Bug 1353036 - rpms in virtio-win repository are not signed
Summary: rpms in virtio-win repository are not signed
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Virtualization Tools
Classification: Community
Component: virtio-win
Version: unspecified
Hardware: All
OS: All
unspecified
urgent
Target Milestone: ---
Assignee: Cole Robinson
QA Contact: Virtualization Bugs
URL:
Whiteboard:
: 1381004 (view as bug list)
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2016-07-05 20:56 UTC by Christian Stadelmann
Modified: 2020-01-19 23:29 UTC (History)
8 users (show)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2020-01-19 23:29:47 UTC
Embargoed:

Attachments (Terms of Use)

Description Christian Stadelmann 2016-07-05 20:56:36 UTC 
Description of problem:
When downloading the .repo file from https://fedoraproject.org/wiki/Windows_Virtio_Drivers you'll see that it has gpgcheck=0 set. When setting to 1, installing any package from this repo will fail due to missing signatures.
Comment 1 Cole Robinson 2016-07-06 14:13:55 UTC 
This is something on the yum/dnf repo + packaging side, so assigning to myself. No idea if/when I'll get to it though
Comment 2 Christian Stadelmann 2017-05-17 14:50:59 UTC 
This bug has a security impact as it allows simple man-in-the-middle-attacks. Can you please fix it?
Comment 3 Cole Robinson 2019-03-28 23:57:55 UTC 
*** Bug 1381004 has been marked as a duplicate of this bug. ***
Comment 4 Cole Robinson 2020-01-19 23:29:47 UTC 
I moved this to the github tracker: https://github.com/crobinso/virtio-win-pkg-scripts/issues/24

We are working on moving ownership of the RPM builds from me to the virtio-win devs directly, but I think in the medium term I will still maintain the fedorapeople repo. When we sort out the transition I will look into implementing this
Note You need to log in before you can comment on or make changes to this bug.