[Rpm-maint] [rpm-software-management/rpm] RPM signature verification for files from installed packages (Issue #2671)

Panu Matilainen notifications at github.com
Mon Sep 25 07:41:24 UTC 2023


> This results in an ability to verify the integrity of the installed files and whether they have been tampered with because it's relatively easy to modify `rpmdb.sqlite` to make it look like files on the disk are pristine and the system is running normally without any malware, etc.

I don't think you've actually tried that. 

> Here's my proposal how to fix this issue.
> 
> We sign the metadata of the RPM file separately (i.e. the package description, filenames, timestamps, permissions, scripts, etc) and upon installation the metadata gets stored somewhere, even in `rpmdb.sqlite`.

You know, this (header-only signatures) was *the* major feature of rpm v4 format in 2000 :sweat_smile:  
That's right, almost a quarter century ago, and years before my time. Rpm v3 signatures covered both the header and the payload and thus weren't verifiable after installation; v4 added header-only signatures (and digests) for this very purpose, and that has been in action ever since. Few people ever notice.

If you look at 'rpm -qavv' output, you'll see rpm checking digests and signatures of each package processed. Any failed check will result in loud complaints. By default this happens on each and every rpmdb access you do, including of course 'rpm -Va'.

The gotcha is that it's possible to effectively *delete* a signature of an installed package, and then adjust a digest to match a modification of the header. There's #811 for that, but if you have sufficient permissions (root) to manipulate the rpmdb at will, then you also have sufficient permissions to disable the enforcing signature checking in configuration. Protecting against a rogue root is tough.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2671#issuecomment-1733093630
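Added example, not part of the original message or of rpm itself: a check for the gotcha described above, listing installed packages whose rpmdb header carries no header-only signature at all. It assumes the `RSAHEADER` and `DSAHEADER` tags are the header signatures in use; the function names and the sample records are constructed for illustration, and locally built packages will also show up as unsigned.

```shell
#!/bin/sh
# Flag installed packages whose rpmdb header has no header-only signature.
# The filter reads query output on stdin, so it can be run against
# captured data as well as a live rpmdb.

# Query format: name, NEVRA, then the two header-only signature tags.
# A tag that is absent from the header is printed as "(none)".
QF='%{NAME}\t%{NEVRA}\t%{RSAHEADER:pgpsig}\t%{DSAHEADER:pgpsig}\n'

# unsigned_headers: print the NEVRA of every record with neither signature.
# gpg-pubkey entries are imported keys, not packages, and are never signed,
# so they are skipped to avoid false positives.
unsigned_headers() {
    awk -F '\t' '
        $1 == "gpg-pubkey" { next }
        $3 == "(none)" && $4 == "(none)" { print $2 }
    '
}

# Constructed sample records (not output from any real system).
sample_records() {
    printf 'bash\tbash-5.2.15-3.x86_64\tRSA/SHA256, Tue 01 Aug 2023 10:00:00 AM UTC, Key ID 0000000000000001\t(none)\n'
    printf 'olddsa\tolddsa-2.0-1.x86_64\t(none)\tDSA/SHA1, Tue 01 Aug 2023 10:00:00 AM UTC, Key ID 0000000000000002\n'
    printf 'examplepkg\texamplepkg-1.0-1.noarch\t(none)\t(none)\n'
    printf 'gpg-pubkey\tgpg-pubkey-00000001-00000000\t(none)\t(none)\n'
}

# On a live system:
#   rpm -qa --qf "$QF" | unsigned_headers
```

Comparing the result against a list recorded at install time shows which packages lost a signature they previously had.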