Why does rpmfusion recommend the nogpgcheck switch?

The name of the pictureThe name of the pictureThe name of the pictureClash Royale CLAN TAG#URR8PPP











up vote
0
down vote

favorite












See the commandline RHEL/CentOS section at https://rpmfusion.org/Configuration/



Doesn't this --nogpgcheck switch allow for tampering to happen unnoticed?










share|improve this question

























    up vote
    0
    down vote

    favorite












    See the commandline RHEL/CentOS section at https://rpmfusion.org/Configuration/



    Doesn't this --nogpgcheck switch allow for tampering to happen unnoticed?










    share|improve this question























      up vote
      0
      down vote

      favorite









      up vote
      0
      down vote

      favorite











      See the commandline RHEL/CentOS section at https://rpmfusion.org/Configuration/



      Doesn't this --nogpgcheck switch allow for tampering to happen unnoticed?










      share|improve this question













      See the commandline RHEL/CentOS section at https://rpmfusion.org/Configuration/



      Doesn't this --nogpgcheck switch allow for tampering to happen unnoticed?







      centos rhel security rpm gpg






      share|improve this question













      share|improve this question











      share|improve this question




      share|improve this question










      asked Aug 7 at 8:11









      asd

      1




      1




















          1 Answer
          1






          active

          oldest

          votes

















          up vote
          0
          down vote













          That's a a step to break the initial chicken and egg trust problem by the packaging system.



          There is no trust by the packaging system (yum/rpm) in the new repository since, being new, it's not initially known. So the first step would be to tell the system to (cryptographically) trust this new repository. That's done by signing packages (or on different systems, package releases).



          Some methods give a gpg key in a separate web page or keyserver to add to the system's trust (eg: rpm --import (really rpmkeys --import), or an equivalent for apt/dpkg: apt-key add) and then configure the repository with the correct file that includes mostly the URL to download and some settings (like the... gpgcheck=1 parameter).



          An other method is to put this key directly in a package and let the package add the key and repository settings: that's what's done here, the package rpmfusion-free-release-7.noarch.rpm has inside only a few files:



          # rpm -qlp rpmfusion-free-release-7.noarch.rpm 
          warning: rpmfusion-free-release-7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID f5cf6c1e: NOKEY
          /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-el-7
          /etc/yum.repos.d/rpmfusion-free-updates-testing.repo
          /etc/yum.repos.d/rpmfusion-free-updates.repo


          Those files are the key and the new repositories configurations, and they do include gpgcheck=1. Note that until installed, the system doesn't trust the package (hence the warning above with NOKEY). Once installed, the key is now trusted, and every further action will check package signatures with this added key.



          So how can it be trusted? There's still the trust provided by the use of https:// in https://download1.rpmfusion.org/ when it was downloaded: it should guarantee that the download site owned by rpmfusion is in control of this package and it can be downloaded securely without being tampered with.



          It's not the exactly the same kind of trust, because only the site is trusted to be what it claims, not the package. Since you're downloading software from rpmfusion anyway, this implies you're trusting them enough to download and install packages from them. This package should never be downloaded the first time outside of *.rpmfusion.org to initially add the repository (ie when installing with --nogpgcheck), or you'd now have to trust the mirror to actually provide the same package and not an other with the same name with for example additional keys or worse.



          Anyway, with the former method, you still had to read instructions on how to add a key and download a package anyway, so you still had to initially trust those instructions. That's what I call chicken and egg: you have to start trusting somewhere.



          Once this initial trust happened, everything else is "taken care of" securely. Even if a new key has to be provided, this will be done with an update of rpmfusion-free-release with (a) replacement key(s) inside, and it would stay secure even if downloaded from a mirror and/or without https://. That's actually the case for this repository: it's using mirrors and probably plain http. You shouldn't ever need again the --nogpgcheck.






          share|improve this answer




















          • Note that you can import the gpg keys trusted way: dnf install distribution-gpg-keys && rpm --import /usr/share/distribution-gpg-keys/rpmfusion/* But I agree that rpmfusion guys do not know about this, so they recommend this way.
            – msuchy
            Aug 8 at 15:25










          Your Answer







          StackExchange.ready(function()
          var channelOptions =
          tags: "".split(" "),
          id: "106"
          ;
          initTagRenderer("".split(" "), "".split(" "), channelOptions);

