Description of problem:
Fedora-release-20-3.noarch does not enable 'repo_gpgcheck' in .repo files by default and leaves users vulnerable to man-in-the-middle attacks [1] that manipulate repomd.xml to prevent updates from being deployed to the client. Fedora repos do not provide signed repomd.xml files [2] (repomd.xml.asc). yum has supported signed repomd.xml files since version 3.2.18 [3].

[1] https://lwn.net/Articles/327847/
[2] http://download.fedoraproject.org/pub/fedora/linux/releases/20/Everything/x86_64/os/repodata/
[3] http://lists.baseurl.org/pipermail/yum-devel/2008-August/005350.html

Version-Release number of selected component (if applicable):
Fedora-release-20-3.noarch (I'm not sure which component the repo data itself is a part of.)

How reproducible:
always

Actual results:
http://download.fedoraproject.org/pub/fedora/linux/releases/20/Everything/x86_64/os/repodata/repomd.xml.asc results in Not Found.
/etc/yum.repos.d/fedora*.repo files do not contain repo_gpgcheck=1 (defaults to 0).

Expected results:
1. Fedora repos should provide repomd.xml.asc files
2. Fedora should ship its repo files with repo_gpgcheck=1 by default
We have worked around signing repodata by using metalinks in MirrorManager. You request the metalink via an https URL that can be verified; it contains the SHA sums of the repomd.xml file, which then lets you validate that everything is okay and secure and prevents any MITM attacks.
Apparently https://mirrors.fedoraproject.org/metalink?repo=fedora-22&arch=x86_64 actually contains some hashes of the metadata, but the metalink is more like a poor man's solution (and actually not a 'solution'). In my eyes the problem is that all the security depends on the fact that yum uses TLS to download the mirror list, i.e. it effectively protects only users who did not change the yum configuration to use a local mirror directly instead of the mirrorlist. This happens a lot in internal networks where you have site-wide mirrors of repos, etc. Can we reconsider this and sign the metadata so all users who just mirror the official repos are protected against simple attacks where an attacker simply leaves older packages in the repo? Thank you.
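Added example (not yum's, MirrorManager's or Fedora's own code) illustrating the two previous comments: the check the metalink gives you, and the configuration it does not cover. `verify_repomd` takes a metalink document and a downloaded repomd.xml and accepts the file only if its size and SHA-512/SHA-256 match the metalink, so a replayed older repomd.xml is rejected; `unprotected_repos` walks a .repo file and reports enabled repos that use `baseurl=` (no metalink, so no TLS-delivered hashes) without `repo_gpgcheck=1`, which is exactly the site-mirror case raised above. The metalink layout (metalinker.org v3 namespace with `<file name="repomd.xml"><verification><hash type="...">`) follows what mirrors.fedoraproject.org serves but is an assumption here; the metalink, both repomd.xml bodies and the .repo text are constructed for the demo.

```python
"""Check a repomd.xml against MirrorManager-style metalink hashes, and find
.repo entries that sidestep that check. Added example, not Fedora/yum code."""
import configparser
import hashlib
import hmac
import xml.etree.ElementTree as ET

ML_NS = "http://www.metalinker.org/"  # assumed metalink v3 namespace

# Constructed repomd.xml bodies: the current one and an older one an attacker
# on the path (or a stale local mirror) could serve instead.
GOOD_REPOMD = b"""<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1400000000</revision>
  <data type="primary"><checksum type="sha256">0000</checksum></data>
</repomd>
"""
STALE_REPOMD = GOOD_REPOMD.replace(b"1400000000", b"1300000000")

# Constructed /etc/yum.repos.d content: one metalink repo, one direct site mirror.
SAMPLE_REPO = """[fedora]
name=Fedora $releasever - $basearch
metalink=https://mirrors.fedoraproject.org/metalink?repo=fedora-$releasever&arch=$basearch
enabled=1
gpgcheck=1

[internal-mirror]
name=Site-wide mirror
baseurl=http://mirror.example.internal/fedora/$releasever/$basearch/
enabled=1
gpgcheck=1
"""


def make_metalink(repomd: bytes) -> str:
    """Build a minimal metalink (constructed) listing hashes of the current repomd.xml.
    In real life this comes from mirrors.fedoraproject.org over TLS."""
    return f"""<metalink version="3.0" xmlns="{ML_NS}">
  <files>
    <file name="repomd.xml">
      <size>{len(repomd)}</size>
      <verification>
        <hash type="sha256">{hashlib.sha256(repomd).hexdigest()}</hash>
        <hash type="sha512">{hashlib.sha512(repomd).hexdigest()}</hash>
      </verification>
    </file>
  </files>
</metalink>
"""


def verify_repomd(metalink_xml: str, candidate: bytes) -> bool:
    """True only if candidate matches the size and strongest hash the metalink carries."""
    root = ET.fromstring(metalink_xml)
    file_el = root.find(f".//{{{ML_NS}}}file[@name='repomd.xml']")
    if file_el is None:
        return False  # metalink says nothing about repomd.xml: refuse, do not fall back
    size_el = file_el.find(f"{{{ML_NS}}}size")
    if size_el is not None and int(size_el.text) != len(candidate):
        return False
    hashes = {h.get("type"): (h.text or "").strip().lower()
              for h in file_el.iter(f"{{{ML_NS}}}hash")}
    for algo in ("sha512", "sha256"):  # ignore md5/sha1 even if present
        if algo in hashes:
            digest = hashlib.new(algo, candidate).hexdigest()
            return hmac.compare_digest(digest, hashes[algo])
    return False


def unprotected_repos(repo_text: str) -> list:
    """Enabled repos that fetch from baseurl= without repo_gpgcheck=1: for these,
    nothing authenticates repomd.xml, so an older repo can be served silently."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    cp.read_string(repo_text)
    bad = []
    for name in cp.sections():
        sec = cp[name]
        if sec.get("enabled", "1").strip() == "0":
            continue
        if "metalink" in sec:
            continue  # hashes arrive over TLS from MirrorManager
        if sec.get("repo_gpgcheck", "0").strip() != "1":
            bad.append(name)
    return bad


if __name__ == "__main__":
    ml = make_metalink(GOOD_REPOMD)
    print("current repomd.xml accepted:", verify_repomd(ml, GOOD_REPOMD))
    print("stale repomd.xml accepted:  ", verify_repomd(ml, STALE_REPOMD))
    print("repos with no repomd.xml authentication:", unprotected_repos(SAMPLE_REPO))
```

The second function is the point of the thread: for `[internal-mirror]` no metalink is fetched, so the only thing that could authenticate repomd.xml is a detached signature checked under `repo_gpgcheck=1`, and the shipped files neither set that nor have a repomd.xml.asc to check against.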
This is tracked in the rel-eng track: https://fedorahosted.org/rel-eng/ticket/1501