Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Check the validity of hash algo #3416

Closed
wants to merge 1 commit into from
Closed

Check the validity of hash algo #3416

wants to merge 1 commit into from

Conversation

JetXujing
Copy link
Contributor

If an RPM package has been signed and the hash algorithm is not supported by the current version, no error is reported during the verification of the RPM package, and "$?" return 0. Fix this problem.

@JetXujing JetXujing requested a review from a team as a code owner October 30, 2024 10:10
@JetXujing JetXujing requested review from pmatilai and removed request for a team October 30, 2024 10:10
@JetXujing
Check the validity of hash algo
8a22a51 
If an RPM package has been signed and the hash algorithm is not
supported by the current version, no error is reported during the
verification of the RPM package, and "$?" return 0. Fix this problem.
@pmatilai
Copy link
Member

NAK, this is stuff we do NOT want to know about (but historically, know too much).

An unsupported signature algorithm will cause signature checking to fail, and that's all we care about.

@pmatilai
Copy link
Member

What verification are you talking about, specifically? The term is overloaded in multiple places around rpm...

If an unknown algorithm causes us to give an OK to an unverifiable signature then we obviously do have a rather bug someplace.

@JetXujing
Copy link
Contributor Author

What verification are you talking about, specifically? The term is overloaded in multiple places around rpm...

If an unknown algorithm causes us to give an OK to an unverifiable signature then we obviously do have a rather bug someplace.

If xxx.rpm has been signed (Assume that the hash algorithm is hash_algo1 and the encryption and decryption algorithm is ecdsa.) , and the current RPM does not support hash_algo1. Run the rpm -Kv xxx.rpm command, no error message is displayed and the value of $? is 0.

@pmatilai
Copy link
Member

pmatilai commented Oct 30, 2024
edited
Loading

Oh, right: an unsupported algorithm will be treated equally to non-existent ones, and if it's a signature the package will simply be considered unsigned. And, in the traditional configuration a signature is not required, only digest verification is required by default.

Add this to the verify command and it will fail because there's no positive verification of the signature:
--define "_pkgverify_level signature"

The unsupported digest behavior is to permit the package to be verified by some other means, and that's even more important going forward as we add support for multiple signatures per package. It's is a dark corner for sure and non-obvious behavior when you first encounter it, but it's something we can't change without breaking other things.

It'll be fixed by #1573.

@pmatilai pmatilai closed this Oct 30, 2024
@pmatilai
Copy link
Member

pmatilai commented Oct 30, 2024
edited
Loading

In the meanwhile: if you can do so in your environment, turning on enforcing signature checking (that _pkgverify_level thing) is very much recommended, that's supported since 4.14.2. It's just that so many workflows are based around the traditional no-signature behavior that changing the upstream default is damn hard.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@pmatilai pmatilai Awaiting requested review from pmatilai pmatilai is a code owner automatically assigned from rpm-software-management/rpm-team

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@JetXujing @pmatilai