --- | | |
| Hardware | i386 | | |
| OS | Linux | | |
| Whiteboard | OS | | |
| Fixed In Version | | Doc Type | Enhancement |
| Doc Text | | Story Points | --- |
| Clone Of | | Environment | |
| Last Closed | 2009-01-30 08:48:29 UTC | Type | --- |
| Regression | --- | Mount Type | --- |
| Documentation | --- | CRM | |
| Verified Versions | | Category | --- |
| oVirt Team | --- | RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- | Target Upstream Version | |
| Embargoed | | Attachments | |
Description

Aleksey Nogin, 2002-07-18 18:17:40 UTC
rpm-4.1-0.53 now has more mechanism (not policy, yet) to configure checking headers retrieved when first encountered.

Created attachment 66845: hdrchk configuration and simple benchmark

OK, the hdrchk mechanism has been simplified/generalized so that headers are signature checked on all import pathways, and on database export pathways, all per-mode configurable. Wiring the policy of what ignore/warn/error/require action to take with OK/UNTRUSTED/NOKEY/BAD events is gonna take a bit more time to implement, particularly since rpm has not a clue ATM about UNTRUSTED. The other major problem is drilling the policy up through applications (very few ATM) that use rpm-4.1. That's gonna take some time and patience and porting as well. Deferred until rpm-4.2.

> Deferred until rpm-4.2.

Rawhide has 4.2-0.5 now, reopening.

Moving to the Enterprise version.

--signature is not the reverse of --nosignature, as it implies mandatory failure on certain conditions; rpm default behavior already verifies signatures as present. The option, if attempted, also needs to be persistently configurable.

My original thoughts were to set up bit masks for each of the failure modes for each of the modes of rpm for each of the 4 signatures/digests so that the user could, say, permit query with a warning, but prevent install independently. Most of this mechanism is already implemented; what remains is to design the error return pathways for FAILNOW. exit(1) within rpmlib is not good enough, nor is a secret side effect like skipping a package. That is basically my comment cited above, disable/enable/warn/error/anal, where the "error/anal" behaviors are not yet implemented. The inertia to change comes from the plethora of applications that are using rpm, where each and every application is attempting a different form of key ring management, and hence has a different meaning for TRUSTED.

rpmlib does exit(1) only for OOM; it has been that way for a long time now. OTOH, immediate exit is essentially what the "anal" level is about, where an instant and immediate full stop may be appropriate. "error" returns an error code from rpmlib. The rate limiting steps are that the rpmlib API is not adequate to return well-defined error codes on well-known pathways. The other impediment is that new error returns must be taught to all applications that use rpmlib.

This feature is not far enough along for U4. Because the deadline is today, moving to RHEL3 U5 as a candidate.

Closing because of lack of customer/partner demand.

Reopening and moving to Fedora at request of originator.

REOPENED status has been deprecated. ASSIGNED with keyword of Reopened is preferred.

User pnasrat's account has been closed.

Reassigning to owner after bugzilla made a mess, sorry about the noise...

Fixing summary to something more sensible.

Moved to upstream tracking: http://rpm.org/ticket/29
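The thread above sketches a design but never shows it in code: a bit mask per rpm mode and per signature/digest check, mapping each verification event (OK/UNTRUSTED/NOKEY/BAD) to an action (ignore/warn/error/anal), so that query can warn while install refuses independently, and with the result returned as a code rather than an exit(1) inside rpmlib. The block below is an added example written for this page; it is not rpm's code and not from any participant in the thread. Everything in it is an assumption for illustration: the mode set is limited to query and install, the four check kinds are unnamed placeholder slots because the thread does not name them, the `mode:event=action` rule syntax is invented to stand in for the "persistently configurable" setting, and the sample header results are constructed.

```c
/* Added example, not rpm code: a per-mode, per-check bit-mask policy for
 * signature verification results, in the shape the bug discussion proposes. */
#include <stdio.h>
#include <string.h>

/* Events the thread names: OK / UNTRUSTED / NOKEY / BAD. */
enum verify_event { EV_OK, EV_UNTRUSTED, EV_NOKEY, EV_BAD, EV_COUNT };
/* Actions the thread names; "anal" is the instant full stop, "error" a code. */
enum policy_action { ACT_IGNORE, ACT_WARN, ACT_ERROR, ACT_ANAL };
/* Assumed subset of rpm modes; rpm has more, the thread contrasts these two. */
enum rpm_mode { MODE_QUERY, MODE_INSTALL, MODE_COUNT };
/* "4 signatures/digests": placeholder slots, the page does not name them. */
#define CHK_COUNT 4

/* Two bits of action per event: one byte holds the whole event->action map
 * for one (mode, check) pair. */
typedef unsigned char policy_mask;

static policy_mask policy_set(policy_mask m, enum verify_event ev, enum policy_action a) {
    m &= (policy_mask)~(3u << (2 * ev));
    return (policy_mask)(m | ((unsigned)a << (2 * ev)));
}
static enum policy_action policy_get(policy_mask m, enum verify_event ev) {
    return (enum policy_action)((m >> (2 * ev)) & 3u);
}

struct policy_table { policy_mask mask[MODE_COUNT][CHK_COUNT]; };

static const char *const mode_names[MODE_COUNT] = { "query", "install" };
static const char *const event_names[EV_COUNT] = { "ok", "untrusted", "nokey", "bad" };
static const char *const action_names[4] = { "ignore", "warn", "error", "anal" };

static int lookup(const char *const *names, int n, const char *s) {
    for (int i = 0; i < n; i++)
        if (strcmp(names[i], s) == 0) return i;
    return -1;
}

/* Apply one rule of the assumed form "mode:event=action" to all check slots.
 * Returns 0 on success, -1 if the rule is malformed or names an unknown
 * mode/event/action (unknown words must not silently become "ignore"). */
static int policy_apply_rule(struct policy_table *t, const char *rule) {
    char m[16], e[16], a[16];
    if (sscanf(rule, "%15[^:]:%15[^=]=%15s", m, e, a) != 3) return -1;
    int mi = lookup(mode_names, MODE_COUNT, m);
    int ei = lookup(event_names, EV_COUNT, e);
    int ai = lookup(action_names, 4, a);
    if (mi < 0 || ei < 0 || ai < 0) return -1;
    for (int c = 0; c < CHK_COUNT; c++)
        t->mask[mi][c] = policy_set(t->mask[mi][c], (enum verify_event)ei, (enum policy_action)ai);
    return 0;
}

/* The worked case from the thread: query only warns, install refuses. */
static struct policy_table example_policy(void) {
    struct policy_table t;
    memset(&t, 0, sizeof t);  /* all-zero mask means ignore every event */
    const char *rules[] = {
        "query:untrusted=warn",    "query:nokey=warn",    "query:bad=warn",
        "install:untrusted=error", "install:nokey=error", "install:bad=anal",
    };
    for (size_t i = 0; i < sizeof rules / sizeof rules[0]; i++)
        policy_apply_rule(&t, rules[i]);
    return t;
}

/* Combine the outcome of all four checks on one header under one mode and
 * return the most severe action as a value, the "error code from rpmlib"
 * return path the thread asks for instead of exit(1) or a silent skip. */
static enum policy_action evaluate(const struct policy_table *t, enum rpm_mode mode,
                                   const enum verify_event ev[CHK_COUNT]) {
    enum policy_action worst = ACT_IGNORE;
    for (int c = 0; c < CHK_COUNT; c++) {
        enum policy_action a = policy_get(t->mask[mode][c], ev[c]);
        if (a > worst) worst = a;
    }
    return worst;
}

int main(void) {
    struct policy_table t = example_policy();
    /* Constructed header result: three checks OK, one signature has no key. */
    enum verify_event header[CHK_COUNT] = { EV_OK, EV_OK, EV_NOKEY, EV_OK };
    printf("query:   %s\n", action_names[evaluate(&t, MODE_QUERY, header)]);
    printf("install: %s\n", action_names[evaluate(&t, MODE_INSTALL, header)]);
    return 0;
}
```

The point of encoding the policy as data rather than branches is the one the thread makes about "inertia": the caller (rpm itself, or an application built on rpmlib) chooses what UNTRUSTED or NOKEY means for its own key ring by loading different rules, while the library's verification path stays the same and only ever returns an action value.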