Red Hat Bugzilla – Bug 422221
RFE: yum should check that packages are signed with a specific repo's key
Last modified: 2014-04-29 14:47:40 EDT
Description of problem:
Yum currently only checks that a package is signed with one of the imported
keys, even though each repo typically is associated with a specific key.
Checking for the repo-specific key would prevent problems such as having the
test or devel Fedora keys imported, and having one of those packages
accidentally make its way into updates-released, where it gets validated and
installed, even though it's not ready. It might not be malicious, but could
cause problems due to simple bugginess. This bug report was motivated by the
recent mistake of the yum RPM signed by the Fedora test key being in
updates-released. I had the Fedora test key imported and didn't notice the
problem. It would be nice to be able to import all of Fedora's keys but know
that mistakes such as this would still be flagged. As it is, I removed the test
key to make sure I notice this type of mistake in the future, and will have to
reinstall it if I ever need to temporarily install a fedora-test package again.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use yum to attempt to install/update a package signed with an imported key
   not associated with the repo it's coming from.

Actual results:
Package gets installed/updated without any indication of the problem.

Expected results:
Mismatched keys should stop the installation/update or at least trigger a warning.
diff --git a/plugins/priorities/priorities.py b/plugins/priorities/priorities.py
index fd33591..2d6ca5a 100644
@@ -82,10 +82,11 @@ def config_hook(conduit):
+ only_samearch = False
# Check whether the user specified the --samearch option.
opts, commands = conduit.getCmdLine()
- if opts.samearch:
+ if opts and opts.samearch:
only_samearch = True
cnt = 0
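Review bot: `if opts and opts.samearch:` guards against `conduit.getCmdLine()` returning `None` for `opts`, but it still raises `AttributeError` when an opts object exists without a `samearch` attribute (the option not having been registered on that code path); `if opts and getattr(opts, 'samearch', False):` covers both cases. Initializing `only_samearch = False` ahead of the check is correct, since the variable is now read on the path where the guard is false.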
Sorry, that last comment was pasted into the wrong bug report.
This is something we will want to do for the future, but not quite ready for yet.
As an explanation: when the rpm bindings change to get rid of the rpmdb-based gpg keys, we'll make sure this happens.
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8. It is Fedora's policy to close all
bug reports from releases that are no longer maintained. At that time
this bug will be closed as WONTFIX if it remains open with a Fedora
'version' of '8'.
Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version'
to a later Fedora version prior to Fedora 8's end of life.
Bug Reporter: Thank you for reporting this issue and we are sorry that
we may not be able to fix it before Fedora 8 is end of life. If you
would still like to see this bug fixed and are able to reproduce it
against a later version of Fedora please change the 'version' of this
bug to the applicable version. If you are unable to change the version,
please add a comment here and someone will do it for you.
Although we aim to fix as many bugs as possible during every release's
lifetime, sometimes those efforts are overtaken by events. Often a
more recent Fedora release includes newer upstream software that fixes
bugs or makes them obsolete.
The process we are following is described here:
Comment #4 is still true, although CA keys added a bunch of infra to yum. Unlikely the rpm side will change before dnf is the new thing, so moving.
The fact that this hasn't escalated enough since 2007 makes me think that the functionality would only increase complexity without adding something that users in general would appreciate. Also the RPM part is not even planned afaik (bugzilla?). Closing as wontfix, will consider reopening if there's more pressure from different directions for this.
Just to correct a misunderstanding or two: rpm has supported (and used for signature checking) an in-memory keyring since version 4.6.0, released in 2009. The default keyring is populated from gpg-keys in the rpmdb but you can use your own, custom-populated with whatever keys.
So it should be possible to implement this by creating per-repo keyrings and switching between the rings when checking signatures. Possible but a bit cumbersome, as a transaction set is still needed (kinda pointlessly) for the signature checking. Exporting the interface to finally remove that stupid limitation might actually happen in rpm 4.12, but I've been in no hurry with that, as yum has insisted on rpm 4.4.x compatibility, which makes using features from newer versions harder than it would otherwise be, so I haven't bothered to even try in this case.
Perhaps I should look at doing it with dnf now (regardless of this bug really); there are other benefits, like eliminating blocked signals (from open rpmdb) by explicitly utilizing the in-memory keyring.
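As an added illustration of the per-repo check this report asks for (example code, not yum's or rpm's own), the block below pulls the issuer key ID out of an OpenPGP v4 signature packet and accepts a package only when that key is one configured for the repo it came from, placed next to yum's current "any imported key" rule so the mismatch from the description shows up. The repo-to-key mapping and the signature packet are constructed samples with placeholder key IDs, not real Fedora keys; a real implementation would hand per-repo keyrings to rpm's in-memory keyring as described in the comment above.

```python
import struct
# Constructed sample policy: key IDs each repo may sign with (placeholder IDs, not real Fedora keys).
REPO_KEYS = {
    "updates-released": {"0123456789ABCDEF"},
    "updates-testing": {"FEDCBA9876543210"},
}
def _subpackets(data):
    """Yield (type, body) for each signature subpacket (RFC 4880 section 5.2.3.1)."""
    i = 0
    while i < len(data):
        first, i = data[i], i + 1
        if first < 192:
            length = first
        elif first < 255:
            length, i = ((first - 192) << 8) + data[i] + 192, i + 1
        else:
            length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
        yield data[i] & 0x7F, data[i + 1:i + length]   # mask the critical bit
        i += length

def signer_key_id(packet):
    """Issuer key ID (16 hex chars) of a v4 OpenPGP signature packet with an old-format header."""
    tag = packet[0]
    if tag & 0xC0 != 0x80 or (tag >> 2) & 0x0F != 2:
        raise ValueError("not an old-format OpenPGP signature packet")
    body = packet[2 if tag & 0x03 == 0 else 3:]      # 1- or 2-byte length field
    if body[0] != 4:
        raise ValueError("only v4 signatures are handled")
    pos = 4                                          # version, sig type, pk alg, hash alg
    for _ in range(2):                               # hashed, then unhashed subpacket area
        count, pos = struct.unpack(">H", body[pos:pos + 2])[0], pos + 2
        for sptype, spbody in _subpackets(body[pos:pos + count]):
            if sptype == 16 and len(spbody) == 8:    # issuer subpacket
                return spbody.hex().upper()
        pos += count
    raise ValueError("signature carries no issuer subpacket")

def signed_by_any_imported_key(signature, repo_keys=REPO_KEYS):
    """yum's current rule: accept if the signer is any imported key, whatever the repo."""
    return signer_key_id(signature) in set().union(*repo_keys.values())
def check_package_key(repo_id, signature, repo_keys=REPO_KEYS):
    """Requested rule: accept only if the signer is a key configured for this repo."""
    key_id = signer_key_id(signature)
    return key_id in repo_keys.get(repo_id, set()), key_id
def sample_signature(key_id_hex):
    """Constructed minimal v4 RSA/SHA-256 signature carrying an issuer subpacket; the MPI is a dummy."""
    issuer = bytes([9, 16]) + bytes.fromhex(key_id_hex)
    body = bytes([4, 0, 1, 8]) + struct.pack(">H", len(issuer)) + issuer
    body += struct.pack(">H", 0) + b"\xab\xcd" + struct.pack(">H", 8) + b"\xff"
    return bytes([0x88, len(body)]) + body
```

A package signed with the testing key but served from updates-released passes `signed_by_any_imported_key` yet fails `check_package_key`, which is exactly the case the description reports.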