On 11/3/25 2:39 PM, Florian Weimer wrote:
* Allison King via devel-announce:
== Summary ==
Change the RPM default package verification mode to enforcing signature
checking, to follow upstream RPM 6.0 default: only packages with a verified
signature can be installed, unless explicitly overridden by `--nosignature`
or corresponding API.
Does this impact things like dnf install? This is relevant for
activating third-party repositories. For example, the EPEL instructions
currently contain this:
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
Yes, this will fail unless the key is first imported, or signature
checking explicitly disabled on the command line. For good reasons, really.
I mean, we are handing root and the keys to our system to a package
downloaded from the internet here. If signatures are skipped, it'll be
checking nothing but the embedded package digests which are trivial to
spoof. What could possibly go wrong?
I think we need something equally convenient to enroll the new signing
key at the same time. It won't be Fedora's.
It needs to be convenient, yes, but it can't be *all* about
convenience. The existing practice is rather dangerous.
rpmfusion.org at least has a whole detailed section about verifying and
importing keys prominently on their front page, in EPEL docs you need to
know to look for it. Hmm, rpmfusion also points us to the fact that
their keys (along with EPEL and other distros) are available from the
distribution-gpg-keys package, which is Fedora signed.
So basically EPEL enablement would be
# dnf install distribution-gpg-keys
# rpmkeys --import /usr/share/distribution-gpg-keys/epel/RPM-GPG-KEY-EPEL-10
# dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
- Panu -
--
_______________________________________________
devel mailing list -- [email protected]
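The three-step EPEL enablement from Panu's message, turned into an added example script. This is not code from the thread, from Fedora or from the EPEL project. The key path and the epel-release URL are the ones quoted above; everything else is assumed: that the host has dnf, rpmkeys, curl and mktemp, and that `rpmkeys --checksig` prints a one-line summary in the rpm 4.x shape (passed checks in lowercase, failed ones in UPPERCASE, and no "signatures" word at all for an unsigned package, which then still exits 0). Check that shape against the rpm 6 build you actually run before relying on the verdict function; the sample lines in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from Fedora/EPEL: enable EPEL on a host
# whose rpm enforces signature checking, enrolling the EPEL key from the
# Fedora-signed distribution-gpg-keys package instead of a key fetched from the
# same untrusted place as the package. Key path and URL are the ones quoted in
# the thread; the rpmkeys output format below is assumed from rpm 4.x.
set -eu

EPEL_KEY=/usr/share/distribution-gpg-keys/epel/RPM-GPG-KEY-EPEL-10
EPEL_RELEASE_URL=https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm

# Classify the one-line summary printed by `rpmkeys --checksig PKG`, e.g.
# (constructed samples)
#   epel-release-latest-10.noarch.rpm: digests signatures OK       -> verified
#   epel-release-latest-10.noarch.rpm: digests OK                  -> unsigned
#   epel-release-latest-10.noarch.rpm: digests SIGNATURES NOT OK   -> failed
# rpm lists each check it ran, lowercase when it passed and UPPERCASE when it
# failed, and leaves "signatures" out entirely when the package carries none.
# An unsigned package therefore prints "digests OK" *and* exits 0, so neither
# the exit status nor a grep for "OK" distinguishes it from a verified one.
# Returns 0 = signed and verified, 1 = unsigned (digest-only), 2 = failed.
checksig_verdict() {
    case "$1" in
        *": digests signatures OK") return 0 ;;
        *": digests OK")            return 1 ;;
        *)                          return 2 ;;
    esac
}

# Run the check on a local .rpm and print the decision; succeeds only for a
# package signed by a key already enrolled in the rpm keyring.
verify_rpm() {
    summary=$(rpmkeys --checksig "$1" || true)   # keep the summary on failure
    rc=0
    checksig_verdict "$summary" || rc=$?
    case $rc in
        0) echo "ok: $summary" ;;
        1) echo "refusing unsigned package: $summary" >&2 ;;
        2) echo "refusing package that failed verification: $summary" >&2 ;;
    esac
    return $rc
}

enable_epel() {
    # 1. The key material arrives in a package Fedora itself signed, so the
    #    trust chain starts at keys already on the system.
    dnf install -y distribution-gpg-keys
    # 2. Enroll the EPEL key; importing an already-present key is harmless.
    rpmkeys --import "$EPEL_KEY"
    # 3. Fetch epel-release, check it against the enrolled keys, then install.
    #    Never reach for --nosignature here: that downgrades the check to the
    #    embedded digests, which anyone who can alter the file can recompute.
    tmp=$(mktemp -d)
    trap 'rm -rf "$tmp"' EXIT
    curl -fsSL -o "$tmp/epel-release.rpm" "$EPEL_RELEASE_URL"
    verify_rpm "$tmp/epel-release.rpm"
    dnf install -y "$tmp/epel-release.rpm"
}

# Only act when explicitly asked (ENABLE_EPEL=1 sh ./enable-epel.sh), so that
# sourcing the file merely defines the functions.
if [ "${ENABLE_EPEL:-0}" = 1 ]; then
    enable_epel
fi
```

With the enforcing default described in the change proposal, the final `dnf install` would refuse an unverifiable package on its own; the explicit `verify_rpm` step exists so the script fails with a verdict that says which of the three cases it hit, and so that it still refuses a digest-only package on a host where someone has relaxed the rpm default.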