[opensuse-security] RPM signature verification
Hi there,

does RPM need to run gpg to verify signatures or is this hardcoded directly into RPM?

What is the default behaviour of rpm if signature verification fails for whatever reason, does rpm abort installation of the package?

thanx

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
On Wed, Oct 05, 2016 at 11:03:28PM +0200, Malte Gell wrote:
> Hi there,
> does RPM need to run gpg to verify signatures or is this hardcoded directly into RPM?
rpm has GPG signature verification built-in.
> What is the default behaviour of rpm if signature verification fails for whatever reason, does rpm abort installation of the package?
Depends.

By default libzypp (and so zypper/yast2) checks the YUM repository for signatures and follows the SHA256 checksums for the content including the RPMs. The RPM's checksum is not checked.

New libzypp versions can however check RPM signatures instead of repository signatures.

Ciao, Marcus
On 10/06/2016 02:53 AM, Marcus Meissner wrote:
> New libzypp versions can however check RPM signatures instead of repository signatures.
You say "CAN".

a) when you say 'new', what version does that feature start with
b) is that something you set in the config file, the command line for the CLI, or a check-box in Yast?

--
The scientific name for an animal that doesn't either run from or fight its enemies is lunch.
-- Michael Friedman
On Thu, Oct 06, 2016 at 06:56:50AM -0400, Anton Aylward wrote:
> On 10/06/2016 02:53 AM, Marcus Meissner wrote:
>> New libzypp versions can however check RPM signatures instead of repository signatures.
>
> You say "CAN".
> a) when you say 'new', what version does that feature start with
> b) is that something you set in the config file, the command line for the CLI, or a check-box in Yast?
In the zypp.conf file, and overwritten in the repository configs.

According to the changelog it was added in libzypp 15.2.0:

  - zypp.conf: Add config values for gpgcheck, repo_gpgcheck and pkg_gpgcheck.
    The default behavior 'gpgcheck=On' will automatically turn on the gpg
    signature check for packages downloaded from repository with unsigned
    metadata. If the repo metadata are signed, a faster comparison via
    checksums is done. By explicitly setting repo_gpgcheck or pkg_gpgcheck
    you can enforce the signature check of repository metadata or downloaded
    packages to be always performed. Those defaults can be overwritten per
    repository. (FATE#314603)
  - version 15.2.0 (2)

So appeared with openSUSE Leap 42.1.

Ciao, Marcus
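The following is an added example, not code from libzypp, zypper or this thread. It parses a constructed zypp.conf and .repo file with Python's configparser and works out, per repository, whether repository metadata signatures and/or individual package signatures would be verified, following the rules in the changelog quoted above (gpgcheck=On verifies signed metadata and trusts its checksums for packages, falls back to per-package checks for unsigned metadata, and an explicit repo_gpgcheck / pkg_gpgcheck always wins; repository sections override [main]). The sample file contents, repository aliases and baseurl values are constructed, and the handling of gpgcheck=on combined with an explicit repo_gpgcheck=off (treated as "check packages individually") is an assumption not stated on the page. The useful output for a defender is the list of repositories where neither check applies.

```python
# Added example (not libzypp or zypper code): derives which signature checks
# would apply per repository from the gpgcheck / repo_gpgcheck / pkg_gpgcheck
# settings described in the libzypp 15.2.0 changelog. Rules beyond that
# changelog text are assumptions and are marked as such below.
import configparser

# Constructed sample of /etc/zypp/zypp.conf (not taken from a real system).
ZYPP_CONF = """\
[main]
gpgcheck = on
"""

# Constructed sample .repo file with three repositories: one signed, one
# unsigned with an explicit per-package check, and one that switched all
# checks off (the weak setting an audit should flag).
REPO_FILE = """\
[oss]
name=Signed distribution repo (constructed)
baseurl=http://repo.example.invalid/oss/
enabled=1

[thirdparty]
name=Unsigned third-party repo (constructed)
baseurl=http://repo.example.invalid/thirdparty/
enabled=1
pkg_gpgcheck=1

[legacy]
name=Repo with verification disabled (constructed)
baseurl=http://repo.example.invalid/legacy/
enabled=1
gpgcheck=0
"""


def _as_bool(value):
    """zypp.conf accepts on/off, yes/no, 1/0, true/false for these keys."""
    return str(value).strip().lower() in ("1", "on", "yes", "true")


def _lookup(key, repo, main):
    """Repository section overrides [main]; None means 'not set anywhere'."""
    if key in repo:
        return _as_bool(repo[key])
    if key in main:
        return _as_bool(main[key])
    return None


def effective_checks(repo, main, metadata_signed):
    """Return (check_repo_signature, check_package_signatures).

    From the changelog: gpgcheck=On (the default) verifies signed repository
    metadata and relies on its checksums for packages, and falls back to
    per-package signature checks when the metadata is unsigned; an explicit
    repo_gpgcheck / pkg_gpgcheck always wins. Assumption: when gpgcheck is on
    but repo_gpgcheck is explicitly off, packages are checked individually.
    """
    gpgcheck = _lookup("gpgcheck", repo, main)
    if gpgcheck is None:
        gpgcheck = True  # libzypp default 'gpgcheck=On'
    repo_explicit = _lookup("repo_gpgcheck", repo, main)
    pkg_explicit = _lookup("pkg_gpgcheck", repo, main)

    if repo_explicit is not None:
        check_repo = repo_explicit
    else:
        check_repo = gpgcheck and metadata_signed

    if pkg_explicit is not None:
        check_pkg = pkg_explicit
    else:
        # Checksums from verified metadata cover the packages; otherwise
        # each package's own signature has to carry the trust.
        check_pkg = gpgcheck and not (metadata_signed and check_repo)
    return check_repo, check_pkg


def load_policy(zypp_conf_text, repo_text, signed_repos):
    """Parse both INI-style files and compute the policy for every repo."""
    main_cfg = configparser.ConfigParser(interpolation=None)
    main_cfg.read_string(zypp_conf_text)
    main = main_cfg["main"] if main_cfg.has_section("main") else {}
    repos = configparser.ConfigParser(interpolation=None)
    repos.read_string(repo_text)
    return {alias: effective_checks(repos[alias], main, alias in signed_repos)
            for alias in repos.sections()}


def unverified_repos(policy):
    """Aliases where neither metadata nor packages get a signature check."""
    return sorted(alias for alias, (repo, pkg) in policy.items()
                  if not repo and not pkg)


if __name__ == "__main__":
    policy = load_policy(ZYPP_CONF, REPO_FILE, signed_repos={"oss"})
    for alias, (check_repo, check_pkg) in sorted(policy.items()):
        print(f"{alias:12s} repo_sig={check_repo!s:5s} pkg_sig={check_pkg}")
    print("no verification at all:", unverified_repos(policy))
```

Whether a repository's metadata is actually signed is something the tool learns when it refreshes the repository, so here it is passed in as the `signed_repos` set; the point of the helper is to make the per-repository override behaviour visible before trusting a mirror.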
On 10/06/2016 07:06 AM, Marcus Meissner wrote:
> According to the changelog it was added in libzypp 15.2.0
> ....
> So appeared with openSUSE Leap 42.1.
Will that be backported to 13.1, 13.2, Tumbleweed, etc etc?

--
For ages, a deadly conflict has been waged between a few brave men and women of thought and genius upon the one side, and the great ignorant religious mass on the other. This is the war between Science and Faith. The few have appealed to reason, to honor, to law, to freedom, to the known, and to happiness here in this world. The many have appealed to prejudice, to fear, to miracle, to slavery, to the unknown, and to misery hereafter. The few have said "Think" The many have said "Believe!"
--Robert Ingersoll (Gods)
On Thu, Oct 06, 2016 at 07:31:11AM -0400, Anton Aylward wrote:
> On 10/06/2016 07:06 AM, Marcus Meissner wrote:
>> According to the changelog it was added in libzypp 15.2.0
>> ....
>> So appeared with openSUSE Leap 42.1.
>
> Will that be backported to 13.1, 13.2, Tumbleweed, etc etc?
Tumbleweed has a newer libzypp, the older ones will not get it.
(13.2 has 3 months lifetime left, not sure about 13.1)

Ciao, Marcus
participants (3)
- Anton Aylward
- Malte Gell
- Marcus Meissner