Bugzilla – Bug 1053253
rpm should warn about unsigned package files
Last modified: 2019-07-11 11:16:45 UTC
rpm warns on package files with unknown signatures, but it doesn't warn if there isn't any signature at all.
--
That's not just a dangerous behavior. It's also inconsistent, and a user might get the impression that rpm will warn if he installs a package file without a valid signature, because he sees those warnings on unknown-signed package files. But in fact there will just be no warning if there isn't any signature at all.

And this really isn't a rare scenario. A lot of software which isn't available through the openSUSE official or unofficial repos is being provided without instructions for configuring the vendor's Zypper repo (if one exists). Mostly there are just instructions for installing an rpm package file. (In case of Google the package configures a Zypper repo at installation time - but then it's already too late.) E.g.:
- Google Chrome and Earth
- Skype
- Atom (GitHub's editor - btw. why is it not available via the OSS repo!? It's FOSS!)
- Microsoft Visual Studio Code
- ...
--
rpm on package file with unknown signature:
| $ rpm -i vim-7.4.326-8.3.x86_64_unknown-sig.rpm
| warning: vim-7.4.326-8.3.x86_64_unknown-sig.rpm: Header V3 DSA/SHA1
| Signature, key ID 6aef2783: NOKEY
| $ rpm -K vim-7.4.326-8.3.x86_64_unknown-sig.rpm
| vim-7.4.326-8.3.x86_64_unknown-sig.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#6aef2783)

rpm on package file without signature:
| $ rpm -i vim-7.4.326-8.2.x86_64_unsigned.rpm
| $ rpm -K vim-7.4.326-8.2.x86_64_unsigned.rpm
| vim-7.4.326-8.2.x86_64_unsigned.rpm: sha1 md5 OK
--
Zypper and YaST just received an update for 42.2 to solve an equivalent problem for unsigned repos and package files (bug boo#1045735). And for 42.3 an equivalent update should be in the pipeline. But as described, in some scenarios package files will be installed without a repo, directly from the local filesystem after download via web browser. A workaround to get a warning is using Zypper or YaST to install rpm files.
Since that recent update they also warn about unsigned rpm files. But this shouldn't be a "nofix" reason for this bug, because rpm is clearly there for installing rpm package files and its behavior is inconsistent with unknown-signed package files.

Zypper on rpm without signature (YaST gives an equivalent warning and also asks before continuing):
| $ zypper in vim-7.4.326-8.2.x86_64_unsigned.rpm
| [...]
| vim-7.4.326-8.2.x86_64 (Plain RPM files cache): Signature verification failed [6-File is unsigned]
| Abort, retry, ignore? [a/r/i] (a):
--
Nice to have: Asking before continuing, like Zypper and YaST do, would be even better. The Zypper behavior probably can't be used for rpm because it might break existing stuff like scripts. But at least consider introducing an option -s, --strictsig which aborts installation (or asks for continuation) before installing an unsigned package. So the user can use this option for safe package installation via rpm.

Related:
- bug boo#1052100
Assign to zypper maintainer team
This is about (upstream) 'rpm' -> mls
This is automated batch bugzilla cleanup. The openSUSE 42.3 changed to end-of-life (EOL [1]) status. As such it is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of openSUSE (At this moment openSUSE Leap 15.1, 15.0 and Tumbleweed) please feel free to reopen this bug against that version (!you must update the "Version" component in the bug fields, do not just reopen please), or alternatively create a new ticket. Thank you for reporting this bug and we are sorry it could not be fixed during the lifetime of the release. [1] https://en.opensuse.org/Lifetime