Bug 1373331 - [RFE] Sign repository metadata generated for coprs along with packages
Summary: [RFE] Sign repository metadata generated for coprs along with packages
Keywords:
Status: NEW
Alias: None
Product: Copr
Classification: Community
Component: backend
Version: unspecified
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Copr Team
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2016-09-06 03:04 UTC by Neal Gompa
Modified: 2020-03-19 02:59 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:



Description Neal Gompa 2016-09-06 03:04:15 UTC
Description of problem:
COPR currently signs packages, but not the repository metadata. Without signing the metadata, there's no obvious way to prevent DNF from reading untrusted repository metadata.

This involves adding to the signer to sign the generated repository metadata and having the frontend generate .repo files that include "repo_gpgcheck=1".

Version-Release number of selected component (if applicable):
copr-backend-1.92-1.fc24
copr-frontend-1.99-1.fc24

How reproducible:
Always

Steps to Reproduce:
1. Set a copr repo to "repo_gpgcheck=1" in /etc/yum.repos.d repo file
2. dnf --refresh install <package>

Actual results:
DNF complains that there's no repodata signature to verify.

Expected results:
DNF silently verifies that the repodata is properly signed.

Additional info:
As of https://github.com/fedora-copr/copr/commit/28e0109882afbfb52a7eedff0f38973f1cdf3432, repo_gpgcheck is currently always set to "0". If this feature request is implemented, it should be changed to get the value set the same way "gpgcheck" is.
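As an added illustration of the change the report asks for (not Copr's own code, and the repo name, URLs and key path are constructed placeholders), the following renders a .repo stanza in which repo_gpgcheck is derived from the same value as gpgcheck, and audits existing .repo text for repos that verify packages but leave the metadata unverified. DNF accepts 1/true/yes as truthy for these boolean options, so the audit normalises those spellings.

```python
"""Added example: tie repo_gpgcheck to gpgcheck when generating dnf .repo
stanzas, and audit .repo text for repos whose metadata is not verified.
This is illustrative code, not the Copr frontend's generator; the
name, URLs and key path used in the sample are constructed."""
import configparser

TRUE_VALUES = ("1", "true", "yes", "on")


def _as_bool(value):
    """Normalise the spellings dnf accepts for boolean options."""
    return value.strip().lower() in TRUE_VALUES


def render_copr_repo(name, baseurl, gpgkey, gpgcheck=True):
    """Render a .repo stanza. repo_gpgcheck follows gpgcheck instead of
    being hard-coded to 0, so a repo with signed metadata is verified."""
    flag = "1" if gpgcheck else "0"
    return (
        f"[{name}]\n"
        f"name={name}\n"
        f"baseurl={baseurl}\n"
        f"type=rpm-md\n"
        f"skip_if_unavailable=True\n"
        f"gpgcheck={flag}\n"
        f"repo_gpgcheck={flag}\n"
        f"gpgkey={gpgkey}\n"
        f"enabled=1\n"
    )


def audit_repo_text(text):
    """Return the names of repos that check package signatures (gpgcheck=1)
    but not repository metadata (repo_gpgcheck missing or 0), i.e. repos
    where dnf would accept unsigned or tampered repodata."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = []
    for section in parser.sections():
        pkg_check = _as_bool(parser.get(section, "gpgcheck", fallback="0"))
        md_check = _as_bool(parser.get(section, "repo_gpgcheck", fallback="0"))
        if pkg_check and not md_check:
            findings.append(section)
    return findings


# Constructed sample: what a copr .repo file looks like with repo_gpgcheck
# hard-coded to 0, i.e. packages verified but metadata not.
WEAK_REPO = """\
[copr:copr.fedorainfracloud.org:example:project]
name=Copr repo for project owned by example
baseurl=https://download.copr.example/results/example/project/fedora-$releasever-$basearch/
type=rpm-md
skip_if_unavailable=True
gpgcheck=1
repo_gpgcheck=0
gpgkey=https://download.copr.example/results/example/project/pubkey.gpg
enabled=1
"""

if __name__ == "__main__":
    print("metadata unverified in:", audit_repo_text(WEAK_REPO))
    fixed = render_copr_repo(
        "copr:copr.fedorainfracloud.org:example:project",
        "https://download.copr.example/results/example/project/fedora-$releasever-$basearch/",
        "https://download.copr.example/results/example/project/pubkey.gpg",
    )
    print("metadata unverified in:", audit_repo_text(fixed))
```

Setting repo_gpgcheck=1 only helps once the backend actually publishes a detached signature of repomd.xml alongside the metadata; until then dnf fails with the "no repodata signature" error the steps above describe, which is why the flag and the signer change belong together.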

