On 7/31/19 11:09 AM, Florian Weimer wrote:
> * Jason L. Tibbitts, III:
> 
>>>>>>> "FW" == Florian Weimer <fwei...@redhat.com> writes:
>>
>> FW> At one point, there was a verified hash chain from the https://
>> FW> metalink service, to the repository metadata, down to individual
>> FW> packages.  Any tampering was detected then.
>>
>> I understand that the metalink contains enough information to verify the
>> returned repomd.xml files, but I guess I don't really know if there's
>> enough data to chase that down to the checksum of every file that's ever
>> expected to be on a mirror.
> 
> repomd.xml has hashes for primary.xml etc., and primary.xml contains
> digests of the RPM files.  In theory, it can all be checked.

Yes, it's all checked and if tampered with would fail.

You get the metalink via https from our mirrorlist containers running on
our proxies. This metalink contains a list of mirrors and the checksums
for the repomd.xml file that is valid. You go to one of those mirrors. If
repomd.xml was tampered with, dnf will call it broken and move on. If
someone tampers with packages, they would not match the other checksums
in the repomd.xml and would be treated as corrupt.

If you are using metalink and not mirrorlist or pointing directly to a
mirror, you should be safe.

> At one point, RPM wrote unchecked file contents to disk, leading to
> vulnerabilities such as CVE-2013-6435.  At the time, it was not possible
> to teach RPM to verify the data before writing it.
> 
>> If it is, then great, though signatures still have value because there
>> are other ways to get RPMs than letting dnf hit the mirror network.
> 
> I think dnf only performs signature checking if the RPMs are downloaded
> from repositories.

Yep. I am pretty sure that is the case.

kevin
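The hash chain described in this thread (https metalink -> repomd.xml -> primary.xml -> individual RPMs), walked end to end as an added example that is not code from dnf, librepo or the Fedora infrastructure. It builds a constructed in-memory "mirror" with the same element layout and XML namespaces Fedora's metalink and createrepo metadata use (those namespaces, the file names and the fake RPM bytes are assumptions for the example; a real repo stores primary.xml gzipped and lists the digest of the compressed file in repomd.xml, which is omitted here), then verifies each link and reports which link breaks when a package or repomd.xml is tampered with:

```python
import hashlib
import xml.etree.ElementTree as ET


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def _local(tag: str) -> str:
    # Strip the XML namespace so the walker works whatever prefix a repo uses.
    return tag.rsplit("}", 1)[-1]


def _iter(elem, name):
    for e in elem.iter():
        if _local(e.tag) == name:
            yield e


def metalink_repomd_hashes(metalink_xml: bytes) -> dict:
    """Return {hash_type: digest} listed in the metalink for repomd.xml."""
    root = ET.fromstring(metalink_xml)
    for f in _iter(root, "file"):
        if f.get("name") == "repomd.xml":
            return {h.get("type"): h.text.strip() for h in _iter(f, "hash")}
    raise ValueError("metalink has no repomd.xml entry")


def repomd_entry(repomd_xml: bytes, data_type: str):
    """Return (location, sha256) for one <data type=...> entry of repomd.xml."""
    root = ET.fromstring(repomd_xml)
    for d in _iter(root, "data"):
        if d.get("type") == data_type:
            loc = next(_iter(d, "location")).get("href")
            for c in _iter(d, "checksum"):
                if c.get("type") == "sha256":
                    return loc, c.text.strip()
    raise ValueError(f"repomd.xml has no sha256 entry for {data_type}")


def primary_packages(primary_xml: bytes) -> dict:
    """Return {package location: sha256} from primary.xml."""
    root = ET.fromstring(primary_xml)
    out = {}
    for p in _iter(root, "package"):
        loc = next(_iter(p, "location")).get("href")
        for c in _iter(p, "checksum"):
            if c.get("type") == "sha256":
                out[loc] = c.text.strip()
    return out


def verify_chain(metalink_xml: bytes, fetch) -> list:
    """Walk the chain; fetch(path) -> bytes stands in for a mirror download.
    Raises ValueError naming the first link whose digest does not match."""
    expected = metalink_repomd_hashes(metalink_xml)
    repomd = fetch("repodata/repomd.xml")
    if sha256(repomd) != expected.get("sha256"):
        raise ValueError("repodata/repomd.xml does not match metalink hash")
    primary_loc, primary_sha = repomd_entry(repomd, "primary")
    primary = fetch(primary_loc)
    if sha256(primary) != primary_sha:
        raise ValueError(f"{primary_loc} does not match repomd.xml hash")
    verified = []
    for loc, digest in primary_packages(primary).items():
        if sha256(fetch(loc)) != digest:
            raise ValueError(f"{loc} does not match primary.xml checksum")
        verified.append(loc)
    return verified


def check_mirror(files: dict, metalink_xml: bytes):
    """Return (True, verified package list) or (False, reason) for a mirror."""
    try:
        return True, ", ".join(verify_chain(metalink_xml, files.__getitem__))
    except (ValueError, KeyError) as exc:
        return False, str(exc)


def build_sample_repo(rpm_bytes: bytes):
    """Constructed mirror contents for the example: one fake RPM plus the
    metadata a trusted metalink would anchor. Namespaces/paths are assumptions."""
    pkg = "Packages/demo-1.0-1.noarch.rpm"
    files = {pkg: rpm_bytes}
    primary = (
        '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
        f'<package type="rpm"><name>demo</name>'
        f'<checksum type="sha256" pkgid="YES">{sha256(rpm_bytes)}</checksum>'
        f'<location href="{pkg}"/></package></metadata>'
    ).encode()
    files["repodata/primary.xml"] = primary
    repomd = (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">'
        f'<data type="primary"><checksum type="sha256">{sha256(primary)}</checksum>'
        '<location href="repodata/primary.xml"/></data></repomd>'
    ).encode()
    files["repodata/repomd.xml"] = repomd
    metalink = (
        '<metalink version="3.0" xmlns="http://www.metalinker.org/"><files>'
        '<file name="repomd.xml"><verification>'
        f'<hash type="sha256">{sha256(repomd)}</hash></verification>'
        '<resources><url>https://mirror.example/fedora/repodata/repomd.xml</url>'
        '</resources></file></files></metalink>'
    ).encode()
    return files, metalink


if __name__ == "__main__":
    files, metalink = build_sample_repo(b"constructed rpm payload")
    print(check_mirror(files, metalink))
    evil = dict(files, **{"Packages/demo-1.0-1.noarch.rpm": b"trojaned payload"})
    print(check_mirror(evil, metalink))
```

The point the thread makes is visible in where the check fails: swapping the RPM on the mirror is caught at primary.xml, editing repomd.xml is caught at the metalink, and the only link that has to come over https is the metalink itself. A mirrorlist or a baseurl skips that first link, which is why the reply restricts the guarantee to metalink users.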



_______________________________________________
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org
