Why is repo_gpgcheck not used when updating packages?

gonzalo-bulnes · February 15, 2021, 12:06pm

Hi everyone,

While setting up a personal RPM repository, I noticed that the repositories configured in dom0 do not use the repo_gpgcheck option.

Reading through the update command output, it seems indeed that no signature check is performed on the repos’ metadata. I am wondering why

As far as I can tell the repo_gpgcheck option seems supported by DNF.

That option enables checking the signature of the repomd.xml file in the repository. Because that file lists checksums for all the other metadata files, it allows to confirm who updated the repository.

A few things come to my mind:

The packages themselves are signed. Because those signatures are verified (gpgcheck is enabled), the packages weren’t modified and it doesn’t really matter who put them in the repo as long as the key that signed them can be trusted. Am I understanding this correctly?
That seems reasonable to me in the case of a repository of individual packages, however in the case of a distribution like Fedora 32 or Qubes OS R4.0, couldn’t it be problematic if someone modified the versions of the packages available to allow a series of vulnerabilities to be exploited? Or is that too far-fetched in practice?
Would there be any drawbacks to actually enable repo_gpgcheck for my personal repository? (Signing the repomd.xml file is trivial.)

tripleh · February 15, 2021, 8:46pm

IIRC there’s an open issue on github about that. Please check there.

gonzalo-bulnes · February 16, 2021, 4:40am

Yes, there was! Signed metadata verification is broken for non-Fedora-based UpdateVMs (e.g. sys-whonix). Thank you @tripleh!

I deduce from there that:

Was not the reason why the feature was not used. It just happens to be broken.
Is probably not that far-fetched?
Except for breaking updates via sys-whonix, there shouldn’t be any drawbacks to enabling repo_gpgcheck. Quite the opposite.

Please let me know if any of these conclusions is mistaken!

427F11FD0FAA4B080123 · February 16, 2021, 6:13am

Isn’t the problem as well that Fedora’s repository metadata is not signed?

gonzalo-bulnes · February 16, 2021, 7:18am

That’s a good point. I hadn’t checked them. The Qubes OS repositories metadata is signed, not Fedora’s.

adrelanos · June 13, 2022, 11:08am

github.com/QubesOS/qubes-issues

Fedora template: work to get metadata signing in place

opened 09:59PM - 01 Mar 21 UTC

DemiMarie

T: enhancement C: Fedora security P: default

**Qubes OS version (if applicable)** `Qubes release 4.0 (R4.0)` **Affected… component(s) or functionality (if applicable)** Fedora templates **Brief summary** We should work with Fedora to get them to sign their metadata. This is likely blocked on the stabilization of DNF 5, as DNF 4 has numerous bugs regarding metadata signing. **Additional context** There was an RCE in librepo that this would have mitigated. As per https://github.com/rpm-software-management/librepo/issues/231#issuecomment-787918202 the issues in DNF are unlikely to be fixed in DNF 4. **Relevant [documentation](https://www.qubes-os.org/doc/) you've consulted** **Related, [non-duplicate](https://www.qubes-os.org/doc/reporting-bugs/#new-issues-should-not-be-duplicates-of-existing-issues) issues** #6177 tracked signing of metadata for QubesOS.