Enforcing signature checking by default
Summary
Change the RPM default package verification mode to enforcing signature checking, to follow upstream RPM 6.0 default:
only packages with a verified signature can be installed, unless explicitly overridden by --nosignature or corresponding API.
Owner
- Name: Panu Matilainen
- Email: pmatilai@redhat.com
Current status
- Targeted release: Fedora Linux 45
- Last updated: 2026-01-21
- Announced
- Discussion thread
- FESCo issue: #3504
- Tracker bug: #2417106
- Release notes tracker: <will be assigned by the Wrangler>
Detailed Description
On the RPM level, this is a one-line configuration change: the %_pkgverify_level default is changed from digest to all, which requires packages to have both verified signature(s) and verified digest(s) to be installable. This means rpmkeys -K/--checksig will fail on unsigned packages, and rpm will refuse to install such packages, unless explicitly overridden with --nosignature (or the corresponding API).
This change was originally intended to happen as a side-effect of https://fedoraproject.org/wiki/Changes/RPM-6.0 but was postponed to Fedora 45 due to time and resource reasons.
DNF5 >= 5.2.14.0 (in Fedora >= 42) has the necessary integration to allow disabling the verification on per-package basis to support repositories with disabled signature checking. This is used by mock to handle newly built, unsigned packages, and continues to work without further changes.
Mock has a plugin for signing locally built packages, and COPR has its own automatic signing.
For packages locally built with rpmbuild, RPM >= 6.0 supports automatic signing by a passwordless key to make local rpmbuild use almost as seamless as before, and comes with an easy one-time setup script: /usr/lib/rpm/rpm-setup-autosign.
Feedback
Benefit to Fedora
The traditional RPM <= 4.x behavior was to verify signatures if they are present and verifiable, but never to require them. That behavior may have been somewhat acceptable in the nineties, but does not meet the security expectations of modern times. Besides being insecure, the semantics cause quirky and non-obvious behavior in various situations.
Higher level package managers like yum and dnf/dnf5 have implemented their own enforcing signature modes, enabled by default since the beginning of Fedora. This change brings the RPM side default behavior to this millennium.
Scope
- Proposal owners:
- Change the RPM configuration.
- Assist with adoption as necessary, and address possible unforeseen / newly found issues in rpm/dnf/mock
- Other developers:
- Adjust their local package building workflows to either use signed packages or explicitly disable the signature checking where necessary (see compatibility impact).
- Release engineering: #13027
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy: Improved security should align with Fedora strategy, whether written down or not.
Upgrade/compatibility impact
There's no impact on the average system only utilizing packages from official or 3rd party repositories. Dnf, mock, the official Fedora buildsystem and COPR should be fully compatible with this change as-is. However, this change will almost certainly require some changes to rpm/rpmbuild related workflows that the RPM team hasn't even heard of.
In some cases it might be sufficient to import relevant keys before operating on packages. Ideally, workflows involving unsigned packages are updated to use signed packages. Where that is not immediately or easily feasible, explicit --nosignature (or corresponding API) switches or a local configuration change to a more permissive policy may need to be added to scripts / system configuration.
Changes might be needed if there are local rpmbuild-related workflows, see Scope.
How To Test
This will receive thorough testing in everyday system use through system updates and on the buildsystem side, building packages. Specific items to test locally include:
- Try to install or verify an unsigned package (must fail)
- Try to install or verify a signed package whose key is not imported (must fail)
- Try to install or verify both of the above with --nosignature (should succeed if legit package)
- Test automatic signing in rpmbuild
  - Run /usr/lib/rpm/rpm-setup-autosign
  - Import the key as indicated by rpm-setup-autosign output
  - Build some package(s)
  - Try to install those packages (must not fail due to signature)
- Run
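The checklist above can be turned into a small script. The following is an added example, not part of the Change proposal or of rpm itself: must_fail and must_succeed wrap a command and report whether its exit status matched the expectation, check_unverifiable runs the rpmkeys checks from the list against a package that is unsigned or signed with a key that is not imported, and check_signed verifies a package built after rpm-setup-autosign. The package paths in the usage comment are placeholders; the rpm -U steps are left to the reader because they need root and a real package.

```shell
#!/bin/sh
# Added example: harness for the "How To Test" checklist of the
# enforcing-signature Change. Not code from rpm or Fedora.

must_fail() {
    # Run the command and expect a non-zero exit status.
    if "$@" >/dev/null 2>&1; then
        echo "FAIL (unexpectedly succeeded): $*"
        return 1
    fi
    echo "ok (failed as expected): $*"
    return 0
}

must_succeed() {
    # Run the command and expect exit status 0.
    if "$@" >/dev/null 2>&1; then
        echo "ok (succeeded as expected): $*"
        return 0
    fi
    echo "FAIL (unexpectedly failed): $*"
    return 1
}

show_policy() {
    # Print the effective verification level; "all" is the new default,
    # "digest" is the legacy level a local macro file may revert to.
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed"; return 1; }
    rpm --eval '%{?_pkgverify_level}'
}

check_unverifiable() {
    # $1: package that is unsigned, or signed with a key that is not imported.
    # Under the enforcing default plain verification must fail, and the
    # explicit --nosignature override must make it pass.
    command -v rpmkeys >/dev/null 2>&1 || { echo "rpmkeys not installed"; return 1; }
    must_fail rpmkeys -K "$1" &&
    must_succeed rpmkeys --nosignature -K "$1"
}

check_signed() {
    # $1: package built after rpm-setup-autosign, with the autosign key
    # imported as the script's output indicates; verification must succeed.
    command -v rpmkeys >/dev/null 2>&1 || { echo "rpmkeys not installed"; return 1; }
    must_succeed rpmkeys -K "$1"
}

# Usage (placeholder package names; requires rpm >= 6.0 with the new default):
#   show_policy
#   check_unverifiable ./unsigned-example-1.0-1.noarch.rpm
#   check_signed ./autosigned-example-1.0-1.noarch.rpm
```

Each wrapper prints one line per check so the script can be run as a whole and scanned for FAIL; the overall exit status of check_unverifiable is non-zero as soon as one of its two expectations is not met.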
User Experience
- Packages without verifiable signature(s) cannot be installed without an explicit override.
Dependencies
- dnf, mock, koji, copr are related but the buildsystem(s) are expected to work with no further changes
- there may be unforeseen / unknown dependencies in the infrastructure
dnf5 integration issue
Contingency Plan
- Contingency mechanism: Revert back to digest verification by default for F45 and try again in F46.
- Contingency deadline: beta freeze
- Blocks release? Yes
Documentation
Setting up autosigning for rpmbuild with rpm-setup-autosign(1):
- Run /usr/lib/rpm/rpm-setup-autosign
- Import the key as indicated by rpm-setup-autosign output
Setting up autosigning for mock:
- Set up rpmbuild autosigning as per above
- Add the following to ~/.config/mock, replacing <AUTOSIGN_ID> with the keyid from rpm --eval "%{?_openpgp_autosign_id}":
  config_opts['plugin_conf']['sign_enable'] = True
  config_opts['plugin_conf']['sign_opts'] = {}
  config_opts['plugin_conf']['sign_opts']['cmd'] = 'rpmsign'
  config_opts['plugin_conf']['sign_opts']['opts'] = '--addsign %(rpms)s'
  config_opts['plugin_conf']['sign_opts']['opts'] += ' --key-id <AUTOSIGN_ID>'
Dnf5 integration:
- Installing unsigned packages from a repository is possible when the repository is configured with gpgcheck=0
Reverting to legacy behavior:
- In workflows where signing is neither possible nor meaningful, it's possible to locally revert to the old digest-only verification mode with echo '%_pkgverify_level digest' > /etc/rpm/macros.verify or similar
- More information about the package verification policy configurables (%_pkgverify_*) can be found in the rpm-config(5) manual
