View Issue Details
ID | Project | Category | View Status | Date Submitted | Last Update |
---|---|---|---|---|---|
0018068 | CentOS-8 | general | public | 2021-02-15 18:27 | 2021-02-17 14:06 |
Reporter | DavidJohnston | Assigned To | |||
Priority | normal | Severity | minor | Reproducibility | always |
Status | confirmed | Resolution | open | ||
Product Version | 8.3.2011 | ||||
Summary | 0018068: DNF handles repo_gpgcheck=1 incorrectly. | ||||
Description

DNF handles repo_gpgcheck=1 incorrectly. DNF should use GPG for key management. GPG is designed for the task. DNF repo_gpgcheck should check the signature against keys in the user's keyring, or in a system keyring. DNF currently manages keys itself, and does so in ways that are arguably unsafe. I see 3 issues with the current behavior:

1. dnf stores a separate copy of the key for each repo in the cache
2. dnf -y update will add keys without prompting the user
3. clearing the dnf cache drops the keys, exposing the system to?

Steps To Reproduce

```
STEPS TO REPRODUCE (USE CASE 1)
### Note that in this example, all four repos are signed with the same key.
### All commands are run as root in this example.
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf update
## RESULT: Operator is asked to accept the key 4 times, waiting for each repo to load.
## RESULT: This wastes operator time and makes automation difficult

STEPS TO REPRODUCE (USE CASE 2)
### Clear the cache for this test
# rm -Rf /var/cache/dnf/* /var/cache/dnf/.gpgkeyschecked.yum
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf -y update
## RESULT: DNF accepts the keys without prompting

STEPS TO REPRODUCE (USE CASE 3)
### Set up the test
# rm -Rf /var/cache/dnf/* /var/cache/dnf/.gpgkeyschecked.yum
# dnf config-manager --save --setopt=*.repo_gpgcheck=1 appstream baseos extras powertools
# dnf -y update
### Demonstrate that dnf has the keys (should not prompt the user):
# dnf update
### The real test starts here. An operator has deleted the cache for some reason.
# rm -Rf /var/cache/dnf/*
# dnf update
## RESULT: DNF prompts the user to accept the same key 4 times.
```

Additional Information

dnf stores the gpg keys under /var/cache/dnf, for example:

```
/var/cache/dnf/extras-2770d521ba03e231/pubring/trustdb.gpg
/var/cache/dnf/powertools-25a6a2b331e53e98/pubring/trustdb.gpg
/var/cache/dnf/baseos-929b586ef1f72f69/pubring/trustdb.gpg
/var/cache/dnf/appstream-a520ed22b0a8a736/pubring/trustdb.gpg
```

Tags: No tags attached.
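As an added example (not code from the bug report, dnf or CentOS), the audit below parses .repo definitions like the ones the steps above toggle with config-manager and flags every enabled repo whose gpgcheck or repo_gpgcheck is not 1, has no gpgkey, or fetches its gpgkey over the network. The sample repo text and the mirror.example.invalid URL are constructed for the example.

```python
import configparser

# Constructed sample in /etc/yum.repos.d style (not taken from a real system);
# [thirdparty] is invented to show a failing repo.
SAMPLE_REPO_TEXT = """\
[baseos]
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[extras]
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[thirdparty]
enabled=1
gpgcheck=0
gpgkey=http://mirror.example.invalid/RPM-GPG-KEY-thirdparty

[debuginfo]
enabled=0
"""


def audit_repo_text(text):
    """Return {repo_id: [finding, ...]} for each enabled repo in a .repo file."""
    # A missing gpgcheck/repo_gpgcheck counts as off (dnf's default when absent).
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # a disabled repo is never contacted, so skip it
        findings = []
        if sec.get("gpgcheck", "0").strip() != "1":
            findings.append("gpgcheck!=1: package signatures not verified")
        if sec.get("repo_gpgcheck", "0").strip() != "1":
            findings.append("repo_gpgcheck!=1: repomd.xml signature not verified")
        keys = sec.get("gpgkey", "").split()
        if not keys:
            findings.append("no gpgkey: no trust anchor to verify against")
        for key in keys:
            if not key.startswith("file://"):
                findings.append("gpgkey fetched over the network: " + key)
        report[repo] = findings
    return report
```

Feed each file under /etc/yum.repos.d to `audit_repo_text` to get a per-repo list of findings; an empty list means that repo verifies both packages and metadata against a local key.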
Date Modified | Username | Field | Change |
---|---|---|---|
2021-02-15 18:27 | DavidJohnston | New Issue | |
2021-02-17 01:08 | toracat | Status | new => acknowledged |
2021-02-17 14:06 | jcpunk | Status | acknowledged => confirmed |
2021-02-17 14:06 | jcpunk | Note Added: 0038251 | |