[Yum] Signed repository?

Kimmo Koivisto kimmo.koivisto at surfeu.fi
Wed Oct 27 18:23:36 UTC 2004


Hi

Is it possible to create a digitally signed repository with yum-arch or 
createrepo? I know that most of the RPMS are signed, so forged RPMS are not a 
problem. 

What I am concerned about is RPM dependencies. If rpm headers and dependency 
lists are not signed and attacker could gain access to the repodata, would it 
be possible to fake dependencies? Or does yum check dependencies based on the 
real RPMS?

Is the following scenario possible with yum-arch or createrepo and yum:
- User updates his/her system automatically from cron (yum -y update)
- Yum does gpgcheck
- System does not have openssh-server installed
- Attacker gains access to the yum repository or hijacks the connection to the 
yum repository
- New official update is released, let's say kde-3.4
- Attacker forges the kde-3.4 header to have a dependency on openssh-server
- Yum installs openssh-server when kde-3.4 is updated


Regards
Kimmo Koivisto
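One way to make the metadata-integrity check in that scenario concrete, as an added example that is not from the original mail or from yum's own code: a small Python script (constructed XML, assumed file names, and assuming repomd.xml itself has already been signature-checked) that verifies primary.xml against the checksum pinned in repomd.xml, so a primary.xml with an injected dependency is rejected even though no RPM was touched.

```python
"""Verify yum repodata files against the checksums pinned in repomd.xml.

repomd.xml names every metadata file (primary.xml, filelists.xml, ...) with
a checksum.  If repomd.xml itself is signature-checked (gpg step assumed
done before this, not shown), a primary.xml with a forged dependency fails
the checksum even though no RPM was modified.
"""
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"
# Checksum type spellings seen in repomd.xml -> hashlib names
# ("sha" is how older createrepo wrote sha1).
HASH_NAMES = {"sha": "sha1", "sha1": "sha1", "sha256": "sha256", "sha512": "sha512"}


def pinned_checksums(repomd_xml: bytes) -> dict:
    """Return {data type: (hashlib name, hex digest, href)} from repomd.xml."""
    pinned = {}
    for data in ET.fromstring(repomd_xml).findall(REPO_NS + "data"):
        cksum = data.find(REPO_NS + "checksum")
        href = data.find(REPO_NS + "location").get("href")
        pinned[data.get("type")] = (HASH_NAMES[cksum.get("type")], cksum.text.strip(), href)
    return pinned


def verify_metadata(repomd_xml: bytes, files: dict) -> dict:
    """Check each listed file ({href: bytes}) against repomd.xml; missing = fail."""
    results = {}
    for dtype, (algo, expected, href) in pinned_checksums(repomd_xml).items():
        blob = files.get(href)
        results[dtype] = blob is not None and hashlib.new(algo, blob).hexdigest() == expected
    return results


# Constructed sample data (not taken from any real repository).
PRIMARY_OK = (b'<metadata packages="1"><package type="rpm"><name>kde</name>'
              b'<version ver="3.4"/><format><rpm:requires '
              b'xmlns:rpm="http://linux.duke.edu/metadata/rpm">'
              b'<rpm:entry name="qt"/></rpm:requires></format></package></metadata>')
# The same file with a dependency injected, as in the scenario in the mail.
PRIMARY_FORGED = PRIMARY_OK.replace(
    b'<rpm:entry name="qt"/>',
    b'<rpm:entry name="qt"/><rpm:entry name="openssh-server"/>')
REPOMD = (b'<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
          b'<location href="repodata/primary.xml"/><checksum type="sha256">'
          + hashlib.sha256(PRIMARY_OK).hexdigest().encode() + b'</checksum></data></repomd>')

if __name__ == "__main__":
    print(verify_metadata(REPOMD, {"repodata/primary.xml": PRIMARY_OK}))      # {'primary': True}
    print(verify_metadata(REPOMD, {"repodata/primary.xml": PRIMARY_FORGED}))  # {'primary': False}
```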