Why does rpmfusion recommend the nogpgcheck switch?

See the commandline RHEL/CentOS section at https://rpmfusion.org/Configuration/



Doesn't this --nogpgcheck switch allow for tampering to happen unnoticed?










centos rhel security rpm gpg

asked Aug 7 at 8:11
asd

1 Answer
That's a step to break the initial chicken and egg trust problem by the packaging system.

There is no trust by the packaging system (yum/rpm) in the new repository since, being new, it's not initially known. So the first step would be to tell the system to (cryptographically) trust this new repository. That's done by signing packages (or on different systems, package releases).

Some methods give a gpg key in a separate web page or keyserver to add to the system's trust (eg: rpm --import (really rpmkeys --import), or an equivalent for apt/dpkg: apt-key add) and then configure the repository with the correct file that includes mostly the URL to download and some settings (like the... gpgcheck=1 parameter).

Another method is to put this key directly in a package and let the package add the key and repository settings: that's what's done here, the package rpmfusion-free-release-7.noarch.rpm has inside only a few files:

    # rpm -qlp rpmfusion-free-release-7.noarch.rpm 
    warning: rpmfusion-free-release-7.noarch.rpm: Header V4 RSA/SHA1 Signature, key ID f5cf6c1e: NOKEY
    /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-el-7
    /etc/yum.repos.d/rpmfusion-free-updates-testing.repo
    /etc/yum.repos.d/rpmfusion-free-updates.repo

Those files are the key and the new repositories' configurations, and they do include gpgcheck=1. Note that until installed, the system doesn't trust the package (hence the warning above with NOKEY). Once installed, the key is now trusted, and every further action will check package signatures with this added key.

So how can it be trusted? There's still the trust provided by the use of https:// in https://download1.rpmfusion.org/ when it was downloaded: it should guarantee that the download site owned by rpmfusion is in control of this package and it can be downloaded securely without being tampered with.

It's not exactly the same kind of trust, because only the site is trusted to be what it claims, not the package. Since you're downloading software from rpmfusion anyway, this implies you're trusting them enough to download and install packages from them. This package should never be downloaded the first time outside of *.rpmfusion.org to initially add the repository (ie when installing with --nogpgcheck), or you'd now have to trust the mirror to actually provide the same package and not another with the same name with for example additional keys or worse.

Anyway, with the former method, you still had to read instructions on how to add a key and download a package, so you still had to initially trust those instructions. That's what I call chicken and egg: you have to start trusting somewhere.

Once this initial trust happened, everything else is "taken care of" securely. Even if a new key has to be provided, this will be done with an update of rpmfusion-free-release with (a) replacement key(s) inside, and it would stay secure even if downloaded from a mirror and/or without https://. That's actually the case for this repository: it's using mirrors and probably plain http. You shouldn't ever need the --nogpgcheck again.






answered Aug 7 at 17:48
A.B

• Note that you can import the gpg keys in a trusted way: dnf install distribution-gpg-keys && rpm --import /usr/share/distribution-gpg-keys/rpmfusion/* But I agree that the rpmfusion guys do not know about this, so they recommend this way.
  – msuchy
  Aug 8 at 15:25
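The bootstrap the answer describes, together with the key-from-a-signed-package route from the comment under it, as an added example script. It is not code from the post, from the commenter or from rpmfusion. It assumes the release package path under download1.rpmfusion.org that rpmfusion's own instructions use, that distribution-gpg-keys can be installed from a repository the host already trusts (EPEL on EL7), and it uses a hypothetical EXPECTED_FPR variable for an operator-supplied key fingerprint. The two helpers at the top work on text alone, so they can be tried without root or network.

```shell
#!/bin/sh
# Added example (not from the unix.stackexchange post or from rpmfusion):
# enable rpmfusion-free on EL7 without ever passing --nogpgcheck.
# Assumptions not stated on the page: the package path below, and that
# distribution-gpg-keys is installable from an already-trusted repo (EPEL).
set -eu

RELEASE_URL="${RELEASE_URL:-https://download1.rpmfusion.org/free/el/rpmfusion-free-release-7.noarch.rpm}"
# Key file inside the package, as listed by `rpm -qlp` in the answer.
KEY_IN_PKG="./etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-free-el-7"

# Pure helper: given the text printed by `rpmkeys --checksig`, succeed only if
# some line ends in "OK" and no line says NOT OK or mentions a missing key.
checksig_clean() {
    printf '%s\n' "$1" | awk '
        /NOT OK|MISSING KEYS|NOKEY/ { bad = 1 }
        / OK$/ && !/NOT OK/         { ok = 1 }
        END { exit !(ok && !bad) }'
}

# Pure helper: audit a yum .repo file; succeed only if every section sets
# gpgcheck=1 and names a gpgkey, printing the sections that do not.
repo_audit() {
    awk '
        function check() {
            if (gpgcheck != "1" || gpgkey == "") {
                printf "%s: gpgcheck=%s gpgkey=%s\n", sec, gpgcheck, gpgkey
                bad = 1
            }
        }
        /^[ \t]*(#|$)/ { next }
        {
            eq = index($0, "=")
            k = eq ? substr($0, 1, eq - 1) : $0
            v = eq ? substr($0, eq + 1) : ""
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
        }
        k ~ /^\[/       { if (sec != "") check(); sec = k; gpgcheck = ""; gpgkey = "" }
        k == "gpgcheck" { gpgcheck = v }
        k == "gpgkey"   { gpgkey = v }
        END { if (sec != "") check(); exit bad }' "$1"
}

# Route A (the comment's suggestion): the key arrives in a package that is
# itself signed by a repository this host already trusts, so no first-use leap.
import_key_from_distribution_gpg_keys() {
    yum install -y distribution-gpg-keys
    rpmkeys --import /usr/share/distribution-gpg-keys/rpmfusion/*
}

# Route B (the answer's situation): nothing is trusted yet, so the TLS session
# to rpmfusion's own host is the only anchor. Take the key out of the package
# without installing it, show its fingerprint, then import it.
import_key_from_release_package() {
    workdir=$(mktemp -d)
    (cd "$workdir" && rpm2cpio "$1" | cpio -id --quiet "$KEY_IN_PKG")
    keyfile="$workdir/$KEY_IN_PKG"
    fpr=$(gpg --with-colons --with-fingerprint "$keyfile" 2>/dev/null |
          awk -F: '$1 == "fpr" { print $10; exit }')
    echo "key fingerprint: $fpr (compare with the one rpmfusion publishes)"
    # EXPECTED_FPR is a hypothetical, operator-supplied value; enforced if set.
    [ -z "${EXPECTED_FPR:-}" ] || [ "$fpr" = "$EXPECTED_FPR" ] ||
        { echo "fingerprint mismatch, aborting" >&2; return 1; }
    rpmkeys --import "$keyfile"
}

bootstrap() {
    pkg=$(mktemp)
    # --proto '=https' refuses any redirect to plain http; never use a mirror here.
    curl --proto '=https' --tlsv1.2 -fsSL -o "$pkg" "$RELEASE_URL"
    if yum -q list available distribution-gpg-keys >/dev/null 2>&1; then
        import_key_from_distribution_gpg_keys
    else
        import_key_from_release_package "$pkg"
    fi
    # Verify explicitly: yum's localpkg_gpgcheck defaults to 0, so the install
    # step alone would not refuse a package it cannot verify.
    out=$(rpmkeys --checksig "$pkg" 2>&1 || true)
    echo "$out"
    checksig_clean "$out" || { echo "refusing to install: signature not verified" >&2; exit 1; }
    yum install -y "$pkg"          # no --nogpgcheck anywhere
    for f in /etc/yum.repos.d/rpmfusion-free*.repo; do repo_audit "$f"; done
}

# The system-changing part only runs when asked; the helpers above are inert.
if [ "${1:-}" = bootstrap ]; then bootstrap; fi
```

Run it as root with `sh bootstrap-rpmfusion.sh bootstrap`. The explicit `rpmkeys --checksig` step matters because yum's `localpkg_gpgcheck` defaults to 0: `yum install ./pkg.rpm` on its own does not reject a local package it cannot verify, which is the gap `--nogpgcheck` papers over rather than closes. Route B still rests on TLS to rpmfusion's own host, exactly as the answer says, so comparing the printed fingerprint with one published out of band is the only thing that turns "the site is what it claims" into "this key is the one rpmfusion signs with". Once the .repo files are in place with gpgcheck=1, mirrors and plain http are fine, and repo_audit is a quick way to confirm nothing has since dropped a gpgcheck=0 into /etc/yum.repos.d.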