Description:

A race condition in osbuild-composer can cause GPG verification to be disabled for package repositories. Triggering this behavior requires adding not only the third-party repo with the RPMs you wish to GPG-check, but also an additional repo with GPG checking disabled. Code in the affected versions of osbuild-composer causes third-party repos to unintentionally share the checkgpg setting, and in some cases the insecure setting wins.

This issue was addressed and fixed internally (for an unrelated bug) in https://github.com/osbuild/osbuild-composer/commit/b786178077a23bc6aca9f65ee58651bd4dfb1244, which was included in osbuild-composer 94. The fix might need to be backported to currently supported RHEL versions that do not have this commit. The associated GitHub Security Advisory is not yet public, so this bug is currently embargoed.

Impact: This can lead to installing untrusted code into an image being built.

Affected versions: previous versions (< 94)

I'll add the PoC/steps to reproduce ASAP.
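To illustrate the class of defect described above (several repos unintentionally sharing one checkgpg setting so that the insecure value wins), here is an added Go example. It is a hypothetical model, not osbuild-composer's code: RepoDef, RepoConfig, resolveAliased, resolveIsolated and uncheckedRepos are invented names, and the defective variant aliases every repo to one shared default flag while the hardened variant gives each repo its own.

```go
package main
// RepoDef is user input: a repo name and whether GPG checking was explicitly
// disabled for it. Hypothetical shape, not osbuild-composer's real types.
type RepoDef struct {
	Name            string
	DisableGPGCheck bool
}

// RepoConfig is the resolved setting. CheckGPG is a pointer so "unset" can be
// told from "false"; that is also what makes accidental sharing possible.
type RepoConfig struct {
	Name     string
	CheckGPG *bool
}
// resolveAliased is the defective pattern: every repo points at ONE shared
// default and disabling writes through that pointer, so one repo with
// gpgcheck off flips the flag for all of them (the insecure setting wins).
func resolveAliased(defs []RepoDef) []RepoConfig {
	defaultCheck := true
	out := make([]RepoConfig, 0, len(defs))
	for _, d := range defs {
		r := RepoConfig{Name: d.Name, CheckGPG: &defaultCheck}
		if d.DisableGPGCheck {
			*r.CheckGPG = false // BUG: mutates the shared default
		}
		out = append(out, r)
	}
	return out
}
// resolveIsolated is the hardened form: each repo gets its own bool, so one
// repo's insecure setting cannot leak into another's.
func resolveIsolated(defs []RepoDef) []RepoConfig {
	out := make([]RepoConfig, 0, len(defs))
	for _, d := range defs {
		check := !d.DisableGPGCheck // fresh variable per iteration
		out = append(out, RepoConfig{Name: d.Name, CheckGPG: &check})
	}
	return out
}
// uncheckedRepos lists repos whose packages would install without GPG
// verification; a pipeline can assert this equals what the user requested.
func uncheckedRepos(repos []RepoConfig) []string {
	var names []string
	for _, r := range repos {
		if r.CheckGPG == nil || !*r.CheckGPG {
			names = append(names, r.Name)
		}
	}
	return names
}
```

With a signed vendor repo plus one repo that disables checking, the aliased resolver reports both repos as unchecked while the isolated resolver reports only the one the user disabled; comparing uncheckedRepos against the requested settings before the build proceeds is a cheap regression guard for this bug class.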
Created osbuild-composer tracking bugs for this issue: Affects: fedora-all [bug 2270310]