A PGP signature bypass was found in fwupd, which could lead to possible installation of unsigned firmware.
As per upstream:
* For Red Hat Enterprise Linux 7: LVFS (the Linux Vendor Firmware Service, a secure portal which allows hardware vendors to upload firmware updates; the site is used by all major Linux distributions to provide metadata for clients such as fwupdmgr and GNOME Software) was never enabled there. The PGP bypass is possible but not implementable.
* For Red Hat Enterprise Linux 8: The LVFS is disabled and never used the Amazon CDN. PGP bypass possible, but not implementable.
More information available at:
Name: Justin Steven
Created fwupd tracking bugs for this issue:
Affects: fedora-all [bug 1844317]