* Jason L. Tibbitts, III:
> >>>>> "FW" == Florian Weimer <fweimer(a)redhat.com> writes:
> FW> At one point, there was a verified hash chain from the https://
> FW> metalink service, to the repository metadata, down to individual
> FW> packages. Any tampering was detected then.
> I understand that the metalink contains enough information to verify the
> returned repomd.xml files, but I guess I don't really know if there's
> enough data to chase that down to the checksum of every file that's ever
> expected to be on a mirror.
repomd.xml has hashes for primary.xml etc., and primary.xml contains
digests of the RPM files. In theory, it can all be checked.
At one point, RPM wrote unchecked file contents to disk, leading to
vulnerabilities such as CVE-2013-6435. At the time, it was not possible
to teach RPM to verify the data before writing it.
> If it is, then great, though signatures still have value because there
> are other ways to get RPMs than letting dnf hit the mirror network.
I think dnf only performs signature checking if the RPMs are downloaded
from repositories.
Thanks,
Florian
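The repomd.xml -> primary.xml -> package digest chain described in this thread, as an added example that is not code from the thread, from dnf or from RPM. It uses the real createrepo namespaces and the `open-checksum` element (digest of the uncompressed primary.xml); the metadata, the package bytes and the href are constructed sample data, and the metalink -> repomd.xml step above this chain is assumed to have been checked already.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET
# Namespaces used by createrepo-generated metadata.
REPO_NS = "http://linux.duke.edu/metadata/repo"
COMMON_NS = "http://linux.duke.edu/metadata/common"

def digest_ok(algo: str, expected: str, data: bytes) -> bool:
    """Recompute the digest and compare in constant time; unknown or weak algorithms fail closed."""
    if algo not in ("sha256", "sha512"):
        return False
    return hmac.compare_digest(hashlib.new(algo, data).hexdigest(), expected.lower())

def primary_open_checksum(repomd_xml: bytes) -> tuple[str, str]:
    """(algorithm, digest) that repomd.xml records for the uncompressed primary.xml."""
    for data in ET.fromstring(repomd_xml).findall(f"{{{REPO_NS}}}data"):
        if data.get("type") == "primary":
            cs = data.find(f"{{{REPO_NS}}}open-checksum")
            return cs.get("type"), cs.text.strip()
    raise ValueError("repomd.xml has no primary entry")

def package_checksum(primary_xml: bytes, href: str) -> tuple[str, str]:
    """(algorithm, digest) that primary.xml records for the package at href."""
    for pkg in ET.fromstring(primary_xml).findall(f"{{{COMMON_NS}}}package"):
        loc = pkg.find(f"{{{COMMON_NS}}}location")
        if loc is not None and loc.get("href") == href:
            cs = pkg.find(f"{{{COMMON_NS}}}checksum")
            return cs.get("type"), cs.text.strip()
    raise ValueError(f"{href} is not listed in primary.xml")

def verify_package(repomd_xml: bytes, primary_xml: bytes, href: str, rpm: bytes) -> bool:
    """Walk the chain repomd.xml -> primary.xml -> package bytes. The step above this,
    metalink -> repomd.xml, is assumed to have been verified already (not shown here)."""
    algo, want = primary_open_checksum(repomd_xml)
    if not digest_ok(algo, want, primary_xml):
        return False
    algo, want = package_checksum(primary_xml, href)
    return digest_ok(algo, want, rpm)  # decide before any package content is written to disk

# Constructed sample data: a fake RPM body and minimal metadata describing it.
HREF = "Packages/example-1.0-1.noarch.rpm"
RPM = b"\xed\xab\xee\xdb" + b"constructed fake package body"
PRIMARY = (f'<metadata xmlns="{COMMON_NS}" packages="1"><package type="rpm">'
           f'<name>example</name><checksum type="sha256" pkgid="YES">'
           f'{hashlib.sha256(RPM).hexdigest()}</checksum><location href="{HREF}"/>'
           f'</package></metadata>').encode()
REPOMD = (f'<repomd xmlns="{REPO_NS}"><data type="primary">'
          f'<open-checksum type="sha256">{hashlib.sha256(PRIMARY).hexdigest()}'
          f'</open-checksum><location href="repodata/primary.xml.gz"/></data></repomd>').encode()
```

`verify_package(REPOMD, PRIMARY, HREF, RPM)` returns True for the intact sample and False once either the package bytes or primary.xml are altered, since the altered primary.xml no longer matches the digest recorded in repomd.xml.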