[CentOS] yum/RPM and Trust on First Use

Sun Dec 20 12:26:14 UTC 2015
Ned Slider <ned at unixmail.co.uk>

On 20/12/15 10:28, Gordon Messmer wrote:
> On 12/19/2015 09:49 AM, Alice Wonder wrote:
>> With third party repositories the key and configuration file is often
>> distributed separately. That's the potential attack vector for trojan
>> keys.
> Examples?
> All of the notable repositories that I'm aware of publish an
> x-release.rpm that installs their key and yum repo file.  But if your
> concern is that users might manually install a repo file and public key,
> then I don't see how modifying yum would change that. The attacker would
> probably include a key that contains an address they control and
> validates properly against it.
> In other words, I think the solution to the problem is simply to make
> sure that the repositories publish their "release" rpm over https and
> that documentation reflects the secure URL.  I notice now that EPEL
> links directly to the https URL for their release rpm, but their FAQ
> still provides a command-line example for installation using an http URL.
> The FAQ should be updated.  That method is a potential security problem
> because it doesn't use https and doesn't check the package signature. 
> But the solution is simply to replace http with https in the FAQ.  yum
> isn't used to install the release package, and I think the solution is
> to make sure that malicious release packages don't get installed, not to
> try to behave well on a system where an attacker already installed
> malicious data.

Unless I'm mistaken RPM in el5 does not support the https protocol.