          StackExchange.using("externalEditor", function()
          // Have to fire editor after snippets, if snippets enabled
          if (StackExchange.settings.snippets.snippetsEnabled)
          StackExchange.using("snippets", function()
          createEditor();
          );

          else
          createEditor();

          );

          function createEditor()
          StackExchange.prepareEditor(
          heartbeatType: 'answer',
          convertImagesToLinks: false,
          noModals: false,
          showLowRepImageUploadWarning: true,
          reputationToPostImages: null,
          bindNavPrevention: true,
          postfix: "",
          onDemand: true,
          discardSelector: ".discard-answer"
          ,immediatelyShowMarkdownHelp:true
          );



          );













           

          draft saved


          draft discarded


















          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f460995%2fwhy-does-rpmfusion-recommend-the-nogpgcheck-switch%23new-answer', 'question_page');

          );

          Post as a guest






























          1 Answer
          1






          active

          oldest

          votes








          1 Answer
          1






          active

          oldest

          votes









          active

          oldest

          votes






          active

          oldest

          votes








          up vote
          0
          down vote













          That's a a step to break the initial chicken and egg trust problem by the packaging system.



          There is no trust by the packaging system (yum/rpm) in the new repository since, being new, it's not initially known. So the first step would be to tell the system to (cryptographically) trust this new repository. That's done by signing packages (or on different systems, package releases).



          Some methods give a gpg key in a separate web page or keyserver to add to the system's trust (eg: rpm --import (really rpmkeys --import), or an equivalent for apt/dpkg: apt-key add) and then configure the repository with the correct file that includes mostly the URL to download and some settings (like the... gpgcheck=1 parameter).



          An other method is to put this key directly in a package and let the package add the key and repository settings: that's what's done here, the package rpmfusion-free-release-7.noarch.rpm has inside only a few files:



          # rpm -qlp rpmfusion-free-release-7.noarch.rpm 
          warning: rpmfusion-free-release-7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID f5cf6c1e: NOKEY
          /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-el-7
          /etc/yum.repos.d/rpmfusion-free-updates-testing.repo
          /etc/yum.repos.d/rpmfusion-free-updates.repo


          Those files are the key and the new repositories configurations, and they do include gpgcheck=1. Note that until installed, the system doesn't trust the package (hence the warning above with NOKEY). Once installed, the key is now trusted, and every further action will check package signatures with this added key.



          So how can it be trusted? There's still the trust provided by the use of https:// in https://download1.rpmfusion.org/ when it was downloaded: it should guarantee that the download site owned by rpmfusion is in control of this package and it can be downloaded securely without being tampered with.



          It's not the exactly the same kind of trust, because only the site is trusted to be what it claims, not the package. Since you're downloading software from rpmfusion anyway, this implies you're trusting them enough to download and install packages from them. This package should never be downloaded the first time outside of *.rpmfusion.org to initially add the repository (ie when installing with --nogpgcheck), or you'd now have to trust the mirror to actually provide the same package and not an other with the same name with for example additional keys or worse.



          Anyway, with the former method, you still had to read instructions on how to add a key and download a package anyway, so you still had to initially trust those instructions. That's what I call chicken and egg: you have to start trusting somewhere.



          Once this initial trust happened, everything else is "taken care of" securely. Even if a new key has to be provided, this will be done with an update of rpmfusion-free-release with (a) replacement key(s) inside, and it would stay secure even if downloaded from a mirror and/or without https://. That's actually the case for this repository: it's using mirrors and probably plain http. You shouldn't ever need again the --nogpgcheck.






          share|improve this answer




















          • Note that you can import the gpg keys trusted way: dnf install distribution-gpg-keys && rpm --import /usr/share/distribution-gpg-keys/rpmfusion/* But I agree that rpmfusion guys do not know about this, so they recommend this way.
            – msuchy
            Aug 8 at 15:25














          up vote
          0
          down vote













          That's a a step to break the initial chicken and egg trust problem by the packaging system.



          There is no trust by the packaging system (yum/rpm) in the new repository since, being new, it's not initially known. So the first step would be to tell the system to (cryptographically) trust this new repository. That's done by signing packages (or on different systems, package releases).



          Some methods give a gpg key in a separate web page or keyserver to add to the system's trust (eg: rpm --import (really rpmkeys --import), or an equivalent for apt/dpkg: apt-key add) and then configure the repository with the correct file that includes mostly the URL to download and some settings (like the... gpgcheck=1 parameter).



