Thursday, October 23, 2025

F44 Change Proposal: Enforcing_signature_checking_by_default [SystemWide]

Wiki: https://fedoraproject.org/wiki/Changes/Enforcing_signature_checking_by_default

Discussion Thread: https://discussion.fedoraproject.org/t/169774

**This is a proposed Change for Fedora Linux.**
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.

== Summary ==
Change the default RPM package verification mode to enforce signature checking, following the upstream RPM 6.0 default:
only packages with a verified signature can be installed, unless explicitly overridden with `--nosignature` or the corresponding API.

== Owner ==
* Name: [[User:pmatilai| Panu Matilainen]]
* Email: pmatilai@redhat.com


== Detailed Description ==
At the RPM level, this is a one-line configuration change: the `%_pkgverify_level` default is changed from `digest` to `all`, which
requires packages to have both verified signature(s) and digest(s) to be installable. This means `rpmkeys -K/--checksig` will fail on unsigned packages, and `rpm` will refuse to install such packages, unless explicitly overridden with `--nosignature` (or the corresponding API).

This change was originally intended to happen as a side-effect of https://fedoraproject.org/wiki/Changes/RPM-6.0
but was postponed to Fedora 44 due to time and resource reasons.

DNF5 >= 5.2.14.0 (in Fedora >= 42) has the necessary integration to allow disabling the verification on a per-package
basis to support repositories with disabled signature checking. This is used by mock to handle newly
built, unsigned packages, and continues to work without further changes.

Mock has a plugin for signing locally built packages, and COPR has its own automatic signing.

For packages locally built with rpmbuild, RPM >= 6.0 supports automatic signing by a passwordless key to make local `rpmbuild`
use almost as seamless as before, and comes with an easy one-time setup script: `/usr/lib/rpm/rpm-setup-autosign`.

== Feedback ==

== Benefit to Fedora ==
The traditional RPM <= 4.x behavior was to verify signatures if they are present and verifiable, but never require them. That behavior may have
been somewhat acceptable in the nineties, but does not meet the security expectations of modern times. Besides being insecure, the semantics
cause quirky and non-obvious behavior in various situations.

Higher-level package managers like yum and dnf/dnf5 have implemented their own enforcing signature modes, enabled by default
since the beginning of Fedora. This change brings the RPM-side default behavior into this millennium.

== Scope ==
* Proposal owners:
** Change the RPM configuration.
** Assist with adoption as necessary, and address possible unforeseen / newly found issues in rpm/dnf/mock

* Other developers:
** Adjust their local package building workflows to either use signed packages or explicitly disable the signature checking where necessary (see compatibility impact).

* Release engineering: [https://pagure.io/releng/issues/13027 #13027]
* Policies and guidelines: N/A (not needed for this Change)
* Trademark approval: N/A (not needed for this Change)

* Alignment with the Fedora Strategy: Improved security should align with Fedora strategy, whether written down or not.

== Upgrade/compatibility impact ==
There's no impact on the average system only utilizing packages from official or third-party repositories.
Dnf, mock, the official Fedora buildsystem and COPR should be fully compatible with this change as-is.
However, this change will almost certainly require some changes to rpm/rpmbuild-related workflows that the RPM team hasn't even heard of.

In some cases it might be sufficient to import relevant keys before operating on packages. Ideally, workflows involving unsigned packages are
updated to use signed packages. Where that is not immediately or easily feasible, explicit `--nosignature` (or corresponding API)
switches or local configuration change to a more permissive policy may need to be added to scripts / system configuration.
Changes might be needed if there are local rpmbuild-related workflows, see Scope.

== How To Test ==
This will receive thorough testing in everyday system use through system updates and on the buildsystem side, building packages. Specific items to test locally include:
* Try to install or verify an unsigned package (must fail)
* Try to install or verify a signed package whose key is not imported (must fail)
* Try to install or verify both of the above with `--nosignature` (should succeed if legit package)
* Test automatic signing in rpmbuild:
** Run `/usr/lib/rpm/rpm-setup-autosign`
** Import the key as indicated by rpm-setup-autosign output
** Build some package(s)
** Try to install those packages (must not fail due to signature)
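An added example, not part of the proposal or of rpm's own tooling, tying the `%_pkgverify_level` setting from the Detailed Description to the local test items above: a POSIX shell harness that reads the effective level from a macros file, classifies it as enforcing or permissive, and, on a real host with `rpmkeys` on PATH, checks that an unsigned package is rejected unless `--nosignature` is given. The sample macros file is constructed here, and `check_unsigned_rejected`, `effective_level` and the package path are this example's own names.

```shell
#!/bin/sh
# Added example (not from the proposal): harness for the local "How To Test" items.
# Macro names and values are those documented in rpm-config(5); the sample
# macros file written below is constructed for this demo.

# Map a %_pkgverify_level value to whether a verified signature is required.
# Documented values: all, signature, digest, none.
pkgverify_policy() {
    case "$1" in
        all|signature) echo enforcing ;;
        digest|none)   echo permissive ;;
        *) echo unknown; return 1 ;;
    esac
}

# Effective level from a macros file ($1): the last definition wins, and a
# file that never sets the macro falls back to the default passed as $2.
effective_level() {
    awk -v def="$2" '$1 == "%_pkgverify_level" { lvl = $2 }
                     END { print (lvl == "" ? def : lvl) }' "$1"
}

# Live check for an unsigned package at $1 (needs rpmkeys). Under
# %_pkgverify_level all, plain -K must fail and --nosignature must pass.
check_unsigned_rejected() {
    if rpmkeys -K "$1" >/dev/null 2>&1; then
        echo "FAIL: unsigned $1 accepted by rpmkeys -K"; return 1
    fi
    if ! rpmkeys --nosignature -K "$1" >/dev/null 2>&1; then
        echo "FAIL: $1 rejected even with --nosignature (digest problem?)"; return 1
    fi
    echo "OK: $1 rejected under enforcing policy, accepted with --nosignature"
}

# Demo on a constructed local override: a site that relaxed the F44 default.
SAMPLE=$(mktemp)
cat >"$SAMPLE" <<'EOF'
# constructed /etc/rpm/macros-style override (sample only)
%_pkgverify_level all
%_pkgverify_level digest
EOF
lvl=$(effective_level "$SAMPLE" all)
echo "effective level: $lvl ($(pkgverify_policy "$lvl"))"   # digest (permissive)
rm -f "$SAMPLE"

# On a real host: rpm -E '%_pkgverify_level' shows the live value, and
# check_unsigned_rejected ./some-unsigned.rpm exercises the first test item.
```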

== User Experience ==
* Packages without verifiable signature(s) cannot be installed without an explicit override.

== Dependencies ==
* dnf, mock, koji, copr are related but the buildsystem(s) are expected to work with no further changes
* there may be unforeseen / unknown dependencies in the infrastructure
* `dnf --no-gpgchecks` needs [https://github.com/rpm-software-management/dnf5/issues/2479 integration]

== Contingency Plan ==
* Contingency mechanism: Revert back to digest verification by default for F44 and try again in F45.
* Contingency deadline: beta freeze
* Blocks release? Yes

== Documentation ==
The package verification policy configurables (`%_pkgverify_*`) are documented in the
[https://rpm.org/docs/6.0.x/man/rpm-config.5 rpm-config(5)] manual.

== Release Notes ==
