On Wed, 5 Nov 2025, Panu Matilainen wrote:
On 11/3/25 2:39 PM, Florian Weimer wrote:
* Allison King via devel-announce:
== Summary ==
Change the RPM default package verification mode to enforcing signature
checking, to follow upstream
RPM 6.0 default:
only packages with a verified signature can be installed, unless
explicitly overridden by `--nosignature` or corresponding API.
Does this impact things like dnf install? This is relevant for
activating third-party repositories. For example, the EPEL instructions
currently contain this:
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
Yes, this will fail unless the key is first imported, or signature checking
explicitly disabled on the command line. For good reasons, really.
I mean, we are handing root and the keys to our system to a package
downloaded from the internet here. If signatures are skipped, it'll be
checking nothing but the embedded package digests which are trivial to spoof.
What could possibly go wrong?
The argument could be made that if you’re trusting HTTPS to get the key
fingerprints for verification, you may as well trust HTTPS to get the package
containing the keys too.
However, this overlooks the fact that the fingerprints will typically be on a
project’s own website, whereas the package download often redirects to a random
mirror.
--
Peter Oliver
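To make the signature-versus-digest distinction above concrete, here is an added example (written for this page, not code from the thread or from rpm itself): a small Python parser that reads an .rpm's lead and signature header and reports whether the package carries an OpenPGP signature tag or only bare digest tags. Tag numbers are those from rpm's rpmtag.h; the sample package bytes are constructed inline and are not a real package.

```python
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"   # first 4 bytes of every .rpm
HEADER_MAGIC = b"\x8e\xad\xe8\x01"     # starts both the signature header and the main header
LEAD_SIZE = 96

# Signature-header tag numbers from rpm's rpmtag.h.
SIGNATURE_TAGS = {267: "DSA", 268: "RSA", 1002: "PGP", 1005: "GPG"}   # OpenPGP signatures
DIGEST_TAGS = {269: "SHA1", 273: "SHA256", 1004: "MD5"}               # bare digests, no key involved


def signature_header_tags(data):
    """Parse the lead and signature header of an .rpm and return the tag numbers present."""
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file: bad lead magic")
    off = LEAD_SIZE
    if data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    index = data[off + 16:off + 16 + 16 * nindex]
    if len(index) != 16 * nindex:
        raise ValueError("truncated signature header index")
    # each index entry is tag, type, offset, count (all big-endian uint32)
    return [struct.unpack(">IIII", index[i:i + 16])[0] for i in range(0, len(index), 16)]


def classify(data):
    """Report what a verifier could check: key-backed signatures vs. recomputable digests."""
    tags = signature_header_tags(data)
    signatures = [SIGNATURE_TAGS[t] for t in tags if t in SIGNATURE_TAGS]
    digests = [DIGEST_TAGS[t] for t in tags if t in DIGEST_TAGS]
    # A signature tag is necessary, not sufficient: rpm still has to verify it against a
    # key imported with `rpm --import`. Digests only show the file was not corrupted in
    # transit; whoever served the file could have recomputed them after changing it.
    return {"signatures": signatures, "digests": digests, "signed": bool(signatures)}


def build_sample(tags):
    """Constructed minimal RPM prefix (lead + signature header) for testing; not a real package."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"sample-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + bytes(16))
    index, payload = b"", b""
    for tag in tags:
        blob = bytes(16)   # dummy tag value; type 7 = BIN
        index += struct.pack(">IIII", tag, 7, len(payload), len(blob))
        payload += blob
    header = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(tags), len(payload)) + index + payload
    return lead + header


if __name__ == "__main__":
    print(classify(build_sample([1000, 273])))        # digests only: all --nosignature would check
    print(classify(build_sample([1000, 273, 268])))   # RSA signature tag present as well
```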
--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue