Description of problem:
Yum currently only checks that a package is signed with one of the imported keys, even though each repo typically is associated with a specific key. Checking for the repo-specific key would prevent problems such as having the test or devel Fedora keys imported, and having one of those packages accidentally make its way into updates-released, where it gets validated and installed, even though it's not ready. It might not be malicious, but could cause problems due to simple bugginess.

This bug report was motivated by the recent mistake of the yum RPM signed by the Fedora test key being in updates-released. I had the Fedora test key imported and didn't notice the problem. It would be nice to be able to import all of Fedora's keys but know that mistakes such as this would still be flagged. As it is, I removed the test key to make sure I notice this type of mistake in the future, and will have to reinstall it if I ever need to temporarily install a fedora-test package again.

Version-Release number of selected component (if applicable):
yum-3.2.8-2.fc8

How reproducible:
always

Steps to Reproduce:
1. Use yum to attempt to install/update a package signed with an imported key not associated with the repo it's coming from.

Actual results:
Package gets installed/updated without any indication of the problem.

Expected results:
Mismatched keys should stop the installation/update or at least trigger a warning.

proposed patch: diff --git a/plugins/priorities/priorities.py b/plugins/priorities/priorities.py index fd33591..2d6ca5a 100644 --- a/plugins/priorities/priorities.py +++ b/plugins/priorities/priorities.py @@ -82,10 +82,11 @@ def config_hook(conduit): def exclude_hook(conduit): global only_samearch + only_samearch = False # Check whether the user specified the --samearch option. opts, commands = conduit.getCmdLine() - if opts.samearch: + if opts and opts.samearch: only_samearch = True cnt = 0
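Review bot: The added "only_samearch = False" at the top of exclude_hook unconditionally resets the module-level global on every call, so any value assigned to it before this hook runs is discarded. If the aim is only to cope with conduit.getCmdLine() returning empty opts, the "if opts and opts.samearch:" guard already does that, and the default would be better set once at module level. A short comment saying when opts can be empty would also help, since the existing comment only mentions the --samearch option.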
Argh, sorry, that last comment was pasted into the wrong bug report. Ignore, please.
This is something we will want to do for the future, but not quite ready for, yet.
As an explanation: when the rpm bindings change to get rid of the rpmdb-based gpg keys, we'll make sure this happens.
This message is a reminder that Fedora 8 is nearing its end of life. Approximately 30 (thirty) days from now Fedora will stop maintaining and issuing updates for Fedora 8. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 8 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora please change the 'version' of this bug to the applicable version. If you are unable to change the version, please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.

The process we are following is described here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping

Comment#4 is still true, although CA keys added a bunch of infra. to yum. Unlikely the rpm side will change before dnf is the new thing so moving.
The fact that this hasn't escalated enough since 2007 makes me think that the functionality would only increase complexity without adding something that users in general would appreciate. Also the RPM part is not even planned afaik (bugzilla?). Closing as wontfix, will consider reopening if there's more pressure from different directions for this.
Just to correct a misunderstanding or two: rpm has supported (and used for signature checking) an in-memory keyring since version 4.6.0, released in 2009. The default keyring is populated from gpg-keys in the rpmdb but you can use your own, custom-populated with whatever keys. So it should be possible to implement this by creating per-repo keyrings and switching between the ring when checking signatures. Possible but a bit cumbersome as a transaction set is needed (kinda pointlessly) for the signature checking still. Exporting the interface to finally remove that stupid limitation might actually happen in rpm 4.12, but I've been in no hurry with that as yum has insisted with rpm 4.4.x compatibility, which makes using features from newer versions harder than it would otherwise be so I haven't bothered to even try in this case. Perhaps I should look at doing it with dnf now (regardless of this bug really), there are other benefits like eliminating blocked signals (from open rpmdb) in explicitly utilizing the in-memory keyring.
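
The difference between the check described in the report and the per-repo keyring idea from the last comment, as an added example (not yum, dnf or rpm code). The repo id "test", the key file URLs, key IDs and package list are constructed; the code models only the keyring decision and does no actual signature verification.

```python
import configparser

# Constructed sample config: each repo names its own key via gpgkey=.
REPO_CONF = """
[updates-released]
gpgkey=file:///keys/KEY-release
[test]
gpgkey=file:///keys/KEY-test
"""
# Constructed: key ID carried by each key file (a real tool would parse the key).
KEY_FILE_IDS = {"file:///keys/KEY-release": "1111aaaa",
                "file:///keys/KEY-test": "2222bbbb"}
# Constructed packages: (name, repo it came from, key ID of its signature).
PACKAGES = [("yum", "updates-released", "2222bbbb"),
            ("bash", "updates-released", "1111aaaa"),
            ("foo", "test", "2222bbbb")]

def load_repo_keyrings(conf_text, key_file_ids):
    """Build one keyring (set of key IDs) per repo from its gpgkey= option."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    rings = {}
    for repo in cp.sections():
        urls = cp.get(repo, "gpgkey", fallback="").split()
        rings[repo] = {key_file_ids[u] for u in urls if u in key_file_ids}
    return rings

def check_any_imported(key_id, rings):
    """Behaviour described in the report: any imported key is accepted."""
    return key_id in set().union(*rings.values())

def check_repo_key(repo, key_id, rings):
    """Requested behaviour: only the originating repo's keyring is consulted."""
    return key_id in rings.get(repo, set())

def audit(packages, rings):
    """Packages the global check accepts but the per-repo check rejects."""
    return [(name, repo) for name, repo, key_id in packages
            if check_any_imported(key_id, rings)
            and not check_repo_key(repo, key_id, rings)]

if __name__ == "__main__":
    for name, repo in audit(PACKAGES, load_repo_keyrings(REPO_CONF, KEY_FILE_IDS)):
        print(f"WARNING: {name} from {repo} is signed by a key of another repo")
```

Only the test-signed yum package in updates-released is flagged; the same key on a package from the "test" repo passes both checks.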