On Wed, Jul 31, 2019 at 2:45 PM Kevin Fenzi <kevin(a)scrye.com> wrote:
> On 7/31/19 11:09 AM, Florian Weimer wrote:
>> * Jason L. Tibbitts, III:
>>
>> At one point, RPM wrote unchecked file contents to disk, leading to
>> vulnerabilities such as CVE-2013-6435. At the time, it was not possible
>> to teach RPM to verify the data before writing it.
>>
>>> If it is, then great, though signatures still have value because there
>>> are other ways to get RPMs than letting dnf hit the mirror network.
>>
>> I think dnf only performs signature checking if the RPMs are downloaded
>> from repositories.
> Yep. I am pretty sure that is the case.
By default this is the case, but you can configure DNF to validate
signatures for all cases if you want.
You just set localpkg_gpgcheck=1 in /etc/dnf/dnf.conf.
That said, you probably don't want to do that, since most downloaded
packages aren't signed...
--
真実はいつも一つ!/ Always, there's only one truth!
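The distinction drawn in this thread (repository packages are signature-checked by gpgcheck, local .rpm files only when localpkg_gpgcheck is also set) is easy to audit from the config file. The script below is an added example, not code from the thread or from DNF itself; the sample dnf.conf is constructed, and it assumes, per the DNF configuration reference, that both options default to False when absent from [main].

```python
import configparser

# Constructed sample of /etc/dnf/dnf.conf: gpgcheck is on, but
# localpkg_gpgcheck is left unset, which is the situation the thread describes.
SAMPLE_DNF_CONF = """\
[main]
gpgcheck=1
installonly_limit=3
clean_requirements_on_remove=True
"""


def _to_bool(value, default):
    """Interpret DNF-style boolean values; use the default when the key is unset."""
    if value is None:
        return default
    return value.strip().lower() in ("1", "true", "yes", "on")


def audit_dnf_conf(conf_text):
    """Report whether repository packages and local .rpm files get signature checks.

    Assumption (DNF configuration reference): gpgcheck and localpkg_gpgcheck
    both default to False when they are missing from the [main] section.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    main = parser["main"] if parser.has_section("main") else {}
    repo_check = _to_bool(main.get("gpgcheck"), default=False)
    local_check = _to_bool(main.get("localpkg_gpgcheck"), default=False)
    return {
        "repo_packages_verified": repo_check,
        "local_packages_verified": local_check,
        "finding": None if local_check else (
            "local .rpm files installed via dnf are not signature-checked; "
            "set localpkg_gpgcheck=1 under [main] or verify each file with "
            "rpmkeys --checksig before installing it"
        ),
    }


if __name__ == "__main__":
    for key, value in audit_dnf_conf(SAMPLE_DNF_CONF).items():
        print(f"{key}: {value}")
```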