rpm --nosignature reversed meaning

Jeffrey Johnson n3npq at me.com
Tue Aug 30 14:01:53 CEST 2016


> On Aug 30, 2016, at 7:47 AM, Tomasz Pala <gotar at polanet.pl> wrote:
> 
> On Tue, Aug 30, 2016 at 05:56:43 -0400, Jeffrey Johnson wrote:
> 
>>> Is there any macro/option that prevents me from installing any unsigned/unverified package?
>> 
>> The question as asked cannot be answered: all (RPM5 built) packages are signed
>> and (w/o --nosignature) the signature will be verified.
>> 
>>> Warning is not enough, I want to be totally sure the verification was done and succeeded.
>> 
>> All BAD signatures will stop RPM (unless --nosignature has been used).
> 
> And how about rejecting unsigned packages? At least without --force or sth.
> 

Um, MANDATORY signature verification is where this started. Perhaps
it isn’t clear that that means
	No unsigned packages.

> Without this an attacker might put unsigned package ...and that's it.

And even with MANDATORY signatures, adding --nosignature == that’s it.
One must VERIFY the signature as well as include.

> 
> With keyservers enabled, an attacker might sign a package with its own
> malicious key ...and that's it (that's another reason why I disable this)

Nope: rpm uses a non-repudiable signature, basically a new key pair is generated for
every build, packages are signed with pubkey included, and the private key is discarded.

The non-repudiable signature (as well as the attacks and protocols to mitigate)
are described here:
	http://cacr.uwaterloo.ca/hac/about/chap13.pdf
in section 13.8.2 “Non-repudiation and notarization of digital signatures” on p582

> In other words: I want to be sure that each and every package is signed
> with one of the locked keys. I can lock keys (disable keyservers), but
> still need to enforce using *any* key somehow.
> 

Resigning all packages with whatever key you want before installing is
likely the easiest path to your goal.

My RPM problem moving to MANDATORY signatures needs non-repudiable
signatures solely to GUARANTEE that some signature ALWAYS exists.

It’s taken YEARS to get to the point where I can remove --nosignature and the
goose-loosey best effort of warning (but not erring) with unsigned packages or
missing pub keys.

73 de Jeff
> -- 
> Tomasz Pala <gotar at pld-linux.org>
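The thread asks for a way to be "totally sure the verification was done and succeeded" and to accept only packages "signed with one of the locked keys". The following is an added example, not code from the thread, RPM5 or PLD: a POSIX sh admission check that parses the output of `rpm -Kv` (run without `--nosignature`) and admits a package only when at least one signature line reads OK from an allow-listed key ID and nothing reports BAD or NOKEY. It assumes the rpm 4.x `rpm -Kv` output layout; the sample outputs, file names and key IDs are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread: refuse a package unless `rpm -Kv`
# reports an OK signature from an allow-listed key and no BAD/NOKEY result.
# Assumes rpm 4.x-style `rpm -Kv` output; samples and key IDs are constructed.

# Site-locked key IDs (hypothetical values). Only signatures from these count,
# so a key pulled in from a keyserver cannot satisfy the check by itself.
ALLOWED_KEY_IDS="0123456789abcdef"

# sig_verdict OUTPUT
#   Prints one of: ok, bad, unsigned, untrusted-key.
#   Returns 0 only for "ok", so the function can gate an install.
sig_verdict() {
    out=$1
    # An explicit failure anywhere (bad signature, missing key, bad digest)
    # is decisive: a warning is not treated as success.
    if printf '%s\n' "$out" | grep -Eq ': *(BAD|NOKEY|NOTTRUSTED)'; then
        echo bad
        return 1
    fi
    # Collect the key ID of every signature line that verified OK.
    # A package that shows only digest lines carries no signature at all.
    ids=$(printf '%s\n' "$out" \
        | sed -nE 's/.*Signature, key ID ([0-9a-fA-F]+): OK.*/\1/p' \
        | tr 'A-F' 'a-f')
    if [ -z "$ids" ]; then
        echo unsigned
        return 1
    fi
    # At least one verified signature must come from a locked key.
    for id in $ids; do
        for allowed in $ALLOWED_KEY_IDS; do
            if [ "$id" = "$allowed" ]; then
                echo ok
                return 0
            fi
        done
    done
    echo untrusted-key
    return 1
}

# check_rpm_file FILE: run rpm's own verifier (never with --nosignature)
# and apply the verdict. Returns 0 only when the package may be installed.
check_rpm_file() {
    verdict=$(sig_verdict "$(rpm -Kv -- "$1" 2>&1)")
    printf '%s: %s\n' "$1" "$verdict"
    [ "$verdict" = ok ]
}

# Constructed sample outputs in the rpm 4.x `rpm -Kv` layout.
SAMPLE_OK='good.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123456789abcdef: OK
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123456789abcdef: OK
    MD5 digest: OK'
SAMPLE_UNSIGNED='unsigned.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'
SAMPLE_NOKEY='nokey.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123456789abcdef: NOKEY
    Header SHA1 digest: OK'
SAMPLE_FOREIGN='foreign.rpm:
    Header V4 RSA/SHA256 Signature, key ID fedcba9876543210: OK
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID fedcba9876543210: OK
    MD5 digest: OK'

# Show the verdict for each constructed sample.
demo() {
    for s in "$SAMPLE_OK" "$SAMPLE_UNSIGNED" "$SAMPLE_NOKEY" "$SAMPLE_FOREIGN"; do
        printf '%s -> %s\n' "$(printf '%s\n' "$s" | head -n 1)" "$(sig_verdict "$s")"
    done
}
demo
```

Wire `check_rpm_file` in front of the install step (for example, loop over the files and abort before calling `rpm -i` if any call returns non-zero). The verdict is derived from rpm's own verification output, so it stays correct as long as the wrapper itself never passes `--nosignature`, which is exactly the bypass the thread warns about.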