[CentOS-devel] False statement about insecurity made on Wiki

Wed Feb 10 03:10:57 UTC 2021
redbaronbrowser <redbaronbrowser at protonmail.com>

On Tuesday, February 9, 2021 8:58 PM, John R. Dennison <jrd at gerdesas.com> wrote:

> On Wed, Feb 10, 2021 at 02:42:35AM +0000, redbaronbrowser via CentOS-devel wrote:
>
> > As long as we are being pedantic about repository security, my personal
> > observation is the best point of attack is the repo XML files. These
> > are not signed. If a rogue mirror or a man in the middle attack did
> > take place, this seems like the best target. From what I can tell,
> > DNF (and libxml2) typically are parsing these files while running as
> > root. A zero-day against libxml2 would be gold.
>
> Repo metadata is signed.

From what I can tell, the repo metadata is hashed by sha256 but that is not the same as cryptographically signed.

What are you finding that is performing a verification of the repomd.xml against the CentOS public key before parsing it with libxml2?
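The distinction the thread turns on (a sha256 checksum listed inside repomd.xml versus a signature over repomd.xml itself) can be shown with a few lines of Python. The code below is an added illustration, not part of this thread and not dnf's own code. It constructs a minimal repomd.xml in the layout dnf consumes (the `http://linux.duke.edu/metadata/repo` namespace with `<data>`/`<checksum>`/`<location>` elements), verifies the referenced files against the listed checksums, and then shows that anyone who can alter a file can simply regenerate the checksums, so the check passes again. The second half parses a constructed `.repo` file and flags repositories that do not set `repo_gpgcheck=1`, the dnf/yum option that makes the client verify the detached `repomd.xml.asc` signature against the configured GPG key before trusting the metadata; `gpgcheck=1` on its own only covers the RPM packages, not the metadata. File contents, checksums and repository names are constructed samples.

```python
import configparser
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed stand-ins for the metadata files a repomd.xml points at.
SAMPLE_FILES = {
    "repodata/primary.xml.gz": b"<metadata>constructed primary listing</metadata>",
    "repodata/filelists.xml.gz": b"<filelists>constructed file listing</filelists>",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_repomd(files: dict) -> str:
    """Build a minimal repomd.xml (constructed) listing a sha256 for each file.

    This is exactly what a mirror (or anyone rewriting its responses) can do:
    the checksums are derived from the files, so they travel with the data.
    """
    entries = []
    for href, blob in files.items():
        dtype = href.rsplit("/", 1)[-1].split(".", 1)[0]  # primary, filelists, ...
        entries.append(
            f'  <data type="{dtype}">\n'
            f'    <checksum type="sha256">{sha256_hex(blob)}</checksum>\n'
            f'    <location href="{href}"/>\n'
            f"  </data>"
        )
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        + "\n".join(entries)
        + "\n</repomd>\n"
    )


def verify_metadata_checksums(repomd_xml: str, files: dict) -> dict:
    """Return {href: True/False} for every <data> entry in repomd.xml.

    True means the file bytes match the sha256 listed for them. This only
    establishes consistency between repomd.xml and the files; it says nothing
    about whether repomd.xml itself came from the repository's publisher.
    """
    root = ET.fromstring(repomd_xml)
    results = {}
    for data in root.findall(f"{REPO_NS}data"):
        checksum = data.find(f"{REPO_NS}checksum")
        location = data.find(f"{REPO_NS}location")
        href = location.get("href")
        blob = files.get(href)
        if blob is None or checksum is None or checksum.get("type") != "sha256":
            results[href] = False
            continue
        results[href] = sha256_hex(blob) == checksum.text.strip()
    return results


# Constructed .repo file: only one section asks dnf to verify repomd.xml.asc.
SAMPLE_REPO_CONFIG = """
[baseos]
name=Constructed BaseOS
baseurl=https://mirror.example.invalid/baseos/
gpgcheck=1
repo_gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY

[appstream]
name=Constructed AppStream
baseurl=https://mirror.example.invalid/appstream/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY

[extras]
name=Constructed Extras
baseurl=https://mirror.example.invalid/extras/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/EXAMPLE-KEY
"""


def repos_without_repo_gpgcheck(config_text: str) -> list:
    """List repo ids whose metadata signature check is off or unset.

    dnf treats a missing repo_gpgcheck as disabled, so both an explicit 0 and
    an absent key are flagged.
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(config_text)
    return [
        section
        for section in cp.sections()
        if not cp.getboolean(section, "repo_gpgcheck", fallback=False)
    ]


if __name__ == "__main__":
    good = verify_metadata_checksums(build_repomd(SAMPLE_FILES), SAMPLE_FILES)
    print("untouched files verify:", all(good.values()))

    tampered = dict(SAMPLE_FILES)
    tampered["repodata/primary.xml.gz"] = b"<metadata>altered listing</metadata>"
    print("tampered file vs. original repomd:",
          verify_metadata_checksums(build_repomd(SAMPLE_FILES), tampered))
    # Regenerating repomd.xml after the change makes everything consistent again.
    print("tampered file vs. regenerated repomd:",
          verify_metadata_checksums(build_repomd(tampered), tampered))

    print("repos without repo_gpgcheck:",
          repos_without_repo_gpgcheck(SAMPLE_REPO_CONFIG))
```

Running it shows the first verification succeed, the second flag the altered file, and the third succeed again once repomd.xml has been rebuilt, which is the point of the thread: the sha256 entries detect accidental corruption and mismatched mirrors, while only a signature over repomd.xml (enabled per repository with `repo_gpgcheck=1` and a trusted `gpgkey`) binds the metadata to its publisher. The config scan is a quick audit of which repositories on a host currently get that protection.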