On Sat, Jun 18, 2016 at 01:41:56AM -0700, Andrew David Wong wrote:
> On 2016-06-17 21:22, Andrew David Wong wrote:
> > On 2016-06-17 18:02, raahe...@gmail.com wrote:
> >> But what if when it says it can't verify key signatures possibly?
> >> Will it automatically hit Y to continue? I wouldn't like that.
> >> Or what about any possible error messages? I still like to see
> >> the text on the screen.
> >
> > The last time this question came up, the answer was "no, it would
> > not automatically say 'yes' to installing a package whose signature
> > cannot be verified."
> >
> > If that turns out to be false, then I'll have to assume that all of
> > my templates are compromised.
>
> I decided to test this, just to make sure. Here's how I tested:
>
> 1. Installed fedora-23-minimal from the Qubes repos.
>
> 2. Inside fedora-23-minimal, renamed all the keys in /etc/pki/rpm-gpg.
>
> 3. Erased all keys that had been imported in rpm with this command:
>
>    # rpm -e --allmatches gpg-pubkey-{hash}
>
>    (Repeated for each gpg-pubkey-{hash}.)
>
> 4. From dom0, ran this command:
>
>    $ qvm-run -a -p -u root fedora-23-minimal 'dnf -y upgrade'
>
> 5. Received this output from the template during the attempted upgrade:
>
>    warning: /var/cache/dnf/updates-e042e478e0621ea6/packages/sqlite-libs-3.11.0-3.fc23.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 34ec9cba: NOKEY
>
>    Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64 [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64]
>
> So, it looks like using the '-y' (assumeyes) option is indeed safe as
> far as PGP/GPG signature verification on packages is concerned.
>
> If anyone has reason to suspect otherwise, or sees a flaw in this
> test, please do let us know.

Yes, it's safe for yum/dnf. It will not allow unsigned/wrongly signed
packages to be installed unless specifically allowed with --nogpgcheck
(which you should not use!). Even -y isn't enough to force unsigned
package installation. Even in interactive mode it isn't possible to
install unsigned packages without --nogpgcheck.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
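
An added example, not part of the thread: a small audit for the two ways package signature checking gets switched off, the --nogpgcheck flag named in the reply above and the gpgcheck=0 repository setting (a standard dnf/yum option the thread does not mention). The function names and the sample files are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). All file names and contents are constructed.
# gpgcheck=0 in a repo file is the persistent form of --nogpgcheck; either one
# turns off package signature checking, which -y alone does not.

# Print "file:[section]" for each repo section that sets gpgcheck to a false value.
repos_without_gpgcheck() {
    awk '
        FNR == 1 { sec = "(no section)" }
        /^[ \t]*\[/ { sec = $0; gsub(/^[ \t]+|[ \t]+$/, "", sec); next }
        /^[ \t]*gpgcheck[ \t]*=/ {
            val = tolower($0)
            sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
            if (val == "0" || val == "false" || val == "no") print FILENAME ":" sec
        }' "$@"
}

# Print "file:line" for each non-comment line running dnf or yum with --nogpgcheck.
# Text after a '#' is ignored, so a comment that mentions the flag is not reported.
nogpgcheck_invocations() {
    grep -nE '^[^#]*(^|[^[:alnum:]_-])(dnf|yum)[[:space:]][^#]*--nogpgcheck' \
        "$@" /dev/null | cut -d: -f1,2
}

# Constructed sample tree: two repo files and one update script.
make_demo_tree() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '[fedora]' 'enabled=1' 'gpgcheck=1' \
        'gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64' > "$d/fedora.repo"
    printf '%s\n' '[vendor-extra]' 'enabled=1' 'gpgcheck = False' > "$d/vendor.repo"
    printf '%s\n' '#!/bin/sh' '# never add --nogpgcheck to the dnf call below' \
        'dnf -y upgrade' 'yum -y --nogpgcheck install ./local.rpm' > "$d/update.sh"
    echo "$d"
}

demo=$(make_demo_tree)
trap 'rm -rf "$demo"' EXIT
echo "gpgcheck disabled in:"
repos_without_gpgcheck "$demo"/*.repo
echo "--nogpgcheck used at:"
nogpgcheck_invocations "$demo"/*.sh
```

On a real template, point the first function at /etc/yum.repos.d/*.repo and /etc/dnf/dnf.conf, and the second at whatever scripts drive unattended updates.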