[CentOS] yum/RPM and Trust on First Use

Sun Dec 20 10:28:55 UTC 2015
Gordon Messmer <gordon.messmer at gmail.com>

On 12/19/2015 09:49 AM, Alice Wonder wrote:
> With third party repositories the key and configuration file is often 
> distributed separately. That's the potential attack vector for trojan 
> keys.


All of the notable repositories that I'm aware of publish an 
x-release.rpm that installs their key and yum repo file.  But if your 
concern is that users might manually install a repo file and public key, 
then I don't see how modifying yum would change that. The attacker would 
probably include a key that contains an address they control and 
validates properly against it.

In other words, I think the solution to the problem is simply to make 
sure that the repositories publish their "release" rpm over https and 
that documentation reflects the secure URL.  I notice now that EPEL 
links directly to the https URL for their release rpm, but their FAQ 
still provides a command-line example for installation using an http URL.

The FAQ should be updated.  That method is a potential security problem 
because it doesn't use https and doesn't check the package signature.  
But the solution is simply to replace http with https in the FAQ.  yum 
isn't used to install the release package, and I think the solution is 
to make sure that malicious release packages don't get installed, not to 
try to behave well on a system where an attacker already installed 
malicious data.