Bug 1373331 - RFE: Sign repository metadata generated for coprs along with packages
Summary: RFE: Sign repository metadata generated for coprs along with packages
Keywords:
Status: CLOSED UPSTREAM
Alias: None
Product: Copr
Classification: Community
Component: backend
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Copr Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-09-06 03:04 UTC by Neal Gompa
Modified: 2023-04-03 18:38 UTC (History)

Fixed In Version:
Clone Of:
Environment:
Last Closed: 2023-04-03 18:38:15 UTC
Embargoed:



Description Neal Gompa 2016-09-06 03:04:15 UTC
Description of problem:
COPR currently signs packages, but not the repository metadata. Without signing the metadata, there's no obvious way to prevent DNF from reading untrusted repository metadata.

This involves adding to the signer to sign the generated repository metadata and having the frontend generate .repo files that include "repo_gpgcheck=1".

Version-Release number of selected component (if applicable):
copr-backend-1.92-1.fc24
copr-frontend-1.99-1.fc24

How reproducible:
Always

Steps to Reproduce:
1. Set a copr repo to "repo_gpgcheck=1" in /etc/yum.repos.d repo file
2. dnf --refresh install <package>

Actual results:
DNF complains that there's no repodata signature to verify.

Expected results:
DNF silently verifies that the repodata is properly signed.

Additional info:
As of https://github.com/fedora-copr/copr/commit/28e0109882afbfb52a7eedff0f38973f1cdf3432, repo_gpgcheck is currently always set to "0". If this feature request is implemented, it should be changed to get the value set the same way "gpgcheck" is.
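A check a practitioner would want after reading the report above, as an added example that is not Copr's code: audit the .repo files DNF reads and flag enabled repositories whose repo_gpgcheck is off, with a Copr-style repo placed beside a hardened definition. The sample .repo text is constructed, and audit_repo_dir assumes the standard /etc/yum.repos.d layout.

```python
"""Audit DNF .repo files for repomd.xml signing. Added example, not Copr
code; DNF treats a missing repo_gpgcheck as 0 (unsigned metadata accepted)."""
import configparser
import glob
import os

# Constructed sample modelled on a Copr-generated .repo file with the
# repo_gpgcheck=0 default described in the bug, plus a hardened repo.
SAMPLE_REPO = """\
[copr:copr.fedorainfracloud.org:example:project]
name=Copr repo for project owned by example
baseurl=https://download.copr.fedorainfracloud.org/results/example/project/fedora-$releasever-$basearch/
gpgcheck=1
repo_gpgcheck=0
enabled=1

[signed-metadata]
name=Repo that also signs repomd.xml (hardened form)
baseurl=https://repo.example.invalid/fedora/
gpgcheck=1
repo_gpgcheck=1
enabled=1
"""
_TRUTHY = {"1", "yes", "true", "on"}

def _flag(section, key, default):
    """Interpret a DNF boolean option; a missing key takes DNF's default."""
    value = section.get(key)
    return default if value is None else value.strip().lower() in _TRUTHY

def audit_repo_text(text):
    """Return [(repo_id, reason)] for enabled repos that skip a signature check."""
    parser = configparser.RawConfigParser(strict=False)
    parser.read_string(text)
    findings = []
    for repo_id in parser.sections():
        sec = parser[repo_id]
        if not _flag(sec, "enabled", True):
            continue  # a disabled repo cannot feed DNF unsigned metadata
        if not _flag(sec, "gpgcheck", False):
            findings.append((repo_id, "gpgcheck=0: packages not verified"))
        if not _flag(sec, "repo_gpgcheck", False):
            findings.append((repo_id, "repo_gpgcheck=0: repomd.xml not verified"))
    return findings

def audit_repo_dir(path="/etc/yum.repos.d"):
    """Audit every *.repo file under path (assumes the standard DNF layout)."""
    return {f: audit_repo_text(open(f, encoding="utf-8").read())
            for f in sorted(glob.glob(os.path.join(path, "*.repo")))}
```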

Comment 2 Jakub Kadlčík 2023-04-03 18:38:15 UTC
The bugs related to Copr build system are now migrated to the
default Copr team tracker:
https://github.com/fedora-copr/copr/issues/2644

