Bug 1052100 - VUL-1: kiwi: --no-gpg-checks set by default
Summary: VUL-1: kiwi: --no-gpg-checks set by default
Status: RESOLVED FIXED
Alias: None
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
Version: unspecified
Hardware: Other Other
Priority: P4 - Low    Severity: Normal
Target Milestone: ---
Assignee: Marcus Schaefer
QA Contact: Security Team bot
URL:
Whiteboard: maint:planned:update
Keywords:
Depends on:
Blocks: 1048525
Reported: 2017-08-03 14:39 UTC by Johannes Segitz
Modified: 2019-12-10 10:30 UTC
CC List: 4 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Description Johannes Segitz 2017-08-03 14:39:36 UTC
Reported by Moritz Duge and Till Doerges from PRESENSE
==============
Sadly Kiwi doesn't warn me about unsigned repos or packages, even after
installing the Zypper update.
==============

I had a short look at Kiwi. In modules/KIWIManagerZypper.pm we have this snippet:

    #==========================================
    # Get signature information
    #------------------------------------------
    my $imgCheckSig = $xml -> getPreferences() -> getRPMCheckSig();
    if (! $imgCheckSig) {
        $imgCheckSig = 'false';
    }

So unless it's explicitly requested by the user, signature checks are disabled. It should be the other way around.
Comment 2 Marcus Schaefer 2017-09-06 10:52:53 UTC
This has been addressed in the next generation kiwi space, see here:

    https://github.com/SUSE/kiwi/pull/369

The individual repo setup allows for an explicit setup or uses the zypper
default. The option --no-gpg-checks is no longer used.

We are not fixing this for the legacy kiwi version.
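The two defaults discussed in this bug, the legacy "unset means disabled" logic from the description and the "explicit setting or zypper default" approach from comment 2, side by side as an added Python example. This is not code from either kiwi generation: the legacy module is Perl, and the XML element name `rpm-check-signatures`, the sample image descriptions and the helper names (`read_check_sig`, `legacy_policy`, `hardened_policy`, `zypper_global_opts`, `opts_for`) are assumptions made for the illustration. The only thing taken from the page is the zypper option `--no-gpg-checks` and the fact that an absent preference was coerced to `'false'`.

```python
# Added example (not kiwi's code): the fail-open default from the bug beside a
# fail-closed replacement. The XML layout <preferences><rpm-check-signatures>
# and the way the resolved value is turned into zypper options are assumptions
# made for this illustration; --no-gpg-checks is the zypper option named in the bug.
import xml.etree.ElementTree as ET
from typing import Callable, List, Optional

# Constructed sample image descriptions, not taken from any real kiwi config.
XML_NO_PREF = "<image><preferences><type>iso</type></preferences></image>"
XML_OFF = ("<image><preferences>"
           "<rpm-check-signatures>false</rpm-check-signatures>"
           "</preferences></image>")
XML_ON = ("<image><preferences>"
          "<rpm-check-signatures>true</rpm-check-signatures>"
          "</preferences></image>")
XML_JUNK = ("<image><preferences>"
            "<rpm-check-signatures>yes</rpm-check-signatures>"
            "</preferences></image>")


def read_check_sig(xml_text: str) -> Optional[str]:
    """Return the rpm-check-signatures value, or None when the element is absent or empty."""
    root = ET.fromstring(xml_text)
    node = root.find("./preferences/rpm-check-signatures")
    if node is None or node.text is None or not node.text.strip():
        return None
    return node.text.strip().lower()


def legacy_policy(pref: Optional[str]) -> str:
    """Mirror of the Perl snippet in the bug: an unset preference becomes 'false'
    (signature checks off). Any other string is passed through untouched."""
    return pref if pref else "false"


def hardened_policy(pref: Optional[str]) -> str:
    """Fail closed: an unset preference means 'true', and anything other than
    true/false is rejected instead of being silently coerced."""
    if pref is None:
        return "true"
    if pref not in ("true", "false"):
        raise ValueError(f"rpm-check-signatures must be true or false, got {pref!r}")
    return pref


def zypper_global_opts(check_sig: str) -> List[str]:
    """Only an explicit 'false' adds --no-gpg-checks; in every other case zypper
    keeps its own default of verifying repository metadata and package signatures."""
    return ["--no-gpg-checks"] if check_sig == "false" else []


def opts_for(xml_text: str, policy: Callable[[Optional[str]], str]) -> List[str]:
    """Resolve the preference with the given policy and build the zypper options."""
    return zypper_global_opts(policy(read_check_sig(xml_text)))


if __name__ == "__main__":
    for name, doc in [("unset", XML_NO_PREF), ("false", XML_OFF), ("true", XML_ON)]:
        print(f"{name:5} legacy={opts_for(doc, legacy_policy)} "
              f"hardened={opts_for(doc, hardened_policy)}")
```

The interesting row is the unset one: with the legacy policy an image description that never mentions signature checking is built with `--no-gpg-checks`, while the hardened policy passes no option at all and lets zypper's own default apply, which is the behaviour comment 2 describes for the next-generation kiwi.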