[Yum] Signed repository?
Kimmo Koivisto
kimmo.koivisto at surfeu.fi
Wed Oct 27 18:23:36 UTC 2004
Hi
Is it possible to create a digitally signed repository with yum-arch or
createrepo? I know that most of the RPMs are signed, so forged RPMs are not a
problem.
What I am concerned about is RPM dependencies. If RPM headers and dependency
lists are not signed and an attacker could gain access to the repodata, would it
be possible to fake dependencies? Or does yum check dependencies based on the
real RPMs?
Is the following scenario possible with yum-arch or createrepo and yum:
- User updates his/her system automatically from cron (yum -y update)
- Yum does gpgcheck
- System does not have openssh-server installed
- Attacker gains access to the yum repository or hijacks the connection to the
yum repository
- New official update is released, let's say kde-3.4
- Attacker forges the kde-3.4 header to have a dependency on openssh-server
- Yum installs openssh-server when kde-3.4 is updated
Regards
Kimmo Koivisto
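An added illustration of the scenario above (not code from the post or from the yum project): repomd.xml pins primary.xml by checksum, so a signature over repomd.xml covers the dependency lists it references, whereas a client that only signature-checks the RPMs accepts a dependency injected into the metadata. The XML fragments and key are constructed, and the HMAC stands in for a detached GPG signature; the function names are my own.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

NS = {"repo": "http://linux.duke.edu/metadata/repo",
      "rpm": "http://linux.duke.edu/metadata/rpm"}
REPO_KEY = b"constructed-repo-signing-key"  # stand-in for the repo's GPG signing key
# Constructed primary.xml fragment: the genuine kde-3.4 entry requires only kdelibs.
PRIMARY = b"""<metadata xmlns="http://linux.duke.edu/metadata/common"
          xmlns:rpm="http://linux.duke.edu/metadata/rpm">
  <package type="rpm"><name>kde</name><version ver="3.4"/>
    <format><rpm:requires><rpm:entry name="kdelibs"/></rpm:requires></format>
  </package>
</metadata>"""
# The scenario from the post: identical metadata with one injected dependency.
FORGED_PRIMARY = PRIMARY.replace(
    b'<rpm:entry name="kdelibs"/>',
    b'<rpm:entry name="kdelibs"/><rpm:entry name="openssh-server"/>')

def build_repomd(primary: bytes) -> bytes:
    """repomd.xml pins primary.xml by checksum, so a signature over repomd.xml
    covers every dependency list it references."""
    digest = hashlib.sha256(primary).hexdigest()
    return (f'<repomd xmlns="{NS["repo"]}"><data type="primary">'
            f'<checksum type="sha256">{digest}</checksum>'
            f'<location href="repodata/primary.xml.gz"/></data></repomd>').encode()

def sign(data: bytes, key: bytes) -> str:
    """HMAC used here as a stand-in for a detached GPG signature on repomd.xml."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()

def verify_repo(repomd: bytes, sig: str, primary: bytes, key: bytes) -> bool:
    """Check the signature on repomd.xml, then the checksum chain to primary.xml."""
    if not hmac.compare_digest(sign(repomd, key), sig):
        return False
    pinned = ET.fromstring(repomd).find(
        "repo:data[@type='primary']/repo:checksum", NS).text
    return hmac.compare_digest(hashlib.sha256(primary).hexdigest(), pinned)

def requires(primary: bytes) -> list:
    return [e.get("name") for e in ET.fromstring(primary).iterfind(".//rpm:entry", NS)]

def update_plan(repomd, sig, primary, key, check_metadata):
    """What a cron 'yum -y update' pulls in for kde-3.4; None means refused.
    With check_metadata=False only the RPM signatures are trusted, which is
    exactly the gap the post describes: the forged dependency goes through."""
    if check_metadata and not verify_repo(repomd, sig, primary, key):
        return None
    return requires(primary)
```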