Bug 1297087 - [RFE] Implementation of localpkg_gpgcheck option for checking gpg signature for local packages or packages specified by URL
[RFE] Implementation of localpkg_gpgcheck option for checking gpg signature f...
Status: CLOSED RAWHIDE
Product: Fedora
Classification: Fedora
Component: dnf (Show other bugs)
25
Unspecified Linux
low Severity low
: ---
: ---
Assigned To: Jaroslav Mracek
Fedora Extras Quality Assurance
: Reopened, Security, Triaged
Depends On:
Blocks: 1362452
  Show dependency treegraph
 
Reported: 2016-01-08 19:20 EST by Graham Cole
Modified: 2016-10-04 14:06 EDT (History)
9 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
: 1362452 (view as bug list)
Environment:
Last Closed: 2016-10-04 14:06:31 EDT
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Graham Cole 2016-01-08 19:20:36 EST
Description of problem:
dnf is not checking gpg signature for local packages or packages specified by URL

Version-Release number of selected component (if applicable):
1.1.5-1.fc23

How reproducible:
Every Time

Steps to Reproduce:
1. dnf install http://rpm.livna.org/livna-release.rpm
#this should fail as I did not install the livna gpg key

2. dnf install --downloadonly patch
#dnf downloads patch-2.7.5-2.fc23.x86_64.rpm
3. echo hello >> /var/cache/dnf/fedora-fe3d2f0c91e9b65c/packages/patch-2.7.5-2.fc23.x86_64.rpm
#this will corrupt the package making the signature bad
4. rpm -K /var/cache/dnf/fedora-fe3d2f0c91e9b65c/packages/patch-2.7.5-2.fc23.x86_64.rpm 
#/var/cache/dnf/fedora-fe3d2f0c91e9b65c/packages/patch-2.7.5-2.fc23.x86_64.rpm: #rsa sha1 (MD5) PGP MD5 NOT OK
5. dnf install /var/cache/dnf/fedora-fe3d2f0c91e9b65c/packages/patch-2.7.5-2.fc23.x86_64.rpm 
#dnf installs the package without realizing the package has been corrupted.

Actual results:
dnf installed both the livna package and the corrupted patch package without complaint

Expected results:
dnf should find the GPG signatures to be invalid and refuse to install the package without a --nogpgcheck flag

Additional info:
Fedora documentation states that local packages should also be checked when gpgcheck=1 in dnf.conf:

https://docs.fedoraproject.org/en-US/Fedora/23/html/System_Administrators_Guide/sec-Configuring_DNF_and_DNF_Repositories.html
Comment 1 Honza Silhan 2016-01-11 08:28:54 EST
We'll take a look.
Comment 2 Fedora Admin XMLRPC Client 2016-07-08 05:37:22 EDT
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 3 Christian Stadelmann 2016-07-24 06:03:49 EDT
How can a security bug, which also is a regression to yum AFAIK, have low severity and low priority?
Comment 4 Jan Kurik 2016-07-26 01:02:46 EDT
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle.
Changing version to '25'.
Comment 5 Jaroslav Mracek 2016-08-01 06:49:20 EDT
According to my investigation, the behavior of DNF with gpgcheck of local messages is identical to YUM. Please let me know if I overlooked something.
Comment 6 Jaroslav Mracek 2016-08-01 08:38:14 EDT
Thank you very much for report of documentation difference from preset dnf behavior. We will change it according to current behavior.

We know that security is important part of package distribution, but there is supported way - repository with only signed rpms. Repositories also solve a problem of gpg-keys distribution and checksum of metadata. To create repository, createrepo_c package can be used and repositories can be remote as well local. 

With gpgcheck for local packages or remote packages outside of repository many users can have difficulties with new behavior of DNF, therefore I think due to existing solution that this bug report I can close a notbug. If you will experience any further problem, please report it.
Comment 7 Jaroslav Mracek 2016-08-01 11:02:34 EDT
The yum has an option 'localpkg_gpgcheck' that provides requested behavior. It change the situation.
Comment 8 Jaroslav Mracek 2016-08-02 03:42:09 EDT
The option 'localpkg_gpgcheck' was already implemented in DNF, but it is not in documentation. It is going to be change by new pull-request.

https://github.com/rpm-software-management/dnf/pull/554

If you want to use gpgcheck for local packages, you have to add "localpkg_gpgcheck=1" into /etc/dnf/dnf.conf file. Have a fun with it.

Note You need to log in before you can comment on or make changes to this bug.