          An other method is to put this key directly in a package and let the package add the key and repository settings: that's what's done here, the package rpmfusion-free-release-7.noarch.rpm has inside only a few files:



          # rpm -qlp rpmfusion-free-release-7.noarch.rpm 
          warning: rpmfusion-free-release-7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID f5cf6c1e: NOKEY
          /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-el-7
          /etc/yum.repos.d/rpmfusion-free-updates-testing.repo
          /etc/yum.repos.d/rpmfusion-free-updates.repo


          Those files are the key and the new repositories configurations, and they do include gpgcheck=1. Note that until installed, the system doesn't trust the package (hence the warning above with NOKEY). Once installed, the key is now trusted, and every further action will check package signatures with this added key.



          So how can it be trusted? There's still the trust provided by the use of https:// in https://download1.rpmfusion.org/ when it was downloaded: it should guarantee that the download site owned by rpmfusion is in control of this package and it can be downloaded securely without being tampered with.



          It's not the exactly the same kind of trust, because only the site is trusted to be what it claims, not the package. Since you're downloading software from rpmfusion anyway, this implies you're trusting them enough to download and install packages from them. This package should never be downloaded the first time outside of *.rpmfusion.org to initially add the repository (ie when installing with --nogpgcheck), or you'd now have to trust the mirror to actually provide the same package and not an other with the same name with for example additional keys or worse.



          Anyway, with the former method, you still had to read instructions on how to add a key and download a package anyway, so you still had to initially trust those instructions. That's what I call chicken and egg: you have to start trusting somewhere.



          Once this initial trust happened, everything else is "taken care of" securely. Even if a new key has to be provided, this will be done with an update of rpmfusion-free-release with (a) replacement key(s) inside, and it would stay secure even if downloaded from a mirror and/or without https://. That's actually the case for this repository: it's using mirrors and probably plain http. You shouldn't ever need again the --nogpgcheck.






          share|improve this answer




















          • Note that you can import the gpg keys trusted way: dnf install distribution-gpg-keys && rpm --import /usr/share/distribution-gpg-keys/rpmfusion/* But I agree that rpmfusion guys do not know about this, so they recommend this way.
            – msuchy
            Aug 8 at 15:25












          up vote
          0
          down vote










          up vote
          0
          down vote









          That's a a step to break the initial chicken and egg trust problem by the packaging system.



          There is no trust by the packaging system (yum/rpm) in the new repository since, being new, it's not initially known. So the first step would be to tell the system to (cryptographically) trust this new repository. That's done by signing packages (or on different systems, package releases).



          Some methods give a gpg key in a separate web page or keyserver to add to the system's trust (eg: rpm --import (really rpmkeys --import), or an equivalent for apt/dpkg: apt-key add) and then configure the repository with the correct file that includes mostly the URL to download and some settings (like the... gpgcheck=1 parameter).



          An other method is to put this key directly in a package and let the package add the key and repository settings: that's what's done here, the package rpmfusion-free-release-7.noarch.rpm has inside only a few files:



          # rpm -qlp rpmfusion-free-release-7.noarch.rpm 
          warning: rpmfusion-free-release-7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID f5cf6c1e: NOKEY
          /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-el-7
          /etc/yum.repos.d/rpmfusion-free-updates-testing.repo
          /etc/yum.repos.d/rpmfusion-free-updates.repo


          Those files are the key and the new repositories configurations, and they do include gpgcheck=1. Note that until installed, the system doesn't trust the package (hence the warning above with NOKEY). Once installed, the key is now trusted, and every further action will check package signatures with this added key.



          So how can it be trusted? There's still the trust provided by the use of https:// in https://download1.rpmfusion.org/ when it was downloaded: it should guarantee that the download site owned by rpmfusion is in control of this package and it can be downloaded securely without being tampered with.



          It's not the exactly the same kind of trust, because only the site is trusted to be what it claims, not the package. Since you're downloading software from rpmfusion anyway, this implies you're trusting them enough to download and install packages from them. This package should never be downloaded the first time outside of *.rpmfusion.org to initially add the repository (ie when installing with --nogpgcheck), or you'd now have to trust the mirror to actually provide the same package and not an other with the same name with for example additional keys or worse.



          Anyway, with the former method, you still had to read instructions on how to add a key and download a package anyway, so you still had to initially trust those instructions. That's what I call chicken and egg: you have to start trusting somewhere.



