Hi everyone,
While setting up a personal RPM repository, I noticed that the repositories configured in dom0 do not use the repo_gpgcheck option.
Reading through the update command output, it seems indeed that no signature check is performed on the repos’ metadata. I am wondering why.
As far as I can tell the repo_gpgcheck option seems supported by DNF.
That option enables checking the signature of the repomd.xml file in the repository. Because that file lists checksums for all the other metadata files, it allows one to confirm who updated the repository.
A few things come to my mind:
- The packages themselves are signed. Because those signatures are verified (gpgcheck is enabled), the packages weren’t modified and it doesn’t really matter who put them in the repo as long as the key that signed them can be trusted. Am I understanding this correctly?
- That seems reasonable to me in the case of a repository of individual packages; however, in the case of a distribution like Fedora 32 or Qubes OS R4.0, couldn’t it be problematic if someone modified the versions of the packages available to allow a series of vulnerabilities to be exploited? Or is that too far-fetched in practice?
- Would there be any drawbacks to actually enabling repo_gpgcheck for my personal repository? (Signing the repomd.xml file is trivial.)
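As an added illustration of the point above about repomd.xml listing the checksums of the other metadata files (example code written for this thread, not the poster's own nor DNF's; it uses constructed sample metadata and a simplified repomd.xml layout), here is the checksum chain a client can walk once it trusts repomd.xml, and why that trust has to come from a signature over repomd.xml itself:

```python
"""Walk the repomd.xml checksum chain of an RPM repository (constructed sample data)."""
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = {"repo": "http://linux.duke.edu/metadata/repo"}
PRIMARY_HREF = "repodata/primary.xml"
# Constructed sample primary metadata, not taken from any real repository.
PRIMARY_NEW = b'<metadata packages="1"><package><name>foo</name><version ver="1.2"/></package></metadata>'
PRIMARY_OLD = b'<metadata packages="1"><package><name>foo</name><version ver="1.1"/></package></metadata>'

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def make_repomd(files: dict) -> bytes:
    """Build a minimal repomd.xml listing a sha256 checksum per metadata file.
    files maps a metadata type (e.g. "primary") to (href, file bytes)."""
    parts = ['<?xml version="1.0" encoding="UTF-8"?>',
             '<repomd xmlns="http://linux.duke.edu/metadata/repo">']
    for mdtype, (href, data) in files.items():
        parts.append(f'<data type="{mdtype}"><checksum type="sha256">{sha256_hex(data)}'
                     f'</checksum><location href="{href}"/></data>')
    parts.append("</repomd>")
    return "\n".join(parts).encode()

def verify_metadata(repomd: bytes, fetched: dict) -> list:
    """Return hrefs of fetched metadata files that do not match repomd.xml.
    This is the check a client can make once it trusts repomd.xml itself."""
    root = ET.fromstring(repomd)
    mismatched = []
    for data in root.findall("repo:data", REPO_NS):
        href = data.find("repo:location", REPO_NS).get("href")
        checksum = data.find("repo:checksum", REPO_NS)
        if checksum.get("type") != "sha256" or sha256_hex(fetched.get(href, b"")) != checksum.text:
            mismatched.append(href)
    return mismatched

def demo() -> tuple:
    """Intact repo; stale primary under the published repomd; stale primary with regenerated repomd."""
    published = make_repomd({"primary": (PRIMARY_HREF, PRIMARY_NEW)})
    intact = verify_metadata(published, {PRIMARY_HREF: PRIMARY_NEW})
    # Older primary served with the published repomd.xml: the checksum catches it.
    swapped = verify_metadata(published, {PRIMARY_HREF: PRIMARY_OLD})
    # Both files regenerated consistently: checksums pass, so only a signature over
    # repomd.xml (what repo_gpgcheck verifies) tells the client who published it.
    regenerated = make_repomd({"primary": (PRIMARY_HREF, PRIMARY_OLD)})
    consistent = verify_metadata(regenerated, {PRIMARY_HREF: PRIMARY_OLD})
    return intact, swapped, consistent
```

The third scenario is the one the post's second question is about: gpgcheck still accepts every package listed, because each package is individually signed, so only the signature on repomd.xml lets the client tell whether the published package set is the one the repository owner intended.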