[Rpm-maint] [rpm-software-management/rpm] RPM signature verification for files from installed packages (Issue #2671)

Artem S. Tashkinov notifications at github.com
Mon Sep 18 20:41:36 UTC 2023


Let's talk about a major security issue which I think is very important, yet is not currently solved in any shape or form.

RPM packages can be signed, and Fedora and RHEL packages are.

The issue, however, is that neither Fedora nor RHEL keeps intermediate update packages on the server, so it's quite a common configuration to have packages installed whose source Fedora/RHEL packages cannot be downloaded or found anywhere on the Internet, since they have been deprecated and replaced with newer updates.

This results in an ability to verify the integrity of the installed files and whether they have been tampered with because it's relatively easy to modify `rpmdb.sqlite` to make it look like files on the disk are pristine and the system is running normally without any malware, etc.

Here's my proposal for how to fix this issue.

We sign the metadata of the RPM file separately (i.e. the package description, filenames, timestamps, permissions, scripts, etc) and upon installation the metadata gets stored somewhere, even in `rpmdb.sqlite`.

Then it becomes trivial to verify whether your system still runs signed packages even when their source binaries have long been lost/deprecated/whatever.

Of course this can be "solved" by enabling `keepcache` but it comes with its drawbacks, i.e. the need to keep stale unneeded update files (i.e. the kernel package in Fedora is updated almost every week, so we are talking about 52 kernel packages every year which is a ton of space).

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2671

Message ID: <rpm-software-management/rpm/issues/2671 at github.com>
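As an added example, not code from the issue or from rpm itself: a small Python sketch of the verification step the proposal describes. It assumes a per-file metadata line shaped like the output of `rpm -q --dump`, and uses an HMAC with a constructed key as a stand-in for the detached OpenPGP signature the proposal would carry; the demo writes a constructed file, signs its metadata, alters the file on disk, and shows the check flags it without consulting `rpmdb.sqlite`.

```python
import hashlib, hmac, os, stat, tempfile

# Constructed per-file metadata line, modelled on `rpm -q --dump`:
# path size mtime digest mode owner group isconfig isdoc rdev symlink
# The HMAC stands in for the detached OpenPGP signature the proposal would
# attach to this metadata (a real deployment verifies the distro's key).

def sign_manifest(manifest: bytes, key: bytes) -> str:
    return hmac.new(key, manifest, hashlib.sha256).hexdigest()

def verify_manifest_sig(manifest: bytes, sig: str, key: bytes) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), sig)

def parse_manifest(manifest: bytes) -> list[dict]:
    rows = (ln.split() for ln in manifest.decode().splitlines() if ln.strip())
    return [{"path": f[0], "size": int(f[1]), "digest": f[3], "mode": int(f[4], 8)}
            for f in rows]

def check_files(entries: list[dict], root: str) -> list[tuple[str, str]]:
    """Compare files on disk against the signed metadata, never consulting rpmdb."""
    findings = []
    for e in entries:
        p = os.path.join(root, e["path"].lstrip("/"))
        if not os.path.lexists(p):
            findings.append((e["path"], "missing"))
            continue
        st = os.lstat(p)
        if stat.S_IMODE(st.st_mode) != stat.S_IMODE(e["mode"]):
            findings.append((e["path"], "mode"))
        if stat.S_ISREG(st.st_mode):
            with open(p, "rb") as fh:
                if hashlib.sha256(fh.read()).hexdigest() != e["digest"]:
                    findings.append((e["path"], "digest"))
    return findings

def demo() -> tuple[bool, list[tuple[str, str]]]:
    """Install a constructed file, sign its metadata, then alter the file."""
    key, content = b"constructed-demo-key", b"#!/bin/sh\necho pristine\n"
    with tempfile.TemporaryDirectory() as root:
        target = os.path.join(root, "usr/bin/demo")
        os.makedirs(os.path.dirname(target))
        with open(target, "wb") as fh:
            fh.write(content)
        os.chmod(target, 0o755)
        digest = hashlib.sha256(content).hexdigest()
        manifest = f"/usr/bin/demo {len(content)} 1695000000 {digest} 0100755 root root 0 0 0 X\n".encode()
        sig = sign_manifest(manifest, key)
        with open(target, "ab") as fh:  # post-install change that rpmdb alone would not reveal
            fh.write(b"echo modified\n")
        return verify_manifest_sig(manifest, sig, key), check_files(parse_manifest(manifest), root)
```

The signature check and the file check are deliberately separate: the signature proves the stored metadata is what the distribution shipped, and the file check proves the disk still matches that metadata.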