Feature request: provide signed repomd.xml files (repomd.xml.asc)

umair (umair) 2017-09-06 22:28:37 UTC #1

Nethserver repos do not provide signed repomd.xml files (repomd.xml.asc). and leaves users vulnerable to man in the middle attacks.

it would be nice if

Nethserver repos should provide repomd.xml.asc files
Nethserver should ship its repo files with repo_gpgcheck=1 by default

giacomo (Giacomo Sanchietti) 2017-09-07 07:18:57 UTC #2

It seems even upstream doesn’t fully support it:
https://bugzilla.redhat.com/show_bug.cgi?id=1360939

I also found this (old) post which explains potential problems:

Also I can’t understand how a MITM is possible: even if repomd.xml is compromised, all RPMs are GPG signed and the verification is enabled by default.
Yes, you could get a tempered metadata file, but RPMs will be the good ones.

umair (umair) 2017-09-07 17:29:45 UTC #3

following article explain the man-in-the-middle scenarios for package manager.

https://lwn.net/Articles/327847/

usually people use yum-fast-mirror plugin which automatically select fastest mirror (which could be compromised one)

Both RHEL-7/CentOS-7 contain repomd.xml.asc, you can check RHEL repo or any CentOS mirror.

However the EPEL repository doesn’t repomd.xml.asc. But for EPEL one can use
the official mirror https://dl.fedoraproject.org/pub/epel/7/x86_64/

giacomo (Giacomo Sanchietti) 2017-09-08 07:38:10 UTC #4

Thank you for the clarification, it worth reading!

We could add the repomd.xml.asc file, but I’d rather don’t like enabling repo_gpgcheck option to avoid unexpected behavior.

What do you think @davidep and @filippo_carletti?

filippo_carletti (Filippo Carletti) 2017-09-13 16:51:35 UTC #5

I would start adding the repomd.xml.asc file and then ask some expert users to enable checks (repo_gpgcheck=1).
If no problems arise, we can release an update.