Bug 1130491 - yum repo metadata is not verified (repomd.xml.asc not present, repo_gpgcheck not enabled)
Alias: None
Product: Fedora
Classification: Fedora
Component: fedora-release
Version: 22
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Dennis Gilmore
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2014-08-15 11:58 UTC by Joonas
Modified: 2015-10-21 19:43 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2015-10-21 19:43:58 UTC


Description Joonas 2014-08-15 11:58:08 UTC
Description of problem:
Fedora-release-20-3.noarch does not enable 'repo_gpgcheck' in .repo files by default and leaves users vulnerable to man-in-the-middle attacks [1] that manipulate repomd.xml to prevent updates from being deployed to the client.

Fedora repos do not provide signed repomd.xml files [2] (repomd.xml.asc).

yum supports signed repomd.xml files since version 3.2.18 [3]. 

[1] https://lwn.net/Articles/327847/
[2] http://download.fedoraproject.org/pub/fedora/linux/releases/20/Everything/x86_64/os/repodata/
[3] http://lists.baseurl.org/pipermail/yum-devel/2008-August/005350.html

Version-Release number of selected component (if applicable):

(I'm not sure which component the repo data itself is a part of.)

How reproducible:

Actual results:
results in Not Found

/etc/yum.repos.d/fedora*.repo files do not contain repo_gpgcheck=1 (defaults to 0).

Expected results:
1. Fedora repos should provide repomd.xml.asc files 
2. Fedora should ship its repo files with repo_gpgcheck=1 by default
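An added example, not part of the bug report or of the fedora-release package, that audits .repo files for the second expected result: it parses the INI syntax used under /etc/yum.repos.d, lists every enabled repository that does not set repo_gpgcheck=1 (so its repomd.xml is accepted without a signature), and writes out a hardened copy. The sample .repo text, the hostname mirror.example.invalid and the function names are constructed for the example.

```python
"""Audit yum/dnf .repo files for repo_gpgcheck and produce a hardened copy.

Added example, not part of the bug report or of the fedora-release package.
It reads .repo files (INI syntax, as in /etc/yum.repos.d) and lists every
enabled repository that does not set repo_gpgcheck=1, i.e. every repository
whose repomd.xml would be accepted without a GPG signature.
"""
import configparser
import io

# Constructed sample shaped like fedora.repo: repo_gpgcheck is absent in the
# first section (yum then defaults it to 0) and explicitly 0 in the internal
# mirror; the debuginfo section is disabled and therefore not reported.
WEAK_REPO = """\
[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

[site-mirror]
name=Internal mirror (constructed)
baseurl=http://mirror.example.invalid/fedora/$releasever/$basearch/os/
enabled=1
gpgcheck=1
repo_gpgcheck=0

[fedora-debuginfo]
name=Fedora $releasever - $basearch - Debug
baseurl=http://mirror.example.invalid/fedora/$releasever/$basearch/debug/
enabled=0
gpgcheck=1
"""


def load_repo(text: str) -> configparser.ConfigParser:
    """Parse .repo text; interpolation is off so $releasever survives untouched."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return cp


def unverified_metadata(text: str) -> list:
    """Names of enabled sections whose repomd.xml signature is not checked."""
    cp = load_repo(text)
    findings = []
    for section in cp.sections():
        if not cp.getboolean(section, "enabled", fallback=True):
            continue
        # yum treats a missing repo_gpgcheck as 0
        value = cp.get(section, "repo_gpgcheck", fallback="0").strip().lower()
        if value not in ("1", "true", "yes"):
            findings.append(section)
    return findings


def harden(text: str) -> str:
    """Return the same .repo text with repo_gpgcheck=1 in every section."""
    cp = load_repo(text)
    for section in cp.sections():
        cp.set(section, "repo_gpgcheck", "1")
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)
    return out.getvalue()


if __name__ == "__main__":
    print("unverified metadata in:", unverified_metadata(WEAK_REPO))
    print(harden(WEAK_REPO))
```

Enabling repo_gpgcheck=1 makes yum fetch repomd.xml.asc alongside repomd.xml and refuse the metadata when the signature is missing or does not verify against the configured gpgkey, so the hardened file only works once the repository serves the .asc file, which is the first expected result above.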

Comment 1 Dennis Gilmore 2015-03-25 20:40:48 UTC
We have worked around signing repodata by using metalinks in MirrorManager. You request the metalink via an https URL that can be verified; it contains the sha sums of the repomd.xml file, which then lets you validate that everything is okay and secure and protects you against any MITM attacks.

Comment 2 Petr Spacek 2015-09-10 14:10:56 UTC
Apparently the
actually contains some hashes of the metadata but mirrorlink is more like poor man's solution (and actually not a 'solution').

In my eyes the problem is that all the security depends on the fact that Yum uses TLS to download the mirror list, i.e. it effectively protects only users who did not change the yum configuration to use a local mirror directly instead of the mirrorlist. This happens a lot in internal networks where you have site-wide mirrors of repos, etc.

Can we reconsider this and sign the metadata so that all users who just mirror official repos are protected against simple attacks where an attacker simply leaves older packages in the repo?

Thank you.
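An added example, not code from yum or MirrorManager, of the metalink check described in Comment 1 and of the limitation raised in Comment 2: the metalink lists size and digests of the current repomd.xml, so a repomd.xml served by a mirror is accepted only if it matches, and a stale copy of the metadata is rejected. The check is only as good as the channel the metalink came over, and a repository configured with baseurl= instead of metalink= never performs it. The metalink builder, the repomd.xml bodies and the hostname mirror.example.invalid are constructed for the example; the Metalink 3.0 element names follow the format MirrorManager serves.

```python
"""Check a downloaded repomd.xml against the digests in a metalink.

Added example, not code from yum or MirrorManager. It imitates what yum does
for a repository configured with metalink=: the metalink document (fetched
over https) lists size and digests of the current repomd.xml, and a
repomd.xml obtained from any mirror is rejected unless it matches. The check
is only as trustworthy as the channel the metalink itself came over, and a
repository configured with baseurl= never sees it.
"""
import hashlib
import hmac
import xml.etree.ElementTree as ET

ML_NS = "http://www.metalinker.org/"
STRONG_DIGESTS = ("sha512", "sha256")   # md5/sha1 entries are not relied upon


def build_metalink(repomd: bytes, hash_types=("md5", "sha1", "sha256", "sha512")) -> str:
    """Constructed stand-in for a MirrorManager metalink (Metalink 3.0 shape)."""
    hashes = "".join(
        '<hash type="%s">%s</hash>' % (t, hashlib.new(t, repomd).hexdigest())
        for t in hash_types
    )
    return (
        '<metalink version="3.0" xmlns="%s" type="dynamic">' % ML_NS
        + '<files><file name="repomd.xml"><size>%d</size>' % len(repomd)
        + "<verification>%s</verification>" % hashes
        + '<resources><url protocol="https" type="https">'
        + "https://mirror.example.invalid/fedora/repodata/repomd.xml</url>"
        + "</resources></file></files></metalink>"
    )


def verify_repomd(metalink_xml: str, repomd: bytes) -> bool:
    """True only if repomd matches the size and a strong digest in the metalink."""
    root = ET.fromstring(metalink_xml)
    ns = {"ml": ML_NS}
    for entry in root.findall("ml:files/ml:file", ns):
        if entry.get("name") != "repomd.xml":
            continue
        size = entry.findtext("ml:size", namespaces=ns)
        if size is not None and int(size) != len(repomd):
            return False
        digests = {
            h.get("type", "").lower(): (h.text or "").strip().lower()
            for h in entry.findall("ml:verification/ml:hash", ns)
        }
        for algo in STRONG_DIGESTS:
            if algo in digests:
                actual = hashlib.new(algo, repomd).hexdigest()
                return hmac.compare_digest(digests[algo], actual)
        return False          # only weak or no digests: refuse
    return False              # metalink carries no repomd.xml entry: refuse


# Constructed repomd.xml bodies: the current one, and a stale one a mirror
# might keep serving so that clients never see newer packages.
CURRENT_REPOMD = b'<repomd xmlns="http://linux.duke.edu/metadata/repo"><revision>1439640000</revision></repomd>'
STALE_REPOMD = b'<repomd xmlns="http://linux.duke.edu/metadata/repo"><revision>1420000000</revision></repomd>'

if __name__ == "__main__":
    ml = build_metalink(CURRENT_REPOMD)
    print("current repomd.xml accepted:", verify_repomd(ml, CURRENT_REPOMD))
    print("stale repomd.xml accepted:  ", verify_repomd(ml, STALE_REPOMD))
```

The two sample bodies have the same length, so the stale copy gets past the size check and is refused on the digest alone; a metalink that carries only md5 or sha1 entries is refused outright.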

Comment 3 Till Maas 2015-10-21 19:43:58 UTC
This is tracked in the rel-eng track:
