How to force rpm and yum to fail if a GPG signature is missing or cannot otherwise be verified?


Solution 1

The main point to understand about GPG checking for packages is that the GPG signature is embedded within the package, and the GPG keys are stored in the rpmdb. There is no secure API to ask "What key is package X signed with"; you can only ask "Is package X signed with a key in the rpmdb" and "Does key Y exist in the rpmdb". Also note that this means that a package can only be signed by one key, and that changing the signature changes the package.

Yum performs a number of steps when it downloads a package from a repository configured with "gpgcheck = 1" (the default).

  1. After the first package from a repository is downloaded, a simple "is this package signed with a known gpgkey" call is done. If it is, nothing is done. If it isn't, a warning is displayed to the user. This is purely informational.

  2. Before the transaction starts, yum checks that the package is signed with a known gpgkey (one already installed in the rpmdb); if it is, the package is valid and no other steps are performed. If not, it continues to #3.

  3. Yum downloads all the files given in the "gpgkey" data for the repository that the package comes from. Yum parses that, ignoring any keys already present in the rpmdb. If there are no new keys, yum will fail.

  4. If there is a "gpgcakey" specified for the repository, then yum will download all the files given in the "gpgcakey" data. Yum parses that, ignoring any keys already present in that repository's gpg keyring. If there are no gpgcakeys installed after parsing the file, yum will fail. If there are new gpgcakeys, then if they are already imported as CA keys for another repo., they are automatically imported. If this is the first time we've seen this CA key, the user is asked if he wants to install the key (unless -y is given). If he says no to any key, yum fails (although all imported keys stay in the repo. gpg keyring).

  5. If there is at least one valid "gpgcakey", yum will try to download a "gpgkey".asc file. If that doesn't exist, yum moves on to step #6 as though there was no gpgcakey. If it does exist, then the "gpgkey" is tested against the "gpgcakey"; if it passes, it's added to the rpmdb, and if it fails, yum fails (although all imported keys stay in the rpmdb).

  6. If there are new gpgkeys, then the user is asked if he wants to install each key (unless -y is given). If he says no to any key, yum fails.

  7. After installing any new keys, yum again checks the package signature against the gpgkeys in the rpmdb. If this fails, yum fails.

Solution 2

Put localpkg_gpgcheck=1 in /etc/yum.conf and ensure you always use yum to install rpms.

If you have an rpm on the local filesystem, just do:

yum install <rpm-on-local-filesys>

Make sure you also set these in all the repos in /etc/yum.repos.d:

gpgcheck=1
enabled=1
gpgkey=file:///etc/pki/rpm-gpg/SOME-APPROVED-GPG-KEY

As you mentioned, the best you'll get out of installing via rpm is a warning, and there is no means to configure it to refuse to install on a non-present GPG key.
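Since rpm itself only warns (Solution 2) and the real check is "is the package signed by a key already in the rpmdb" (Solution 1), a local wrapper can refuse to run rpm -i unless that check passes. The script below is an added example, not code from either answer: it parses the verbose output of `rpm -Kv`, whose assumed format is one "... Signature, key ID <id>: OK|NOKEY|BAD" line per signature and one "<name> digest: OK" line per digest (NOKEY means the signing key is absent from the rpmdb), and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example: make a plain `rpm -i` fail unless `rpm -Kv` reports at least
# one GPG signature and every signature and digest check is OK.

# checksig_ok OUTPUT -> exit 0 only if the package is signed by a key in the
# rpmdb (no NOKEY/BAD) and all digests verify; unsigned packages are rejected.
checksig_ok() {
    printf '%s\n' "$1" | awk '
        /Signature, key ID/ { sigs++; if ($NF != "OK") bad++ }
        /digest:/ { split($0, f, ": "); if (f[2] !~ /^OK/) bad++ }
        END { if (sigs > 0 && bad == 0) exit 0; exit 1 }'
}

# safe_rpm_install PKG.rpm -> installs only when checksig_ok accepts the package
safe_rpm_install() {
    out=$(rpm -Kv "$1") || { echo "rpm -Kv failed for $1" >&2; return 1; }
    if checksig_ok "$out"; then
        rpm -i "$1"
    else
        echo "refusing to install $1: unsigned or signed by an unknown key" >&2
        return 2
    fi
}

# Constructed sample outputs (assumed rpm 4.14+ -Kv format) for the three
# cases the answers describe: trusted key, key not in rpmdb, no signature.
SIGNED_TRUSTED='pkg-1.0-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK'
SIGNED_NOKEY='pkg-1.0-1.noarch.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    MD5 digest: OK'
UNSIGNED='pkg-1.0-1.noarch.rpm:
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
    MD5 digest: OK'
```

Only the first sample passes checksig_ok; the NOKEY and unsigned cases return non-zero, so safe_rpm_install never reaches rpm -i for them.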

Author: user2670167. Updated on September 18, 2022.
