[tor-bugs] #12871 [RPM packaging]: RPM repo data is not signed and documentation misses repo_gpgcheck

Tor Bug Tracker & Wiki blackhole at torproject.org
Fri Oct 24 21:41:21 UTC 2014


#12871: RPM repo data is not signed and documentation misses repo_gpgcheck
-------------------------------+----------------------
     Reporter:  cypherpunks    |      Owner:  hiviah
         Type:  defect         |     Status:  assigned
     Priority:  normal         |  Milestone:
    Component:  RPM packaging  |    Version:
   Resolution:                 |   Keywords:
Actual Points:                 |  Parent ID:
       Points:                 |
-------------------------------+----------------------

Comment (by hiviah):

 Citing from https://lists.torproject.org/pipermail/tor-dev/2014-October/007661.html :

 > It is my opinion that even in the case of HTTPS GPG signatures provide a
 > security improvement since (I hope) the private GPG key used to sign the
 > repo is less exposed than the wildcard certificate for *.tpo.

 The RPM packages are already GPG-signed, the signatures repomd.xml.asc are
 already there and can be used. On top of it the repomd.xml* files are
 transmitted over TLS. If an attacker just wanted DoS by denying updates,
 all he has to do is TCP RST (why bother with forging TLS?).

 > Could you elaborate on your issue regarding repo_gpgcheck not showing
 > fingerprints? (It does show the gpg key fingerprint on a fc20 system
 > after adding repo_gpgcheck=1 and running 'yum update' [3]).

 This is the case for EL6 at least - once you add repo_gpgcheck=1, it will
 only ask if you want to trust the key given in the gpgkey parameter without
 showing the fingerprint (with the gpgcheck parameter yum does ask if the
 fingerprint matches, though). I don't feel comfortable telling users to
 accept an arbitrary key. It would be easier if I knew which version of yum
 fixed this so it could be added into the documentation.

--
Ticket URL: <https://trac.torproject.org/projects/tor/ticket/12871#comment:9>
Tor Bug Tracker & Wiki <https://trac.torproject.org/>
The Tor Project: anonymity online
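The comment above turns on the difference between the two yum settings: gpgcheck=1 verifies each downloaded RPM, while repo_gpgcheck=1 additionally verifies repomd.xml against the repomd.xml.asc signature, so a tampered or stale package index is rejected before any package is fetched. The script below is an added example, not code from the ticket or from the Tor Project's packaging: it audits a .repo file and lists every enabled repository that lacks either setting. The sample .repo content, the example.invalid baseurl and the key path are all constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the ticket): audit a yum .repo file for the two
# settings discussed in the thread.
#   gpgcheck=1      -> each RPM's signature is verified against gpgkey
#   repo_gpgcheck=1 -> repomd.xml is verified against repomd.xml.asc too
# A repo with only gpgcheck=1 still trusts whatever index the server (or
# anyone who can swap it) hands out.

# Write a constructed sample .repo file; URL and key path are placeholders.
write_sample_repo() {
    cat > "$1" <<'EOF'
[tor-weak]
name=Tor repo, packages signed but metadata unchecked
baseurl=https://example.invalid/rpm/el6/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-torproject-example

[tor-strong]
name=Tor repo, packages and metadata checked
baseurl=https://example.invalid/rpm/el6/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-torproject-example

[tor-disabled]
name=Disabled repos are skipped by the audit
baseurl=https://example.invalid/rpm/el6/
enabled=0
EOF
}

# Print one line per enabled repo section that lacks gpgcheck=1 or
# repo_gpgcheck=1. Exit status 0 when every enabled repo has both, 1 otherwise.
audit_repo_file() {
    awk '
        # Emit findings for the section just finished (if it was enabled).
        function report() {
            if (sec != "" && enabled != "0") {
                if (gpg != "1")  { print sec ": gpgcheck is not 1"; bad = 1 }
                if (rgpg != "1") { print sec ": repo_gpgcheck is not 1"; bad = 1 }
            }
        }
        # New [section]: report the previous one and reset state.
        /^\[.*\]$/ {
            report()
            sec = substr($0, 2, length($0) - 2)
            enabled = "1"; gpg = ""; rgpg = ""
            next
        }
        # Skip comments and blank lines.
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        # key=value lines: keep only the three settings we care about.
        {
            split($0, kv, "=")
            key = kv[1]; gsub(/[ \t]/, "", key)
            val = kv[2]; gsub(/[ \t]/, "", val)
            if (key == "enabled")       enabled = val
            if (key == "gpgcheck")      gpg = val
            if (key == "repo_gpgcheck") rgpg = val
        }
        END { report(); exit bad ? 1 : 0 }
    ' "$1"
}

# Stand-alone demonstration on the constructed sample.
# Real usage: audit_repo_file /etc/yum.repos.d/<name>.repo
sample="${TMPDIR:-/tmp}/tor-sample-audit.repo"
write_sample_repo "$sample"
audit_repo_file "$sample" || echo "at least one enabled repo skips metadata verification"
rm -f "$sample"
```

The audit deliberately treats a missing `enabled=` as enabled, because that is yum's default, and it ignores disabled sections so that a large repos.d directory can be checked with `for f in /etc/yum.repos.d/*.repo; do audit_repo_file "$f"; done` without noise from repos that cannot be used anyway.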

