rpm-ostree

keremet/rpm-ostree

Fork 0

Commit Graph

Author	SHA1	Message	Date
Colin Walters	66425c3161	core: Do GPG verification before importing While reading a recent conversation about GPG checking at treecompose time, I had a sudden thought - were we actually doing verification client side? Turned out, we aren't. That happens as part of `dnf_transaction_commit()` which we don't use. That function verifies every package at one go, but for us I think it's better to do it before "importing". We shouldn't have untrusted bits that we've unpacked (they might have suid binaries, for one thing). This is an embarassing problem, but it's worth emphasizing that everyone should be retrieving repodata at a minimum over TLS, which sets a baseline. On RHEL, we already do pinned TLS, and there are discussions about extending that elsewhere. See: https://bugzilla.redhat.com/show_bug.cgi?id=1422157 Closes: #656 Approved by: jlebon	2017-03-06 15:19:43 +00:00

Author

SHA1

Message

Date

Colin Walters

66425c3161

core: Do GPG verification before importing

While reading a recent conversation about GPG checking at treecompose
time, I had a sudden thought - were we actually doing verification
client side?  Turned out, we aren't.  That happens as part of
`dnf_transaction_commit()` which we don't use.

That function verifies every package at one go, but for us I think it's better
to do it before "importing". We shouldn't have untrusted bits that we've
unpacked (they might have suid binaries, for one thing).

This is an embarassing problem, but it's worth emphasizing that everyone should
be retrieving repodata at a minimum over TLS, which sets a baseline. On RHEL, we
already do pinned TLS, and there are discussions about extending that elsewhere.

See: https://bugzilla.redhat.com/show_bug.cgi?id=1422157

Closes: #656
Approved by: jlebon

2017-03-06 15:19:43 +00:00

1 Commits