|
Bugzilla – Full Text Bug Listing |
| Summary: | VUL-1: kiwi: --no-gpg-checks set by default | ||
|---|---|---|---|
| Product: | [Novell Products] SUSE Security Incidents | Reporter: | Johannes Segitz <jsegitz> |
| Component: | Incidents | Assignee: | Marcus Schaefer <ms> |
| Status: | RESOLVED FIXED | QA Contact: | Security Team bot <security-team> |
| Severity: | Normal | ||
| Priority: | P4 - Low | CC: | doerges, duge, meissner, thomas |
| Version: | unspecified | ||
| Target Milestone: | --- | ||
| Hardware: | Other | ||
| OS: | Other | ||
| See Also: |
http://bugzilla.suse.com/show_bug.cgi?id=1045735 http://bugzilla.suse.com/show_bug.cgi?id=1053253 |
||
| Whiteboard: | maint:planned:update | ||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
| Bug Depends on: | |||
| Bug Blocks: | 1048525 | ||
This has been addressed in the next generation kiwi space, see here:
https://github.com/SUSE/kiwi/pull/369
The individual repo setup allows for an explicit setup or uses the zypper
default. The option --no-gpg-checks is no longer used
We are not fixing this for the legacy kiwi version
|
Reported by Moritz Duge and Till Doerges from PRESENSE ============== Sadly Kiwi doesn't warn be about unsigned repos or packages, even after installing the Zypper update. ============== I had a short look at Kiwi. In modules/KIWIManagerZypper.pm we have this snippet: #========================================== # Get signature information #------------------------------------------ my $imgCheckSig = $xml -> getPreferences() -> getRPMCheckSig(); if (! $imgCheckSig) { $imgCheckSig = 'false'; } So unless it's explicitly requested by the user signature checks are disabled. It should be the other way around.