Bug 422221 - RFE: yum should check that packages are signed with a specific repo's key
Product: Fedora
Classification: Fedora
Component: dnf
Hardware: All
OS: Linux
Priority: low
Severity: low
Assigned To: packaging-team-maint
QA Contact: Fedora Extras Quality Assurance
Keywords: FutureFeature
Reported: 2007-12-12 13:08 EST by Andre Robatino
Modified: 2014-04-29 14:47 EDT (History)
Doc Type: Enhancement
Last Closed: 2014-04-29 01:54:45 EDT

Description Andre Robatino 2007-12-12 13:08:45 EST
Description of problem:
  Yum currently only checks that a package is signed with one of the imported
keys, even though each repo typically is associated with a specific key. 
Checking for the repo-specific key would prevent problems such as having the
test or devel Fedora keys imported, and having one of those packages
accidentally make its way into updates-released, where it gets validated and
installed, even though it's not ready.  It might not be malicious, but could
cause problems due to simple bugginess.  This bug report was motivated by the
recent mistake of the yum RPM signed by the Fedora test key being in
updates-released.  I had the Fedora test key imported and didn't notice the
problem.  It would be nice to be able to import all of Fedora's keys but know
that mistakes such as this would still be flagged.  As it is, I removed the test
key to make sure I notice this type of mistake in the future, and will have to
reinstall it if I ever need to temporarily install a fedora-test package again.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.  Use yum to attempt to install/update a package signed with an imported key
not associated with the repo it's coming from. 
Actual results:
Package gets installed/updated without any indication of the problem.

Expected results:
Mismatched keys should stop the installation/update or at least trigger a warning.
Comment 1 Seth Vidal 2007-12-12 13:20:54 EST
proposed patch:
diff --git a/plugins/priorities/priorities.py b/plugins/priorities/priorities.py
index fd33591..2d6ca5a 100644
--- a/plugins/priorities/priorities.py
+++ b/plugins/priorities/priorities.py
@@ -82,10 +82,11 @@ def config_hook(conduit):
 def exclude_hook(conduit):
     global only_samearch
+    only_samearch = False
     # Check whether the user specified the --samearch option.
     opts, commands = conduit.getCmdLine()
-    if opts.samearch:
+    if opts and opts.samearch:
         only_samearch = True
     cnt = 0
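
Review bot: In exclude_hook, the new unconditional `only_samearch = False` resets a module-level global on every call, so a value assigned elsewhere (config_hook appears in the hunk header) would be silently discarded; if the reset is intended, say so in a comment, otherwise initialise the flag once at module scope. The `if opts and opts.samearch:` guard covers an empty `opts`, but the unchanged `opts, commands = conduit.getCmdLine()` above it still assumes a two-item return, so confirm getCmdLine() cannot return a bare None or guard the unpacking as well.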

Comment 2 Seth Vidal 2007-12-12 13:21:39 EST
Sorry, that last comment was pasted into the wrong bug report.
Ignore, please.
Comment 3 Seth Vidal 2008-03-12 12:04:43 EDT
This is something we will want to do for the future - but not quite ready for, yet.
Comment 4 seth vidal 2008-11-07 15:09:41 EST
As an explanation: when the rpm bindings change to get rid of the rpmdb-based gpg keys we'll make sure this happens.
Comment 5 Bug Zapper 2008-11-26 03:58:23 EST
This message is a reminder that Fedora 8 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 8.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '8'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 8's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 8 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
Comment 6 James Antill 2014-04-28 14:42:19 EDT
Comment#4 is still true, although CA keys added a bunch of infra. to yum. Unlikely the rpm side will change before dnf is the new thing so moving.
Comment 7 Ales Kozumplik 2014-04-29 01:54:45 EDT
The fact that this hasn't escalated enough since 2007 makes me think that the functionality would only increase complexity without adding something that users in general would appreciate. Also the RPM part is not even planned afaik (bugzilla?). Closing as wontfix, will consider reopening if there's more pressure from different directions for this.
Comment 8 Panu Matilainen 2014-04-29 02:52:43 EDT
Just to correct a misunderstanding or two: rpm has supported (and used for signature checking) an in-memory keyring since version 4.6.0, released in 2009. The default keyring is populated from gpg-keys in the rpmdb but you can use your own, custom-populated with whatever keys.

So it should be possible to implement this by creating per-repo keyrings and switching between the ring when checking signatures. Possible but a bit cumbersome as a transaction set is needed (kinda pointlessly) for the signature checking still. Exporting the interface to finally remove that stupid limitation might actually happen in rpm 4.12, but I've been in no hurry with that as yum has insisted with rpm 4.4.x compatibility, which makes using features from newer versions harder than it would otherwise be so I haven't bothered to even try in this case.

Perhaps I should look at doing it with dnf now (regardless of this bug really), there are other benefits like eliminating blocked signals (from open rpmdb) in explicitly utilizing the in-memory keyring.
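
The repo-to-key binding requested in the Description, as an added illustration (not code from yum, dnf or rpm, and not part of any comment above): it reads the issuer key ID from an OpenPGP signature packet and flags a package whose signing key is imported but does not belong to the repo it came from. The key IDs, the sample packets and all function names are constructed for the example; the check assumes rpm has already verified the signature cryptographically, since the issuer field by itself is not authenticated, and the per-repo keyrings described in Comment 8 would instead make the verification itself fail.

```python
import struct

# Constructed 64-bit key IDs (not real Fedora keys), one set per repo.
REPO_KEYS = {"updates-released": {"aaaaaaaaaaaaaaaa"},
             "updates-testing": {"bbbbbbbbbbbbbbbb"}}
IMPORTED = set().union(*REPO_KEYS.values())  # the single shared keyring

def issuer_key_id(pkt):
    """Hex issuer key ID of an OpenPGP v3/v4 signature packet (RFC 4880)."""
    t = pkt[0]
    if t & 0xC0 == 0x80 and t & 3 != 3:        # old-format header
        tag, skip = (t >> 2) & 0x0F, 1 + (1, 2, 4)[t & 3]
    elif t & 0xC0 == 0xC0 and not 224 <= pkt[1] < 255:  # new-format header
        tag, skip = t & 0x3F, 2 if pkt[1] < 192 else 3 if pkt[1] < 224 else 6
    else:
        raise ValueError("unsupported packet header")
    if tag != 2:
        raise ValueError("not a signature packet")
    b = pkt[skip:]
    if b[0] == 3:                              # v3: key ID at a fixed offset
        return b[7:15].hex()
    if b[0] != 4:
        raise ValueError("unsupported signature version")
    pos = 4
    for _ in range(2):                         # hashed area, then unhashed
        pos, end = pos + 2, pos + 2 + struct.unpack_from(">H", b, pos)[0]
        while pos < end:
            n, pos = b[pos], pos + 1           # length counts the type octet
            if 192 <= n < 255:
                n, pos = ((n - 192) << 8) + b[pos] + 192, pos + 1
            elif n == 255:
                n, pos = struct.unpack_from(">I", b, pos)[0], pos + 4
            if n == 0 or pos + n > end:
                raise ValueError("malformed subpacket")
            if b[pos] & 0x7F == 16 and n == 9:  # type 16 = issuer key ID
                return b[pos + 1:pos + 9].hex()
            pos += n
    raise ValueError("no issuer subpacket")

def repo_key_check(repo, pkt):
    """Classify a signature rpm already verified against the shared keyring."""
    kid = issuer_key_id(pkt)
    if kid in REPO_KEYS.get(repo, ()):
        return "ok"
    return "wrong-repo-key" if kid in IMPORTED else "unknown-key"

def sample_sig(kid):  # constructed v4 packet with dummy signature bytes
    body = bytes.fromhex("04000108" "0006" "050247600000" "000a" "0910"
                         + kid + "0000" "0008ff")
    return bytes([0x88, len(body)]) + body
```

A caller should treat any exception from the parser (ValueError, IndexError, struct.error) as a failed check rather than letting the package through.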
