1343690 – [RFE] gpgcheck performed by yum does not actually validate rpm contents against GPG signature

Bug 1343690 - [RFE] gpgcheck performed by yum does not actually validate rpm contents against GPG signature

Summary: [RFE] gpgcheck performed by yum does not actually validate rpm contents again...

Keywords:
Status:	CLOSED ERRATA
Alias:	None
Product:	Red Hat Enterprise Linux 7
Classification:	Red Hat
Component:	yum
Sub Component:
Version:	7.4
Hardware:	All
OS:	Linux
Priority:	unspecified
Severity:	urgent
Target Milestone:	rc
Target Release:	---
Assignee:	Michal Domonkos
QA Contact:	Jan Blazek
Docs Contact:	Marie Hornickova
URL:
Whiteboard:
Depends On:	1343692
Blocks:	1380360 1393866
TreeView+	depends on / blocked

Reported:	2016-06-07 16:59 UTC by Valentina Mukhamedzhanova
Modified:	2017-10-25 16:58 UTC (History)
CC List:	12 users (show)
Fixed In Version:	yum-3.4.3-154.el7
Doc Type:	Enhancement
Doc Text:	New `payload_gpgcheck` option added to yum With this update, the new configuration option `payload_gpgcheck` has been added to the yum utility. This option enables a GNU Privacy Guard (GPG) signature check on the payload sections of packages, thus enhancing the security and integrity when installing packages. Previously, when `gpgcheck` option was enabled, yum only performed a GPG signature check on headers. Consequently, if the payload data were tampered with or corrupted, RPM unpacking error occurred, and the package was left in a partly installed state. This might have put the operating system into an inconsistent and vulnerable state. You can use the new `payload_gpgcheck` option in conjunction with the `gpgcheck` or `localpkg_gpgcheck` options to prevent this problem. As a result, when `payload_gpgcheck` is enabled, yum performs a GPG signature check on the payload and aborts the transaction if it is not verified. Using `payload_gpgcheck` is equivalent to manually running "rpm -K" on downloaded packages.
Clone Of:	1287883
Clones:	1343692 1578345 (view as bug list)
Environment:
Last Closed:	2017-08-01 09:07:52 UTC
Target Upstream Version:

Attachments	(Terms of Use)
pkgsplit.tar.gz (805 bytes, application/x-gzip) 2017-03-23 13:16 UTC, Michal Domonkos	no flags	Details
Add an attachment (proposed patch, testcase, etc.)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Red Hat Product Errata	RHBA-2017:2295	0	normal	SHIPPED_LIVE	yum bug fix and enhancement update	2017-08-01 12:40:03 UTC

Comment 6 Michal Domonkos 2017-03-23 13:16:28 UTC

Created attachment 1265740 [details]
pkgsplit.tar.gz

Scripts to alter the payload of a signed package so that it no longer verifies (for testing purposes).

Comment 18 errata-xmlrpc 2017-08-01 09:07:52 UTC

Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2017:2295

Note You need to log in before you can comment on or make changes to this bug.