On Tue, Oct 31, 2023 at 11:57 AM Petr Pisar <ppi...@redhat.com> wrote:
>
> V Tue, Oct 31, 2023 at 04:32:09PM +0100, Fabio Valentini napsal(a):
> > On Tue, Oct 31, 2023 at 4:24 PM Petr Pisar <ppi...@redhat.com> wrote:
> > >
> > > Hello,
> > >
> > > DNF5 got a complaint
> > > <https://github.com/rpm-software-management/dnf5/issues/991> that "dnf update https://..." skips verifying package signatures:
> > >
> > >     $ sudo dnf update https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/x86_64/gnome-control-center-45.1-2.fc40.x86_64.rpm https://kojipkgs.fedoraproject.org//packages/gnome-control-center/45.1/2.fc40/data/signed/a15b79cc/noarch/gnome-control-center-filesystem-45.1-2.fc40.noarch.rpm
> > >     [...]
> > >     Warning: skipped PGP checks for 2 package(s).
> > >
> > > A DNF5 developer confirmed that old DNF4 does not verify signatures either.
> > > The verification happens only for packages coming from a repository. Why DNF5
> > > looks bad is because it actually prints the warning and thus keeps the user
> > > better informed.
> > >
> > > The nonchecking behavior probably exists to make installing local packages
> > > easy. If DNF5 would insist on checking the signatures, Fedora users would have
> > > to pass --no-gpgchecks option to their "dnf5" commands to override the new
> > > default, or start signing their packages. As always security is not easy.
> > >
> > > Because this is an old behavior and some users probably depend on it, enabling
> > > the verification for all cases looks like an abrupt change.
> > >
> > > I would like to hear your opinion: Should DNF5 start verifying all
> > > packages? Should DNF5 keep ignoring signatures for out-of-repository packages?
> > > Or should it rather narrow the verification skip to packages from a local file
> > > system? Any other options?
> >
> > I wonder - how would DNF (4 or 5 doesn't matter) know how to check that at all?
> > I mean, if the package isn't associated with a repository (like
> > installing an RPM directly), which GPG key should it even be checked
> > against?
> >
> Against any key already existing in an RPM database (rpm -qa | grep gpg-pubkey).

Does DNF use the repository to verify GPG sigs now? If so, that seems
weird. I would assume they just check against the existing keys in the
RPM database, like Petr said.

I'm actually a bit concerned about this thread, because I assumed DNF4
and DNF5 would check signatures by default today, and that it would
only skip if `--nogpgcheck` was passed as an option. If it sometimes
skips the GPG check without that flag, that seems like a serious
security bug to me. I would expect the same level of signature
verification for both `dnf install mypackage` and `wget mypackage.rpm
&& dnf localinstall mypackage.rpm`.

After all, there is no documented flag to force a GPG signature check,
only the flag to omit the check (`--nogpgcheck`). So, users really
have to rely on the default behavior of always checking GPG signatures
if they want DNF to check them. If DNF is not doing that, that's
really bad, because there's no way for users to force it to check
them.

>
> -- Petr
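Since the thread notes there is no flag to force the check for a downloaded or local .rpm, here is an added example (not from the thread or from the dnf project) of doing that check by hand with `rpm -K` before handing the file to dnf. It assumes the rpm 4.14+ output format, where a package whose signature verified against a key already imported into the RPM database prints `<file>: digests signatures OK`.

```sh
#!/bin/sh
# Added example: gate "dnf install ./foo.rpm" on a manual rpm -K signature check.
# Assumption: rpm >= 4.14 output. A verified signature prints
#   "foo.rpm: digests signatures OK"; an unsigned package prints only
#   "foo.rpm: digests OK"; a signature by a key that is not in the RPM
#   database prints "foo.rpm: digests SIGNATURES NOT OK".
set -e

# Return 0 only when one rpm -K output line reports a verified signature.
# The match is case-sensitive, so the uppercase "SIGNATURES NOT OK" form
# and the signature-less "digests OK" form are both rejected.
sig_line_ok() {
    case "$1" in
        *"digests signatures OK") return 0 ;;
        *) return 1 ;;
    esac
}

# Run rpm -K on one file and parse the result; never trust rpm's exit
# status alone, since older versions returned 0 for unsigned packages.
verify_rpm() {
    out=$(rpm -K "$1" 2>&1) || true
    if sig_line_ok "$out"; then
        echo "verified: $1"
        return 0
    fi
    echo "REFUSING $1: $out" >&2
    return 1
}

# Verify every argument first, then install them all in one transaction.
# Usage (after sourcing this file): install_verified ./foo.rpm ./bar.rpm
install_verified() {
    for f in "$@"; do
        verify_rpm "$f" || return 1
    done
    sudo dnf install "$@"
}
```

Keys already trusted by the system are the ones listed by `rpm -qa gpg-pubkey`, so a package signed by any other key is refused rather than silently installed.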
_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
