Why is repo_gpgcheck not used when updating packages?

Hi everyone,

While setting up a personal RPM repository, I noticed that the repositories configured in dom0 do not use the repo_gpgcheck option.

Reading through the update command output, it seems indeed that no signature check is performed on the repos’ metadata. I am wondering why :slightly_smiling_face:

As far as I can tell the repo_gpgcheck option seems supported by DNF.

That option enables checking the signature of the repomd.xml file in the repository. Because that file lists checksums for all the other metadata files, it makes it possible to confirm who updated the repository.

A few things come to my mind:

  1. The packages themselves are signed. Because those signatures are verified (gpgcheck is enabled), the packages weren’t modified and it doesn’t really matter who put them in the repo as long as the key that signed them can be trusted. Am I understanding this correctly?

  2. That seems reasonable to me in the case of a repository of individual packages, however in the case of a distribution like Fedora 32 or Qubes OS R4.0, couldn’t it be problematic if someone modified the versions of the packages available to allow a series of vulnerabilities to be exploited? Or is that too far-fetched in practice?

  3. Would there be any drawbacks to actually enabling repo_gpgcheck for my personal repository? (Signing the repomd.xml file is trivial.)
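As an added illustration of the checksum chain described above (example code, not taken from the thread and not DNF's own implementation), the following Python builds a minimal repomd.xml over a constructed primary.xml, verifies each listed metadata file against the checksum repomd.xml records for it, and reads a constructed .repo stanza to show which option makes DNF verify the detached repomd.xml.asc signature. The file names, the repo id `personal` and the key path are assumptions.

```python
"""repomd.xml names every other metadata file with its SHA-256, so a signature
over repomd.xml (checked by DNF only when repo_gpgcheck=1) covers the whole
metadata set. All sample data below is constructed for the example."""
import configparser
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed primary.xml (real repos ship it gzip-compressed and much larger).
PRIMARY_XML = (b'<metadata packages="1"><package type="rpm"><name>hello</name>'
               b'<version epoch="0" ver="2.10" rel="1"/></package></metadata>')

# Constructed dnf .repo stanza; gpgcheck covers packages, repo_gpgcheck covers metadata.
REPO_CONF = """[personal]
name=Personal repo (constructed example)
baseurl=https://repo.example.invalid/fedora
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-personal
"""

def build_repomd(files):
    """Build a minimal repomd.xml listing each metadata file with its SHA-256."""
    root = ET.Element(REPO_NS + "repomd")
    for href, content in files.items():
        data = ET.SubElement(root, REPO_NS + "data", type=href.split("/")[-1].split(".")[0])
        ET.SubElement(data, REPO_NS + "checksum", type="sha256").text = hashlib.sha256(content).hexdigest()
        ET.SubElement(data, REPO_NS + "location", href=href)
    return ET.tostring(root)

def verify_metadata(repomd_xml, files):
    """Return {href: bool}: does each listed file match the checksum in repomd.xml?
    This proves integrity relative to repomd.xml, not who produced repomd.xml;
    only the detached signature (repomd.xml.asc), verified when repo_gpgcheck=1,
    authenticates the root of the chain."""
    results = {}
    for data in ET.fromstring(repomd_xml).findall(REPO_NS + "data"):
        href = data.find(REPO_NS + "location").get("href")
        csum = data.find(REPO_NS + "checksum")
        if csum is None or csum.get("type") != "sha256" or href not in files:
            results[href] = False  # unknown digest or missing file: treat as failed
            continue
        results[href] = hashlib.sha256(files[href]).hexdigest() == csum.text
    return results

def metadata_signature_checked(repo_file_text, repo_id):
    """Read a dnf .repo file and report whether repomd.xml.asc would be verified."""
    cfg = configparser.ConfigParser()
    cfg.read_string(repo_file_text)
    return cfg.getboolean(repo_id, "repo_gpgcheck", fallback=False)
```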

IIRC there’s an open issue on github about that. Please check there.


Yes, there was! Signed metadata verification is broken for non-Fedora-based UpdateVMs (e.g. sys-whonix). Thank you @tripleh!

I deduce from there that:

  1. Was not the reason why the feature was not used. It just happens to be broken.

  2. Is probably not that far-fetched?

  3. Except for breaking updates via sys-whonix, there shouldn’t be any drawbacks to enabling repo_gpgcheck. Quite the opposite.

Please let me know if any of these conclusions is mistaken! :slightly_smiling_face:

Isn’t the problem as well that Fedora’s repository metadata is not signed?

:bulb: That’s a good point. I hadn’t checked them. The Qubes OS repositories metadata is signed, not Fedora’s.