
Document if delta RPMs are signed #9

Open
DemiMarie opened this issue Feb 4, 2021 · 8 comments
Comments

@DemiMarie

Are delta RPMs signed?

@mlschroe
Contributor

mlschroe commented Feb 5, 2021

They are normal rpms with just a different payload, so they can be signed as well. I don't know about Fedora, but SUSE signs the generated delta rpms.

As they completely live outside of rpm I don't see why the rpm project should document something about them.

@DemiMarie
Author

The bigger question is whether DNF verifies these signatures.

@marmarek

marmarek commented Feb 7, 2021

I've taken some random drpm from Fedora repo: https://ftp-stud.hs-esslingen.de/pub/fedora/linux/updates/33/Everything/x86_64/drpms/firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm
It is not only not signed, but also the package digest doesn't match:

$ rpm -K firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm
firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm: DIGESTS NOT OK

It looks like the header is from the new package (which matches the vague description in https://github.com/rpm-software-management/deltarpm/blob/master/README). If that's really the case, the signature in the header can't possibly match the deltarpm payload, because it is a different payload from the target rpm package. I think what @DemiMarie asked is whether the format permits a signature check before processing the actual payload. My understanding is: it does not.

@DemiMarie
Author

Indeed that is what I am asking. If @marmarek is correct, then this is a serious security weakness in the delta RPM format, and delta RPMs should be disabled by default. The same reasoning for RPM Copy on Write applies here.

@mlschroe
Contributor

mlschroe commented Feb 8, 2021

The signatures of a delta rpm are in its signature header, that's why they match the deltarpm payload and not the original rpm payload.

The exception is the new RPMTAG_PAYLOADDIGEST/RPMTAG_PAYLOADDIGESTALGO tags that were added a couple of months ago. Maybe that's what rpm -K complains about... (maybe add the -v option to get more output?) We'd need to tweak them like we do with the payloadcompressor to make them match.

@marmarek

marmarek commented Feb 8, 2021

Yes, it seems so:

firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm:
    Payload SHA256 ALT digest: BAD (Expected df190725901ecc553c9002649c70c95adb9a12bd934f7bf1d9e2fb5458b45fb8 != d9c8f0e9dc1f4f1351fce180f8757b646d0a4d8724960a6e02a9e4b9bfc56d70)
    Payload SHA256 digest: BAD (Expected 42d6bbdfcdbbd4deb4211b1bcc565454ccc751648f051933ed25e26bcf3a56c9 != d9c8f0e9dc1f4f1351fce180f8757b646d0a4d8724960a6e02a9e4b9bfc56d70)
    MD5 digest: OK

@DemiMarie
Author

@mlschroe can we add signature verification functionality to the deltarpm tool, and turn it on by default? I can’t think of many legit use cases for unsigned delta RPMs.

@mlschroe
Contributor

mlschroe commented Feb 9, 2021

You're supposed to use rpm to check the signature of the delta rpm.

(Also note that the repodata usually contains a checksum for the delta rpm, so it's more like how much you trust the metadata.)
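
Since the thread's advice is "use rpm to check the signature of the delta rpm", the `rpm -Kv` output marmarek posted is the thing a verifier actually has to interpret: the digest lines alone do not tell you whether the file carries a signature at all. The script below is an added example written for this thread, not code from rpm or deltarpm. It parses `rpm -Kv` output into a verdict that separates "no signature line present" (marmarek's Fedora drpm) from "signature OK but the PAYLOADDIGEST tags copied from the target rpm don't match" (the case mlschroe describes). The unsigned sample is the output quoted above; the signed samples are constructed and follow the `Header V4 RSA/SHA256 Signature, key ID ...: OK` line format of recent rpm, which is assumed here. `check_package` shells out to a real `rpm` binary and is not exercised by the embedded samples.

```python
"""Interpret `rpm -Kv` output for a regular .rpm or a .drpm.

Hypothetical helper written for this issue thread; it only classifies
what rpm prints and does no cryptography itself.
"""
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample: the `rpm -Kv` output quoted in the thread above.
# Note there is no "Signature" line at all, only digest lines.
SAMPLE_UNSIGNED_DRPM = """\
firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm:
    Payload SHA256 ALT digest: BAD (Expected df190725901ecc553c9002649c70c95adb9a12bd934f7bf1d9e2fb5458b45fb8 != d9c8f0e9dc1f4f1351fce180f8757b646d0a4d8724960a6e02a9e4b9bfc56d70)
    Payload SHA256 digest: BAD (Expected 42d6bbdfcdbbd4deb4211b1bcc565454ccc751648f051933ed25e26bcf3a56c9 != d9c8f0e9dc1f4f1351fce180f8757b646d0a4d8724960a6e02a9e4b9bfc56d70)
    MD5 digest: OK
"""

# Constructed sample of a signed, fully consistent package (key ID is a placeholder).
SAMPLE_SIGNED_RPM = """\
example-1.0-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK
"""

# Constructed sample of a signed drpm whose PAYLOADDIGEST tags still describe
# the target rpm's payload, the mismatch mlschroe describes above.
SAMPLE_SIGNED_DRPM_BAD_PAYLOAD = """\
example-1.0-1_1.0-2.x86_64.drpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: BAD (Expected 00 != 11)
    MD5 digest: OK
"""

# One indented "    <what>: <status>" line of `rpm -Kv` output.
_LINE_RE = re.compile(
    r"^\s+(?P<what>.+?):\s+(?P<status>OK|BAD|NOKEY|NOTTRUSTED|NOTFOUND)\b"
)


@dataclass
class KVerdict:
    package: str
    signature_lines: dict = field(default_factory=dict)  # description -> status
    digest_lines: dict = field(default_factory=dict)     # description -> status

    @property
    def signed(self) -> bool:
        """True only if rpm reported at least one signature line."""
        return bool(self.signature_lines)

    @property
    def payload_digest_bad(self) -> bool:
        return any(
            status != "OK"
            for what, status in self.digest_lines.items()
            if what.startswith("Payload")
        )

    @property
    def verdict(self) -> str:
        # Order matters: an absent signature is the most serious finding,
        # because digests alone prove nothing about who produced the file.
        if not self.signed:
            return "unsigned"
        if any(status != "OK" for status in self.signature_lines.values()):
            return "signature-bad"
        if self.payload_digest_bad:
            return "payload-digest-mismatch"
        if any(status != "OK" for status in self.digest_lines.values()):
            return "digest-bad"
        return "verified"


def parse_rpm_kv(output: str) -> KVerdict:
    """Split `rpm -Kv` output into signature lines and digest lines."""
    lines = output.splitlines()
    package = lines[0].rstrip(":") if lines else ""
    verdict = KVerdict(package=package)
    for line in lines[1:]:
        match = _LINE_RE.match(line)
        if not match:
            continue
        what, status = match.group("what"), match.group("status")
        if "Signature" in what:
            verdict.signature_lines[what] = status
        elif "digest" in what.lower():
            verdict.digest_lines[what] = status
    return verdict


def check_package(path: str) -> KVerdict:
    """Run the real rpm binary on a file; rpm -K exits non-zero on any failure."""
    proc = subprocess.run(
        ["rpm", "-Kv", path], capture_output=True, text=True, check=False
    )
    return parse_rpm_kv(proc.stdout)


if __name__ == "__main__":
    for sample in (SAMPLE_UNSIGNED_DRPM, SAMPLE_SIGNED_RPM, SAMPLE_SIGNED_DRPM_BAD_PAYLOAD):
        v = parse_rpm_kv(sample)
        print(f"{v.package}: {v.verdict}")
```

The point of ranking "unsigned" above the digest results is the one marmarek raised: on the Fedora drpm the digest lines are BAD, but even if they were OK the file would still carry no signature, so a client that only looks at digest status (or only at the repodata checksum mlschroe mentions) is trusting the metadata channel rather than a signature on the delta itself.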
