-
Notifications
You must be signed in to change notification settings - Fork 94
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
dnf5 install/upgrade/... --downloadonly and dnf5 download should check package signatures #1985
Comments
dnf5 install --downloadonly does not verifies signatures, so use the old one for the time being. Workaround for rpm-software-management/dnf5#1985
dnf5 install --downloadonly does not verifies signatures, so use the old one for the time being. Workaround for rpm-software-management/dnf5#1985
In my opinion this is a feature. What's the point in verifying the signatures twice? Once at download and later at installation. |
The current (new) behavior of --downloadonly easily lead to a situation where signatures are not verified at all, which is clearly worse. This is especially the case when somebody relied on previous behavior for verifying signatures - dnf5 is supposed to be a drop-in replacement, and when you call it via simply "dnf" name, you may even not notice that your script suddenly skip signature verification completely. |
DNF5 verifies signatures at installation, i.e. when passing the packages to RPM library which performs the RPM transaction. Can you please show me where DNF5 does not verify signatures which are being installed? DNF5 is not a bug-compatible clone of DNF4. There are certainly some differences and some are deliberate. Like this one. We could add a feature to DNF5 to verify signature at download. But I don't see a reason why it should be enabled by default. Please show us the attack vector so we can understand why it is necessary to check signatures with "dnf install --downloadonly". |
Well, then IMHO
Sure, imagine you have an offline system where you want to install some packages/updates. You use another (online) system to download packages and then copy them on on USB stick. You have a set of scripts for that, and they used to correctly verify signatures with previous DNF version. After updating from Fedora 40 to Fedora 41, all still appear to work without errors, so you wouldn't suspect the update actually introduced a security hole... For simplicity, this is how the two sides could look like in one go:
It does warn me that signature was not verified at the install stage, but since the download stage was clean (and used to verify signature) one can reasonably assume all is fine. PS The DNF4 version could use --destdir to avoid copying files from DNF cache, but that isn't implemented in DNF5. |
In short you used "dnf download" for verifying signatures and then you neglected the verification when installing them from a local file system. Your workflow has a flaw that tampering the package after the download won't be detected. I recommend you setting "localpkg_gpgcheck" to true on your final system. I can see that "dnf download" or "dnf install --downloadonly" could be used as a tool for checking the signatures. I think we can enable the verification in that case. I believe that "dnf install" without the "--downloadonly" option should keep not verifying the signatures. |
What should happen to packages that fails signature verification? Should those be handled the same as failing checksum against repo metadata? AFAIK many package managers will remove such failing packages instead of keeping them in cache, so it gets re-downloaded next time. Should DNF5 do the same?
Generally I agree this is a good idea, but with packages coming from different repositories with different keys, and some from local repo with gpgcheck=0, it's tricky. |
If the verification fails, I would keep the packages there, but print an error and exit with a non-zero code. That way the user can inspect the failed packages. Actively removing the packages is another option. Then the user would have to use --no-gpgchecks option to prevent from the infinite downloading. |
This is a bizarre exchange, and makes me unwilling to trust dnf5. Maybe I am misunderstanding...
A drastic change of security assurance given by a command should surely lead to an unambiguous change of the command name... --downloadonly-without-signature-verification, for example, even with a differently and unambiguously named storage location. And keep the functionality unchanged on the existing command. |
It looks like dnf5 checks signatures only just before installing packages, but not after downloading them. dnf4 verified signatures just after downloading. This has significant security implication for
--downloadonly
option! Thankfully I have a CI check for this case...Reproducer:
The text was updated successfully, but these errors were encountered: