On 11/5/25 5:31 PM, Peter Oliver wrote:
On Wed, 5 Nov 2025, Panu Matilainen wrote:
On 11/3/25 2:39 PM, Florian Weimer wrote:
* Allison King via devel-announce:
== Summary ==
Change the RPM default package verification mode to enforcing signature
checking, to follow the upstream RPM 6.0 default: only packages with a
verified signature can be installed, unless explicitly overridden by
`--nosignature` or the corresponding API.
Does this impact things like dnf install? This is relevant for
activating third-party repositories. For example, the EPEL instructions
currently contain this:
dnf install https://dl.fedoraproject.org/pub/epel/epel-release-latest-10.noarch.rpm
Yes, this will fail unless the key is first imported, or signature
checking explicitly disabled on the command line. For good reasons,
really.
I mean, we are handing root and the keys to our system to a package
downloaded from the internet here. If signatures are skipped, it'll be
checking nothing but the embedded package digests which are trivial to
spoof. What could possibly go wrong?
The argument could be made that if you’re trusting HTTPS to get the key
fingerprints for verification, you may as well trust HTTPS to get the
package containing the keys too.
However, this overlooks the fact that the fingerprints will typically be
on a project’s own website, whereas the package download often redirects
to a random mirror.
HTTPS does not protect you against a package modified on disk. And such
a direct download bypasses all repository-level checksums too.
- Panu -
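To make the point about digests versus signatures concrete, here is an added example (not code from the thread or from RPM itself) that classifies `rpm -Kv` output the way an enforcing verifier would: a package whose digest lines are all OK but which carries no signature line, or whose signature reports NOKEY, is rejected. The verbose line layout and the non-OK status words are assumed from RPM 4.x output; the sample outputs are constructed.

```python
import re
from dataclasses import dataclass, field

# One check line of `rpm -Kv` (RPM 4.x verbose --checksig). The per-file
# summary line and statuses other than OK (NOKEY, BAD, ...) are assumed formats.
CHECK_RE = re.compile(r"^\s*(?P<what>[^:]+?): (?P<status>\S+)\s*$")

@dataclass
class Verdict:
    digests_ok: bool = True
    signatures_ok: bool = True
    signature_count: int = 0
    problems: list = field(default_factory=list)

    @property
    def installable(self) -> bool:
        # Digests alone prove nothing: whoever altered the file on disk or on a
        # mirror can recompute them. Demand >= 1 signature and all of them OK.
        return self.digests_ok and self.signatures_ok and self.signature_count > 0

def assess(checksig_output: str) -> Verdict:
    """Classify rpm -Kv output as an enforcing verifier would."""
    v = Verdict()
    for line in checksig_output.splitlines():
        m = CHECK_RE.match(line)
        if not m:
            continue
        what, status = m.group("what"), m.group("status")
        is_signature = "Signature" in what
        if is_signature:
            v.signature_count += 1
        if status != "OK":
            v.problems.append(f"{what}: {status}")
            if is_signature:
                v.signatures_ok = False
            else:
                v.digests_ok = False
    return v

# Constructed sample outputs (not captured from a real run).
SIGNED_OK = ("    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK\n"
             "    Header SHA256 digest: OK\n    Payload SHA256 digest: OK\n")
UNSIGNED = "    Header SHA256 digest: OK\n    Payload SHA256 digest: OK\n"
NOKEY = SIGNED_OK.replace("0123abcd: OK", "0123abcd: NOKEY")

if __name__ == "__main__":
    for name, out in (("signed", SIGNED_OK), ("unsigned", UNSIGNED), ("nokey", NOKEY)):
        v = assess(out)
        print(name, "installable" if v.installable else "REJECT", v.problems)
```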