Red Hat Bugzilla – Bug 155425
fedora keys should not be downloaded
Last modified: 2014-01-21 17:51:41 EST
Description of problem:
the key to verify packages of fedora and fedora-extras should be part of the
installation iso-image to prevent spoofing
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Fedora Core just installed
2. yum install xloxkmore
3. ... yum downloads and asks to import the key ...
rpm --import /usr/share/doc/fedora-release-*/RPM-GPG-KEY*
But they should be automatically imported at install time (or during first boot?)
We should change fedora-release to specify the path to the key... which probably
is going to mean moving them out of just being in
/usr/share/doc/fedora-release-version to somewhere more predictable (without the
What specific actions in which packages are needed to resolve this bug? If
someone doesn't use up2date, is there anything that does an auto-import of the keys?
yum auto-imports the keys, yes.
If a repo has gpgkey=url://to/key (file:// URLs allowed), then if/when a package
from that repo is downloaded and a GPG key verification is needed, the key
will be downloaded/imported.
/usr/share/doc is also a bad location because files there can be excluded from
installation with rpm --excludedocs.
So this is really two fixes:
* yum repo definitions shipped in FC should have gpgkey=url:// point at a local
file rather than remote file.
* /etc/somewhere is a logical place to put these keys.
up2date ships its own copy of the Fedora keys in /usr/share/rhn/. Nothing should
rely on anything in /usr/share/doc.
Elliot do you want to go ahead with the suggestions in Comment #4 and #5? That
is 1) Move the keys in fedora-release into a non-versioned and non-doc
2) point yum to those local files rather than a network URL for downloading keys.
already fixed in CVS.
*** Bug 157144 has been marked as a duplicate of this bug. ***
Unless I am totally misunderstanding this situation, this needs fixing in both
fedora-release and yum. fedora-release needs the key files to exist somewhere
outside of %doc dirs, while yum needs gpgkeys= to local file URLs to find them.
Warren, I guess you are mistaken. yum repository data is actually in the
fedora-release package, as far as I know.
OK, yum doesn't need changing, but fedora-release does.
FC4-0520.0 candidate tree contains fedora-release-3.92-1.
/etc/yum.repos.d/ still contains
The .repo files in CVS do use file:// URLs, but they still install keys using
%doc which is wrong. rpm --excludedocs would break this, which is supposed to
be a supported way of using the operating system.
The RPM GPG keys should be installed anywhere but %doc. up2date installs
another copy into /usr/share/rhn. Where should we put the fedora-release copy?
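An added example, not from the bug report and not code from yum or fedora-release: a POSIX shell audit of the gpgkey= settings in a .repo file. It flags the two failure modes discussed in the comments above, a key that yum would fetch over the network at first use (Comment on gpgkey=url:// and the "two fixes"), and a file:// key whose file is not on disk, which is what happens when the key ships as %doc and the system was installed with rpm --excludedocs. The repo names, paths, key contents and the example.invalid host are constructed for the demonstration; key_is_doc assumes rpm is installed on the host and is not exercised by the offline sample.

```shell
#!/bin/sh
# Added example (not from the bug report, yum or fedora-release).
# Audits gpgkey= settings in a yum .repo file for the two problems discussed
# in this bug: a key that yum would download over the network at first use,
# and a file:// key whose file is not on disk (e.g. packaged as %doc and
# dropped by rpm --excludedocs). Repo names, paths and key contents are
# constructed for the demonstration.

# verdict REPO GPGCHECK GPGKEY
# Prints one line per key URL: "REPO OK|WEAK|MISSING reason".
# Returns 0 only if signature checking is on and every key is a present local file.
verdict() {
    repo=$1; gpgcheck=$2; gpgkey=$3; bad=0
    if [ "$gpgcheck" != 1 ]; then
        echo "$repo WEAK gpgcheck is not 1, package signatures are not verified"
        return 1
    fi
    if [ -z "$gpgkey" ]; then
        echo "$repo WEAK gpgcheck=1 but no gpgkey, import will prompt or fail"
        return 1
    fi
    for url in $gpgkey; do          # yum accepts several space-separated key URLs
        case $url in
            file://*)
                path=${url#file://}
                if [ -f "$path" ]; then
                    echo "$repo OK local key $path"
                else
                    echo "$repo MISSING local key $path is absent (rpm --excludedocs?)"
                    bad=1
                fi ;;
            http://*|https://*|ftp://*)
                echo "$repo WEAK key fetched over the network at first use: $url"
                bad=1 ;;
            *)
                echo "$repo WEAK unrecognised gpgkey value: $url"
                bad=1 ;;
        esac
    done
    return $bad
}

# audit_repo_file FILE
# Walks the INI-style .repo file, emits a verdict per [section], returns 0 only
# if every section passes.
audit_repo_file() {
    rc=0; cur=; check=; key=
    while IFS= read -r line || [ -n "$line" ]; do
        # trim whitespace/CR and normalise "key = value" to "key=value"
        line=$(printf '%s' "$line" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; s/^\([A-Za-z_]*\)[[:space:]]*=[[:space:]]*/\1=/')
        case $line in
            ''|\#*|\;*) ;;                       # blank line or comment
            \[*\])                               # new section: judge the previous one
                if [ -n "$cur" ]; then verdict "$cur" "$check" "$key" || rc=1; fi
                cur=${line#'['}; cur=${cur%']'}; check=; key= ;;
            gpgcheck=*) check=${line#gpgcheck=} ;;
            gpgkey=*)   key=${line#gpgkey=} ;;
        esac
    done < "$1"
    if [ -n "$cur" ]; then verdict "$cur" "$check" "$key" || rc=1; fi
    return $rc
}

# key_is_doc PATH
# 0 if rpm records PATH as a %doc file of its owning package (so --excludedocs
# would drop it), 1 if not, 2 if no package owns it. Needs rpm on the host;
# the offline sample below does not call it.
key_is_doc() {
    pkg=$(rpm -qf "$1" 2>/dev/null) || return 2
    rpm -q --docfiles "$pkg" 2>/dev/null | grep -qx "$1"
}

# write_sample DIR
# Writes a constructed key file and a constructed .repo under DIR and prints
# the .repo path. Sections: good (local key present), remote (network key),
# docs (local key path that does not exist), nocheck (gpgcheck=0).
write_sample() {
    dir=$1
    mkdir -p "$dir/pki/rpm-gpg"
    printf '%s\n' '-----BEGIN PGP PUBLIC KEY BLOCK-----' \
        'constructed placeholder, not a real key' \
        '-----END PGP PUBLIC KEY BLOCK-----' > "$dir/pki/rpm-gpg/RPM-GPG-KEY-example"
    cat > "$dir/example.repo" <<EOF
[good]
name=Key shipped in a stable, non-doc directory
gpgcheck=1
gpgkey=file://$dir/pki/rpm-gpg/RPM-GPG-KEY-example

[remote]
name=Key downloaded from the mirror at first use
gpgcheck = 1
gpgkey=http://example.invalid/RPM-GPG-KEY-example

[docs]
name=Key packaged as %doc and removed by rpm --excludedocs
gpgcheck=1
gpgkey=file://$dir/doc/fedora-release-9.99/RPM-GPG-KEY-example

[nocheck]
name=Signature checking disabled
gpgcheck=0
EOF
    echo "$dir/example.repo"
}

# Stand-alone run over the constructed sample.
sample_dir=$(mktemp -d) && repo_file=$(write_sample "$sample_dir")
audit_repo_file "$repo_file" || echo "one or more repos need fixing"
rm -rf "$sample_dir"
```

Run `audit_repo_file` over each file in /etc/yum.repos.d/ on a real host to find repos that still point gpgkey= at a mirror; for any file:// key it reports as OK, `key_is_doc` tells you whether the owning package installed it as %doc, in which case an --excludedocs install would have silently turned that OK into MISSING.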
Under /usr/share/doc is fine. Stop reopening this bug already.
Would it be wrong if I moved it out of /usr/share/doc? Please don't depend on
anything in /usr/share/doc...
After subsequent discussion it was decided to move RPM-GPG-KEY* into an
unchanging named directory. /etc/pki/rpm-gpg seems appropriate. This is now
checked into CVS for fedora-release-4-1.