[CentOS-devel] repo_gpgcheck for centos repos?

Tue Sep 8 20:28:24 UTC 2020
R P Herrold <herrold at owlriver.com>

On Tue, 8 Sep 2020, Leon Fauster via CentOS-devel wrote:

> I remember asking somewhere, if the integrity in general gets checked
> (anaconda or kickstart list) but got no feedback.
> 
> JFI: https://bugzilla.redhat.com/show_bug.cgi?id=998

To what end other than exercising electrons without adding 
certainty of more security?

Just for the record, how do you propose to solve the MitM 
attack by Dr Evil substituting in a fraudulent set of signing 
key and 'gimmicked' rpm binary, which will cheerfully report 
'all is well', post install [1]

The only way I know of is taking a couple of sums, and human 
sight checking them against an authoritative signed set from 
upstream, at install time, and every time thereafter, rather 
than relying on a stored key .... but as the recent grub2 
chain vulnerability indicates, a later update can compromise 
even seemingly cryptographically secured boot chains, and 
sneak exploited executables in

-- Russ herrold

[1] trap doored binaries RPM signed and released to 
distribution
	https://access.redhat.com/errata/RHSA-2008:0855
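Added illustration, not part of the thread above and not code from the CentOS or dnf projects: what `repo_gpgcheck=1` actually anchors. With that option, dnf/yum verifies the detached GPG signature on `repomd.xml`; `repomd.xml` carries the SHA-256 of every metadata file, and `primary.xml` carries the checksum of every RPM, so a valid signature on the root pins the whole chain below it (which is why per-package `gpgcheck=1` alone leaves the repo metadata open to substitution). The script below parses a constructed `repomd.xml` and checks a constructed `primary.xml.gz` against it; the signature step is delegated to a `gpg` binary on `PATH` (an assumption) and is not exercised by the sample. Function names, the keyring path parameter and the sample data are this example's own.

```python
"""Walk the repodata hash chain that repo_gpgcheck anchors (added example).

repo_gpgcheck=1 makes dnf/yum verify repomd.xml.asc, the detached GPG
signature on repomd.xml.  repomd.xml lists a checksum for each metadata
file (primary.xml.gz etc.), and primary.xml lists a checksum for each RPM.
This script checks the metadata files named in repomd.xml against the
digests recorded there; gpg_verify() covers the signature on the root
and assumes a gpg binary on PATH.
"""
import gzip
import hashlib
import subprocess
import xml.etree.ElementTree as ET

# Namespace used by createrepo-generated repomd.xml.
REPO_NS = "{http://linux.duke.edu/metadata/repo}"


def parse_repomd(repomd_xml: str) -> dict:
    """Return {data type: (checksum algorithm, checksum hex, href)} from repomd.xml."""
    root = ET.fromstring(repomd_xml)
    entries = {}
    for data in root.findall(f"{REPO_NS}data"):
        checksum = data.find(f"{REPO_NS}checksum")
        location = data.find(f"{REPO_NS}location")
        entries[data.get("type")] = (
            checksum.get("type"),
            checksum.text.strip(),
            location.get("href"),
        )
    return entries


def verify_metadata(repomd_xml: str, files: dict) -> dict:
    """Check each metadata file (href -> bytes) against the digest in repomd.xml.

    Returns {href: bool}.  A missing file, a digest mismatch, or a checksum
    algorithm weaker than SHA-256 all count as failures.
    """
    results = {}
    for _type, (algo, expected, href) in parse_repomd(repomd_xml).items():
        blob = files.get(href)
        if algo not in ("sha256", "sha512") or blob is None:
            results[href] = False
            continue
        results[href] = hashlib.new(algo, blob).hexdigest() == expected
    return results


def gpg_verify(sig_path: str, repomd_path: str, keyring: str) -> bool:
    """Verify repomd.xml.asc against a pinned keyring (assumes gpg on PATH).

    Pinning the keyring is the point: a key picked up from the same
    (possibly substituted) repo proves nothing.
    """
    cmd = ["gpg", "--no-default-keyring", "--keyring", keyring,
           "--verify", sig_path, repomd_path]
    return subprocess.run(cmd, capture_output=True).returncode == 0


# Constructed sample data: a minimal primary.xml.gz and a repomd.xml naming it.
SAMPLE_PRIMARY = gzip.compress(b'<metadata packages="0"/>')
SAMPLE_HREF = "repodata/primary.xml.gz"
SAMPLE_REPOMD = f"""<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1599595000</revision>
  <data type="primary">
    <checksum type="sha256">{hashlib.sha256(SAMPLE_PRIMARY).hexdigest()}</checksum>
    <location href="{SAMPLE_HREF}"/>
  </data>
</repomd>
"""

if __name__ == "__main__":
    # Genuine metadata passes; a swapped primary.xml.gz is caught by the chain.
    print(verify_metadata(SAMPLE_REPOMD, {SAMPLE_HREF: SAMPLE_PRIMARY}))
    tampered = gzip.compress(b'<metadata packages="1"/>')
    print(verify_metadata(SAMPLE_REPOMD, {SAMPLE_HREF: tampered}))
```

On a live mirror the same walk continues one level down: `primary.xml` records each package's `pkgid` checksum, so once `repomd.xml.asc` verifies against a keyring obtained out of band, every RPM is bound to that signature by hashes alone. The poster's objection stands for the keyring itself; this only shows what the signature buys once the key is trusted.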