Bug 1343690 - [RFE] gpgcheck performed by yum does not actually validate rpm contents against GPG signature
Summary: [RFE] gpgcheck performed by yum does not actually validate rpm contents again...
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: yum
Version: 7.4
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Michal Domonkos
QA Contact: Jan Blazek
Marie Hornickova
Depends On: 1343692
Blocks: 1380360 1393866
Reported: 2016-06-07 16:59 UTC by Valentina Mukhamedzhanova
Modified: 2017-10-25 16:58 UTC (History)

Fixed In Version: yum-3.4.3-154.el7
Doc Type: Enhancement
Doc Text:
New `payload_gpgcheck` option added to *yum*

With this update, the new configuration option `payload_gpgcheck` has been added to the *yum* utility. This option enables a GNU Privacy Guard (GPG) signature check on the payload sections of packages, thus enhancing security and integrity when installing packages. Previously, when the `gpgcheck` option was enabled, *yum* only performed a GPG signature check on package headers. Consequently, if the payload data were tampered with or corrupted, an RPM unpacking error occurred and the package was left in a partly installed state. This might have put the operating system into an inconsistent and vulnerable state. You can use the new `payload_gpgcheck` option in conjunction with the `gpgcheck` or `localpkg_gpgcheck` options to prevent this problem. As a result, when `payload_gpgcheck` is enabled, *yum* performs a GPG signature check on the payload and aborts the transaction if it does not verify. Using `payload_gpgcheck` is equivalent to manually running "rpm -K" on the downloaded packages.
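An added example (not from the bug report or from yum itself) that audits the `[main]` section of a yum.conf for the options the Doc Text describes, with a weak configuration beside the corrected one; both configs and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or yum): audit the [main] section of
# a yum.conf for the signature-check options discussed above. The configs
# below are constructed samples; on a real system read /etc/yum.conf.

# Weak sample: gpgcheck is on but payload_gpgcheck is absent, so only RPM
# headers are verified and a tampered payload shows up as an unpack error.
SAMPLE_YUM_CONF='[main]
keepcache=0
gpgcheck=1
localpkg_gpgcheck=0

[updates]
name=Updates
gpgcheck=1
'

# Corrected sample: payload_gpgcheck=1 makes yum verify the payload signature
# too and abort the transaction if it does not verify.
HARDENED_YUM_CONF='[main]
keepcache=0
gpgcheck=1
localpkg_gpgcheck=1
payload_gpgcheck=1
'

# yum_main_value CONF KEY: print KEY's value from the [main] section only
# (payload_gpgcheck is a global option), or nothing if it is unset there.
yum_main_value() {
    printf '%s\n' "$1" | awk -v key="$2" '
        /^[ \t]*\[/ { in_main = ($0 ~ /^[ \t]*\[main\]/); next }
        in_main && $0 ~ ("^[ \t]*" key "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); print; exit
        }'
}

# audit_yum_conf CONF: return 0 when gpgcheck=1 and payload_gpgcheck=1 are
# both set in [main]; otherwise report what is missing and return 1.
audit_yum_conf() {
    rc=0
    if [ "$(yum_main_value "$1" gpgcheck)" != "1" ]; then
        echo "gpgcheck is off: package signatures are not checked at all"; rc=1
    fi
    if [ "$(yum_main_value "$1" payload_gpgcheck)" != "1" ]; then
        echo "payload_gpgcheck is off: only RPM headers are verified"; rc=1
    fi
    return $rc
}
```

Run `audit_yum_conf "$(cat /etc/yum.conf)"` to check a live system; a non-zero exit means the payload is not being verified before unpacking.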
Clone Of: 1287883
Clones: 1343692 1578345
Last Closed: 2017-08-01 09:07:52 UTC
Target Upstream Version:

Attachments
pkgsplit.tar.gz (805 bytes, application/x-gzip)
2017-03-23 13:16 UTC, Michal Domonkos

System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2017:2295 0 normal SHIPPED_LIVE yum bug fix and enhancement update 2017-08-01 12:40:03 UTC

Comment 6 Michal Domonkos 2017-03-23 13:16:28 UTC
Created attachment 1265740 [details]

Scripts to alter the payload of a signed package so that it no longer verifies (for testing purposes).

Comment 18 errata-xmlrpc 2017-08-01 09:07:52 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

