security issue - digital software signatures are not always verified #2394

Closed
adrelanos opened this issue Nov 11, 2023 · 1 comment

Comments

@adrelanos
Problem description

Digital software signatures are not always verified. This is bad for security.

Expected behaviour

Digital software signatures are always verified.

Steps to reproduce the behaviour

  1. Look at https://github.com/OSInside/kiwi-descriptions/blob/master/debian/x86_64/debian-buster/config.xml
  2. See:
     <rpm-check-signatures>false</rpm-check-signatures>
     repository_gpgcheck="false"
@Conan-Kudo
Member

This is an example kiwi description. You can just as easily flip those from false to true, but then you need to provide the keys to verify signatures with. For the purposes of those descriptions, it wasn't needed.

If you want examples of how you can build images with signature verification for inputs, there are a few CentOS example descriptions that show how to do it.

@Conan-Kudo Conan-Kudo closed this as not planned Nov 20, 2023
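The two settings named in the issue, checked mechanically: an added example (not part of the issue or of the kiwi project) that parses a kiwi config.xml and reports every place where signature verification is turned off, using a constructed minimal description in both its weak and its corrected form. Both sample descriptions are constructed for this example and are not copies of the real kiwi-descriptions file; as the maintainer notes, flipping the values to true still requires supplying the keys to verify against.

```python
"""Lint a kiwi config.xml for disabled signature verification (added example)."""
import xml.etree.ElementTree as ET

# Constructed sample with the two weak settings quoted in the issue.
WEAK_CONFIG = """<image schemaversion="7.4" name="example-buster">
  <description type="system">
    <author>example</author>
    <contact>example@example.invalid</contact>
    <specification>constructed sample</specification>
  </description>
  <preferences>
    <version>1.0.0</version>
    <packagemanager>apt</packagemanager>
    <rpm-check-signatures>false</rpm-check-signatures>
  </preferences>
  <repository type="apt-deb" alias="Debian" distribution="buster"
              components="main" repository_gpgcheck="false">
    <source path="http://deb.debian.org/debian"/>
  </repository>
</image>
"""

# Same description with both checks enabled. The signing keys still have to be
# provided to kiwi separately; enabling the flags alone does not make a build verify.
HARDENED_CONFIG = WEAK_CONFIG.replace(
    "<rpm-check-signatures>false</rpm-check-signatures>",
    "<rpm-check-signatures>true</rpm-check-signatures>",
).replace('repository_gpgcheck="false"', 'repository_gpgcheck="true"')


def find_unverified_inputs(config_xml: str) -> list[str]:
    """Return one finding per place where the description does not require
    signature checks. Policy choice of this example: an absent element or
    attribute is reported as well, since the page's concern is that signatures
    are 'not always verified' (kiwi's defaults are not taken from the page)."""
    root = ET.fromstring(config_xml)
    findings = []
    for pref in root.findall("preferences"):
        check = pref.find("rpm-check-signatures")
        if check is None or (check.text or "").strip().lower() != "true":
            findings.append("preferences: rpm-check-signatures is not 'true'")
    for repo in root.findall("repository"):
        alias = repo.get("alias", "<no alias>")
        if repo.get("repository_gpgcheck", "").strip().lower() != "true":
            findings.append(f"repository {alias}: repository_gpgcheck is not 'true'")
    return findings
```

Running the linter over a tree of descriptions before a build is a cheap way to catch a description that was copied from an example with verification left off.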