Hi there,
as we all know, when adding a YaST repo a GPG key is being added.
I'd like to know: what does YaST2 do if verifying an rpm signature fails? Does it still install the rpm, or does it refuse to install the rpm?
As you describe,
A GPG check is done when adding a repo.
Ordinarily a GPG check is not done per package.
TSU
WTF!?
What is a repo key any good for if it's not used!?
This seriously hurts my assumptions regarding Linux security. I thought (hoped…) rpm signatures provide strong protection against malicious code infiltration. AFAIK even MS checks its updates' signatures…
Does YaST provide any means to change that to mandatory checking rpm signatures?
note to self: learn zypper
OK, this is a zypper issue, right? IIRC, YaST2 now uses libzypp as its backend?
I looked at /etc/zypp/zypp.conf and have added the following:

gpgcheck=1
repo_gpgcheck=1
pkg_gpgcheck=1

If YaST2 now uses libzypp, I think these options should be recognized, right?
I read that gpgcheck=1 is the default, though I don't know what exactly this option does: does it only check the integrity of a repo, but not all files contained in an rpm package?
pkg_gpgcheck=1
is a per-repo setting, so you'll have to add it to the .repo files in /etc/zypp/repos.d/*.repo
Thanks for this hint.
I guess (hope) the *.repo files will not be touched if metadata like repomd.xml needs to be updated…
IMO
Whenever you decide to connect to, and possibly download a file from anywhere (not just a repo), you’re dealing with a “chain of trust.”
That means that you don't have to authenticate every individual intermediate step along the way; when you authenticate to a proper authenticator that is itself configured to grant permissions or provide authenticity to other objects (e.g. services, systems, components, etc.), then you're considered safe.
In fact, this is also often seen in enterprise architectures and is often referred to as "Single Sign-on", i.e. the idea that you only have to log on once (typically when you log on to a machine which is a member of the network) and are then immediately granted permission to a variety of things in that network, like network shares on different machines, access to the Internet through a firewall that requires authentication, mail services, etc.
In the same way,
Once you trust a particular repo, the implication is that any individual package that comes from that repo is a trusted package, so you don't have to re-check the authenticity and trustworthiness of each individual package.
Note that authenticity is not the same as integrity, so for instance it’s still useful to do a hash comparison of the downloaded file to detect the possibility of file corruption, file substitution by something like a MIM attack, etc.
TSU
The .repo files will remain untouched unless you modify them by hand or remove / re-add them with zypper.
Something like:
sed -i -e '/pkg_gpgcheck=/{s/.*/pkg_gpgcheck=1/;:a;n;ba;q}' -e '$apkg_gpgcheck=1' /etc/zypp/repos.d/*.repo
will check whether all files in /etc/zypp/repos.d/ have pkg_gpgcheck enabled (if a file already has it enabled, it does nothing) and will add it to the end of any file that doesn't. (The loop is ":a;n;ba", not ":a;n;:ba", and the append must be anchored to the last line with "$a", otherwise the line would be appended after every line of every file.)
You could probably do the same with awk but I like sed
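An added example (not from the thread, and not an openSUSE tool) that does the same job as the sed one-liner above but also copes with .repo files holding several [sections] and with duplicate or commented-out pkg_gpgcheck lines, then audits the result. The sample .repo files, their example.invalid URLs and the function names are constructed for the demonstration; point the functions at /etc/zypp/repos.d (as root, after a backup) to use them for real.

```shell
#!/bin/sh
# Added example, not from the thread: enforce pkg_gpgcheck=1 in every
# [section] of every .repo file under a directory, and audit the result.
# It goes beyond the one-line sed in that it handles .repo files with
# several sections and drops duplicate/commented pkg_gpgcheck lines.
# Assumes POSIX sh, awk and mktemp. The sample .repo contents are constructed
# (example.invalid URLs), not real openSUSE repositories.

# audit_pkg_gpgcheck DIR: print "FILE [section]" for every section that lacks
# an exact "pkg_gpgcheck=1" line; returns 1 if any were found, else 0.
audit_pkg_gpgcheck() {
    bad=0
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        out=$(awk -v file="$f" '
            function flush() { if (sec != "" && !ok) print file, sec }
            /^[ \t]*\[/ { flush(); sec = $0; ok = 0; next }
            /^[ \t]*pkg_gpgcheck[ \t]*=[ \t]*1[ \t]*$/ { ok = 1 }
            END { flush() }
        ' "$f")
        if [ -n "$out" ]; then printf '%s\n' "$out"; bad=1; fi
    done
    return $bad
}

# enforce_pkg_gpgcheck DIR: rewrite each DIR/*.repo in place so every section
# carries exactly one "pkg_gpgcheck=1" line (existing 0/commented lines are
# replaced, a missing line is appended at the end of its section).
enforce_pkg_gpgcheck() {
    for f in "$1"/*.repo; do
        [ -e "$f" ] || continue
        tmp=$(mktemp) || return 1
        awk '
            function flush() { if (insec && !seen) print "pkg_gpgcheck=1" }
            /^[ \t]*\[/ { flush(); insec = 1; seen = 0; print; next }
            /^[ \t]*#?[ \t]*pkg_gpgcheck[ \t]*=/ {
                if (seen) next                 # drop a duplicate
                seen = 1; print "pkg_gpgcheck=1"; next
            }
            { print }
            END { flush() }
        ' "$f" > "$tmp" && cat "$tmp" > "$f"   # cat keeps the file's mode/owner
        rm -f "$tmp"
    done
}

# make_sample_repos DIR: constructed .repo files covering the cases above.
make_sample_repos() {
    cat > "$1/plain.repo" <<'EOF'
[repo-oss]
name=Constructed OSS repo (no pkg_gpgcheck line at all)
enabled=1
baseurl=https://repo.example.invalid/oss/
gpgcheck=1
EOF
    cat > "$1/off.repo" <<'EOF'
[repo-extra]
name=Constructed repo with the check switched off and a commented copy
enabled=1
baseurl=https://repo.example.invalid/extra/
# pkg_gpgcheck=1
pkg_gpgcheck=0
EOF
    cat > "$1/multi.repo" <<'EOF'
[repo-a]
name=Constructed first section (already correct)
baseurl=https://repo.example.invalid/a/
pkg_gpgcheck=1

[repo-b]
name=Constructed second section (missing the setting)
baseurl=https://repo.example.invalid/b/
EOF
}

# Demo on a scratch copy of the constructed files.
demo_dir=$(mktemp -d)
make_sample_repos "$demo_dir"
echo "sections without pkg_gpgcheck=1 before:"
audit_pkg_gpgcheck "$demo_dir" || true
enforce_pkg_gpgcheck "$demo_dir"
audit_pkg_gpgcheck "$demo_dir" && echo "after: every section has pkg_gpgcheck=1"
rm -rf "$demo_dir"
```

The audit function is the part worth keeping around: run it before and after an update to catch a repo that was re-added (by YaST or zypper) without the setting.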
Awk! -sed the newcomer.
Here’s my understanding, which could be wrong.
First metadata about the repo is downloaded. A gpg signature is checked on that. If that fails, you get some sort of warning.
The metadata contains checksums for each rpm. When an rpm is downloaded, that checksum is verified. If that fails, you are warned and the default is to reject that rpm. I don’t think the gpg signature on the rpm is checked in this case.
For a repo without signed metadata, the gpg signature on each package is checked, and you are warned of a mismatch, with the default being to reject that package.
In any case, there seem to be adequate checks. And I have occasionally run into warnings, usually because of a bad mirror. When I see a warning, I abort the update and try again a few hours later. And that usually works.
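The checksum stage of the sequence described in that post, replayed on constructed data as an added example (not code from the thread or from libzypp): a publisher records sha256 digests in a primary.xml-style listing, and the client re-hashes each downloaded file against it, rejecting a tampered or unlisted package. The signature check on the metadata itself (repomd.xml.asc) is not reproduced; the file layout, names and helper functions are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: the checksum stage of the chain
# described above, replayed on constructed data. A "publisher" step records
# the sha256 of each package in a primary.xml-style listing (the part of the
# repo metadata that carries per-package checksums); the "client" step
# re-hashes a downloaded file and rejects it on mismatch or when it is not
# listed at all. The signature check on the metadata itself (repomd.xml.asc)
# is not reproduced here. Assumes POSIX sh, awk and sha256sum or shasum.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
    else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# publish_metadata DIR: write DIR/primary.xml listing every DIR/*.rpm with
# its sha256 (what the repo side does when it builds the metadata).
publish_metadata() {
    {
        echo '<metadata>'
        for p in "$1"/*.rpm; do
            [ -e "$p" ] || continue
            printf '  <package><location href="%s"/><checksum type="sha256">%s</checksum></package>\n' \
                "$(basename "$p")" "$(sha256_of "$p")"
        done
        echo '</metadata>'
    } > "$1/primary.xml"
}

# expected_sha256 METADATA NAME: print the digest recorded for package NAME,
# nothing if NAME is not listed.
expected_sha256() {
    awk -v name="$2" '
        index($0, "href=\"" name "\"") && match($0, /<checksum type="sha256">[0-9a-f]*</) {
            s = substr($0, RSTART, RLENGTH)
            sub(/^.*>/, "", s); sub(/<$/, "", s)
            print s
        }' "$1"
}

# verify_package METADATA FILE: 0 = digest matches, 1 = mismatch (corrupt or
# substituted file), 2 = not listed in the metadata at all.
verify_package() {
    name=$(basename "$2")
    want=$(expected_sha256 "$1" "$name")
    if [ -z "$want" ]; then
        echo "REJECT $name: not listed in metadata" >&2; return 2
    fi
    got=$(sha256_of "$2")
    if [ "$got" = "$want" ]; then
        echo "OK     $name ($got)"; return 0
    fi
    echo "REJECT $name: sha256 $got does not match metadata $want" >&2
    return 1
}

# Demo: build a tiny "repo" and a "mirror" that serves a tampered copy.
repo=$(mktemp -d); mirror=$(mktemp -d)
printf 'constructed package body, not a real rpm\n' > "$repo/hello.rpm"
publish_metadata "$repo"
cp "$repo/hello.rpm" "$mirror/hello.rpm"
verify_package "$repo/primary.xml" "$mirror/hello.rpm"             # OK
printf 'extra bytes from a bad mirror\n' >> "$mirror/hello.rpm"
verify_package "$repo/primary.xml" "$mirror/hello.rpm" || true     # REJECT: mismatch
: > "$mirror/unlisted.rpm"
verify_package "$repo/primary.xml" "$mirror/unlisted.rpm" || true  # REJECT: not listed
rm -rf "$repo" "$mirror"
```

The point of the two return codes is the one made above: a digest mismatch is exactly what a corrupt or substituted file from a bad mirror looks like, and it is only trustworthy because the listing that carries the digests is itself covered by the repo key's signature.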