Feature request: provide signed repomd.xml files (repomd.xml.asc)

Nethserver repos do not provide signed repomd.xml files (repomd.xml.asc), which leaves users vulnerable to man-in-the-middle attacks.

It would be nice if:

  1. Nethserver repos should provide repomd.xml.asc files
  2. Nethserver should ship its repo files with repo_gpgcheck=1 by default

It seems even upstream doesn’t fully support it:
https://bugzilla.redhat.com/show_bug.cgi?id=1360939

I also found this (old) post which explains potential problems:

Also I can’t understand how a MITM is possible: even if repomd.xml is compromised, all RPMs are GPG signed and the verification is enabled by default.
Yes, you could get a tampered metadata file, but the RPMs will be the good ones.

The following article explains the man-in-the-middle scenarios for package managers.

https://lwn.net/Articles/327847/

Usually people use the yum-fast-mirror plugin, which automatically selects the fastest mirror (which could be a compromised one).

Both RHEL-7/CentOS-7 contain repomd.xml.asc, you can check RHEL repo or any CentOS mirror.

However, the EPEL repository doesn’t have repomd.xml.asc. But for EPEL one can use
the official mirror https://dl.fedoraproject.org/pub/epel/7/x86_64/

1 Like

Thank you for the clarification, it’s worth reading!

We could add the repomd.xml.asc file, but I’d rather not enable the repo_gpgcheck option, to avoid unexpected behavior.

What do you think @davidep and @filippo_carletti?

1 Like

I would start adding the repomd.xml.asc file and then ask some expert users to enable checks (repo_gpgcheck=1).
If no problems arise, we can release an update.

B U M P

Would be nice to have this starting from NethServer 7.6

More info

It’d be nice to update the wiki as well with (current) instructions on how to do this for third-party repo maintainers. I see the four-year-old blog post, but in two major releases of RHEL/CentOS, I’d suspect things may have changed a bit.

The NethServer repositories now have the repomd.xml.asc file.

I need a solution to enable the signature check for 7.6 automatically. If that is not possible, we’ll document how to do it manually in 7.6 Release Notes.

1 Like

Trying to figure this out by myself has led me to the blog post already cited above, as well as this (even older, I think) page:
http://www.peterscheie.com/unix/automating_signing_with_GPG.html

gpg2 has changed some of the details, but I’ve got an unprotected DSA (signing-only) key created, loaded onto my repo server, and scripted to sign repomd.xml every time it’s updated. Updating the wiki is easy enough to do myself, of course.

But before I’d do that I’m wondering if this is the best way to go. The DSA key can only be used for signing, not decryption. And of course it’s readable only by root. But it’s still sitting on an Internet-facing server with no passphrase protection. I don’t really like this, but I’m having trouble seeing another way to automate signing the repomd.xml file. Thoughts?

I’d think that updating the NethServer.repo file in the relevant RPM would do this, but it seems that the new file has gone in as .rpmnew, so the repo check (or, for that matter, the package check) aren’t yet active.

2 Likes
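As an added example (not code from this thread or from NethServer), a small Python audit that reads yum .repo definitions, flags enabled repos that still skip the repomd.xml signature check, rewrites them with repo_gpgcheck=1, and lists .repo files whose packaged update landed as .repo.rpmnew, the situation described in the post above. The repo ids and URLs in the embedded sample are constructed.

```python
"""Audit yum .repo files for metadata-signature checking (repo_gpgcheck=1)."""
import configparser
import io

# Constructed sample: first repo verifies RPM signatures but not repomd.xml.
SAMPLE_REPO = """\
[nethserver-base]
baseurl=http://mirror.example.invalid/nethserver/7/base
enabled=1
gpgcheck=1

[third-party]
baseurl=http://mirror.example.invalid/third-party
enabled=1
gpgcheck=1
repo_gpgcheck=1
"""

def parse_repos(text):
    """Parse .repo text (INI syntax) into {repo_id: {option: value}}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    return {rid: dict(cp[rid]) for rid in cp.sections()}

def audit(repos):
    """(repo_id, finding) for enabled repos skipping a check; absent means off."""
    findings = []
    for rid, opts in repos.items():
        if opts.get("enabled", "1") != "1":
            continue
        if opts.get("gpgcheck") != "1":
            findings.append((rid, "gpgcheck!=1: RPM signatures not verified"))
        if opts.get("repo_gpgcheck") != "1":
            findings.append((rid, "repo_gpgcheck!=1: repomd.xml not verified"))
    return findings

def harden(text):
    """Return the .repo text with repo_gpgcheck=1 set in every section."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    for rid in cp.sections():
        cp.set(rid, "repo_gpgcheck", "1")
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)
    return buf.getvalue()

def unapplied_rpmnew(names):
    """From /etc/yum.repos.d names, list .repo files shadowed by a .repo.rpmnew."""
    names = set(names)
    return sorted(n for n in names if n.endswith(".repo") and n + ".rpmnew" in names)
```

Point audit(parse_repos(...)) at the contents of each file in /etc/yum.repos.d and unapplied_rpmnew at os.listdir of that directory to check a live host; a repo that only becomes clean after harden() is one that still trusts unsigned metadata.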