          Once this initial trust happened, everything else is "taken care of" securely. Even if a new key has to be provided, this will be done with an update of rpmfusion-free-release with (a) replacement key(s) inside, and it would stay secure even if downloaded from a mirror and/or without https://. That's actually the case for this repository: it's using mirrors and probably plain http. You shouldn't ever need again the --nogpgcheck.






          share|improve this answer












          That's a a step to break the initial chicken and egg trust problem by the packaging system.



          There is no trust by the packaging system (yum/rpm) in the new repository since, being new, it's not initially known. So the first step would be to tell the system to (cryptographically) trust this new repository. That's done by signing packages (or on different systems, package releases).



          Some methods give a gpg key in a separate web page or keyserver to add to the system's trust (eg: rpm --import (really rpmkeys --import), or an equivalent for apt/dpkg: apt-key add) and then configure the repository with the correct file that includes mostly the URL to download and some settings (like the... gpgcheck=1 parameter).



          An other method is to put this key directly in a package and let the package add the key and repository settings: that's what's done here, the package rpmfusion-free-release-7.noarch.rpm has inside only a few files:



          # rpm -qlp rpmfusion-free-release-7.noarch.rpm 
          warning: rpmfusion-free-release-7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID f5cf6c1e: NOKEY
          /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-el-7
          /etc/yum.repos.d/rpmfusion-free-updates-testing.repo
          /etc/yum.repos.d/rpmfusion-free-updates.repo


          Those files are the key and the new repositories configurations, and they do include gpgcheck=1. Note that until installed, the system doesn't trust the package (hence the warning above with NOKEY). Once installed, the key is now trusted, and every further action will check package signatures with this added key.



          So how can it be trusted? There's still the trust provided by the use of https:// in https://download1.rpmfusion.org/ when it was downloaded: it should guarantee that the download site owned by rpmfusion is in control of this package and it can be downloaded securely without being tampered with.



          It's not the exactly the same kind of trust, because only the site is trusted to be what it claims, not the package. Since you're downloading software from rpmfusion anyway, this implies you're trusting them enough to download and install packages from them. This package should never be downloaded the first time outside of *.rpmfusion.org to initially add the repository (ie when installing with --nogpgcheck), or you'd now have to trust the mirror to actually provide the same package and not an other with the same name with for example additional keys or worse.



          Anyway, with the former method, you still had to read instructions on how to add a key and download a package anyway, so you still had to initially trust those instructions. That's what I call chicken and egg: you have to start trusting somewhere.



          Once this initial trust happened, everything else is "taken care of" securely. Even if a new key has to be provided, this will be done with an update of rpmfusion-free-release with (a) replacement key(s) inside, and it would stay secure even if downloaded from a mirror and/or without https://. That's actually the case for this repository: it's using mirrors and probably plain http. You shouldn't ever need again the --nogpgcheck.







          share|improve this answer












          share|improve this answer



          share|improve this answer










          answered Aug 7 at 17:48









          A.B

          3,5001621




          3,5001621











          • Note that you can import the gpg keys trusted way: dnf install distribution-gpg-keys && rpm --import /usr/share/distribution-gpg-keys/rpmfusion/* But I agree that rpmfusion guys do not know about this, so they recommend this way.
            – msuchy
            Aug 8 at 15:25
















          • Note that you can import the gpg keys trusted way: dnf install distribution-gpg-keys && rpm --import /usr/share/distribution-gpg-keys/rpmfusion/* But I agree that rpmfusion guys do not know about this, so they recommend this way.
            – msuchy
            Aug 8 at 15:25















          Note that you can import the gpg keys trusted way: dnf install distribution-gpg-keys && rpm --import /usr/share/distribution-gpg-keys/rpmfusion/* But I agree that rpmfusion guys do not know about this, so they recommend this way.
          – msuchy
          Aug 8 at 15:25




          Note that you can import the gpg keys trusted way: dnf install distribution-gpg-keys && rpm --import /usr/share/distribution-gpg-keys/rpmfusion/* But I agree that rpmfusion guys do not know about this, so they recommend this way.
          – msuchy
          Aug 8 at 15:25

















           

          draft saved


          draft discarded















































           


          draft saved


          draft discarded














          StackExchange.ready(
          function ()
          StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f460995%2fwhy-does-rpmfusion-recommend-the-nogpgcheck-switch%23new-answer', 'question_page');

          );

          Post as a guest













































































          Popular posts from this blog

          How to check contact read email or not when send email to Individual?

          Displaying single band from multi-band raster using QGIS

          How many registers does an x86_64 CPU actually have?