
Thread: YaST2 / rpm signature verification

  1. #1

    YaST2 / rpm signature verification

    Hi there,
    as we all know, when adding a YaST repo a GPG key is being added.
    I'd like to know, what does YaST2 do, if verifying an rpm signature fails? Does it still install the rpm or does it refuse to install the rpm?

  2. #2

    Re: YaST2 / rpm signature verification

    Originally posted by pinguin74:
        Hi there,
        as we all know, when adding a YaST repo a GPG key is being added.
        I'd like to know, what does YaST2 do, if verifying an rpm signature fails? Does it still install the rpm or does it refuse to install the rpm?

    As you describe,
    a GPG check is done when adding a repo.
    Ordinarily a GPG check is not done per package.

    TSU
    Beginner Wiki Quickstart - https://en.opensuse.org/User:Tsu2/Quickstart_Wiki
    Solved a problem recently? Create a wiki page for future personal reference!
    Learn something new?
    Attended a computing event?
    Post and Share!

  3. #3

    Re: YaST2 / rpm signature verification

    WTF!?
    What is a repo key any good for if it's not used!?
    This seriously hurts my assumptions regarding Linux security, I thought (hoped...) rpm signatures provide a strong protection against malicious code infiltration. AFAIK even MS checks its update signatures....
    Does YaST provide any means to change that to mandatory checking of rpm signatures?

  4. #4

    Re: YaST2 / rpm signature verification

    note to self: learn zypper

    OK, this is a zypper issue, right? IIRC, YaST2 now uses libzypp as backend?
    I looked at /etc/zypp/zypp.conf and have added the following:

    gpgcheck=1
    repo_gpgcheck=1
    pkg_gpgcheck=1

    If YaST2 now uses libzypp, I think these options should be recognized, right?
    I read, gpgcheck=1 is the default, though I don't know what exactly this option does. Does it only check the integrity of a repo? But not all files contained in an rpm package?

  5. #5

    Re: YaST2 / rpm signature verification

    Originally posted by pinguin74:
        If YaST2 now uses libzypp, I think these options should be recognized, right?
        I read, gpgcheck=1 is the default, though I don't know what exactly this option does. Does it only check the integrity of a repo? But not all files contained in an rpm package?

    pkg_gpgcheck=1

    is a per repo setting so you'll have to add it to the .repo files in /etc/zypp/repos.d/*.repo
    .: miuku #suse @ irc.freenode.net
    :: miuku@opensuse.org

    .: https://download.opensuse.org/repositories/home:/Miuku/

  6. #6

    Re: YaST2 / rpm signature verification

    Originally posted by Miuku:
        pkg_gpgcheck=1 is a per repo setting (...)

    Thanks for this hint.
    I guess (hope) the *.repo files will not be touched if metadata like repomd.xml needs to be updated....

  7. #7

    Re: YaST2 / rpm signature verification

    IMO
    Whenever you decide to connect to, and possibly download a file from anywhere (not just a repo), you're dealing with a "chain of trust."
    That means that you don't have to authenticate every individual intermediate step along the way; when you authenticate to a proper authenticator that itself is configured to grant permissions or provide authenticity to other objects (e.g. services, systems, components, etc.), then you're considered safe.

    In fact, this is also often seen in Enterprise architectures and is often referred to as "Single Sign-on", i.e. the idea that you only have to log on once (typically when you log on to a machine which is a member of the network) and are then immediately granted permission to a variety of things in that network... like Network Shares on different machines, access to the Internet through a firewall that requires authentication, mail services, etc.

    In the same way,
    once you trust a particular repo, the implication is that any individual package that comes from that repo is a trusted package, so you don't have to re-check the authenticity and trustworthiness of each individual package.

    Note that authenticity is not the same as integrity, so for instance it's still useful to do a hash comparison of the downloaded file to detect the possibility of file corruption, file substitution by something like a MIM attack, etc.

    TSU

  8. #8

    Re: YaST2 / rpm signature verification

    Originally posted by pinguin74:
        Thanks for this hint.
        I guess (hope) the *.repo files will not be touched if metadata like repomd.xml needs to be updated....

    The .repo files will remain untouched unless you modify them by hand or remove / re-add them with zypper.

    Something like:
    Code:
    # Set pkg_gpgcheck=1 where the key is present; otherwise append it as the last line of each file
    sed -i -e '/pkg_gpgcheck=/{s/.*/pkg_gpgcheck=1/;:a;n;ba;q}' -e '$apkg_gpgcheck=1' /etc/zypp/repos.d/*.repo
    Will check if all files in /etc/zypp/repos.d/ have pkg_gpgcheck enabled (if a file already has it enabled, it does nothing) but will add it to the end if it doesn't.

    You could probably do the same with awk but I like sed
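
An added example, not part of the thread: an edit that touches one line per file, like the sed command above, leaves the option set in at most one place, so a .repo file holding more than one [section] needs a per-section check afterwards. The function names `audit_pkg_gpgcheck` and `make_sample` and the sample files are made up for illustration, and only the literal value 1 is treated as enabled, as written in the thread.

```shell
#!/bin/sh
# List every [section] in DIR/*.repo that does not set pkg_gpgcheck=1.
# Prints "file<TAB>section<TAB>value"; exit status is 1 if anything is listed.
# Assumption: only the literal value 1 counts as enabled, as used in the thread.
audit_pkg_gpgcheck() {
    awk '
        function report() {
            if (section != "" && val != "1") {
                printf "%s\t%s\t%s\n", file, section, (val == "" ? "unset" : val)
                bad = 1
            }
        }
        FNR == 1 { report(); section = ""; val = ""; file = FILENAME }
        /^[ \t]*[#;]/ { next }                    # comment line
        /^[ \t]*\[.*\][ \t]*$/ {                  # start of a repo section
            report()
            section = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", section)
            val = ""
            next
        }
        /^[ \t]*pkg_gpgcheck[ \t]*=/ {            # remember the value seen
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
        }
        END { report(); exit bad + 0 }
    ' "$1"/*.repo
}

# Constructed sample directory (not real repositories): one file with two
# sections where only the first sets the option, one file that disables it.
make_sample() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[repo-a]' 'gpgcheck=1' 'pkg_gpgcheck=1' '' \
                  '[repo-b]' 'gpgcheck=1' > "$d/multi.repo"
    printf '%s\n' '[repo-c]' 'pkg_gpgcheck=0' > "$d/off.repo"
    echo "$d"
}

sample=$(make_sample)
audit_pkg_gpgcheck "$sample" || echo "listed sections do not enforce pkg_gpgcheck=1"
rm -rf "$sample"
```

Pointed at /etc/zypp/repos.d after the .repo files have been edited, a clean run prints nothing and returns 0.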

  9. #9

    Re: YaST2 / rpm signature verification

    Originally posted by Miuku:
        You could probably do the same with awk but I like sed

    Awk! -sed the newcomer.
    -Gerry Makaro
    Fraser-Bell Info Tech
    Solving Tech Mysteries since the Olden Days!
    ~~
    If I helped you, consider clicking the Star at the bottom left of my post.

  10. #10

    Re: YaST2 / rpm signature verification

    Originally posted by pinguin74:
        Hi there,
        as we all know, when adding a YaST repo a GPG key is being added.
        I'd like to know, what does YaST2 do, if verifying an rpm signature fails? Does it still install the rpm or does it refuse to install the rpm?

    Here's my understanding, which could be wrong.

    First metadata about the repo is downloaded. A gpg signature is checked on that. If that fails, you get some sort of warning.

    The metadata contains checksums for each rpm. When an rpm is downloaded, that checksum is verified. If that fails, you are warned and the default is to reject that rpm. I don't think the gpg signature on the rpm is checked in this case.

    For a repo without signed metadata, the gpg signature on each package is checked, and you are warned of a mismatch, with the default being to reject that package.

    In any case, there seem to be adequate checks. And I have occasionally run into warnings, usually because of a bad mirror. When I see a warning, I abort the update and try again a few hours later. And that usually works.
    openSUSE Leap 15.1; KDE Plasma 5;
    testing Leap 15.2Alpha
