rpm --nosignature reversed meaning

Tomasz Pala gotar at polanet.pl
Sun Sep 11 07:31:01 CEST 2016 

On Sat, Sep 10, 2016 at 23:22:39 -0400, Jeffrey Johnson wrote:

> The better patch (headed toward elimination of ???no signature disablers)
> is to wrap the tests on the ???query path with
> 
> 	#if defined(SUPPORT_NOSIGNATURES)
> 	???
> 	#endif
> 
> and then rip out the ???nosignature option entirely.

Well, consider I got some unknown.rpm. I do want it to be verified by
default during query, however if it happens that signatures do not match
I need an option to analyze (potentially malicious) content. For the very
beginning, I would check the first possibility - that I simply do not
have imported appropriate key. That unknown.rpm might be some 3rd party
software downloaded from vendor I do trust in sense of not being
malicious, but I do not trust on proper packaging or compatibility
(%pre/%post scripts quality, file locations, UIDs/GIDs etc.). So, BEFORE
importing the key, I need to inspect this package. As rpm2cpio won't
extract the scripts nor show me the site URL pointer, I can't imagine
dropping --nosignature option from the --query mode.

Then, while installing this particular package, you can't force me to
trust GPG key used, as *IN GENERAL* I might NOT TRUST this vendor. The
fact, that I'm forced to use some of their software, doesn't meen I ever
want to install anything else they've signed. Without --nosignature, I
would have to import the key, install package and remove the key. Or, as
you've mentioned before, resign the package with my own key, provided
there are some REALLY EASY ways of doing it (i.e. single command that
generates temporary key and applies it to the package). However, BEFORE
resign such package, I need the tool to query the contents and analyze
it.

Thus, as long as ripping off --nosignature seems to be the right way for
Linux distribution, it seems to ignore the existence of 3rd party
software that is being used in real world.

The usage scenario rpm has to allow:

1. rpm -qp unknown.rpm -> signature verification failed,
2. rpm -qpilv --scripts --nosignature unknown.rpm -> analyze
3. rpm2cpio ... -> content analyze IF required (trusting the vendor)
3. rpm --resign unknown.rpm (not with MY key, but some generated)
4. rpm -i unknown.rpm


Consider web browsers - with Let's Encrypt initiative I can imagine,
that in several years some would start to disable various functions over
non-secure channels (e.g. cookies and POST over HTTP). As this is
gradual process with huge userbase behind, it can crawl towards
HTTPS-only forcing web service providers to adjust.

However, with relatively small rpm userbase (as a part of relatively
small Linux users), with even less users of 3rd party software, you
can't expect providers would adapt. And that's apart from the trust issue
I've mentioned above (that I do NOT trust them in general, just have to
use SOME of their sw).

-- 
Tomasz Pala <gotar at pld-linux.org>

More information about the pld-devel-en mailing list