#306 GPG checking is always disabled
Opened a year ago by ktdreyer. Modified a year ago

$ git grep gpgcheck
server/odcs/server/backend.py:gpgcheck=0
server/odcs/server/backend.py:repo_gpgcheck=0
server/odcs/server/backend.py:gpgcheck=0
server/tests/test_backend.py:gpgcheck=0
server/tests/test_backend.py:gpgcheck=0
server/tests/test_backend.py:gpgcheck=0

Here are two reasons this is a problem:

1) Build system security. In some environments, we expose the compose contents via HTTP and not HTTPS. (This is because the container image must trust the HTTPS server certificate, and sometimes that HTTPS cert is signed by a non-default CA). This means there is no integrity checking at all when building images from ODCS composes.

2) Correct choice of builds. It is easy for me as a developer to make mistakes and put unsigned builds into a container. ODCS has a "signing intent" setting that should help with this, but the operations around signing builds within Koji are complicated and racy. Sometimes there are problems or corner cases I did not anticipate. As a result, the only sure way to ensure that all my builds are gold-signed is to enforce this in the container's package manager.

We would never tell regular Fedora or RHEL users to disable GPG checking on their systems. Please don't do this in ODCS either.

Related issues:
https://pagure.io/pungi/issue/487
https://github.com/containerbuildsystem/atomic-reactor/issues/588


Login to comment on this ticket.

Metadata