#487 optionally check GPG signatures during OSBS build
Closed: Fixed 7 years ago Opened 7 years ago by ktdreyer.

Pungi's OSBS step writes all .repo files with gpgcheck=0. This is ok for unsigned composes, but in cases where the compose is using signed RPMs, we should authenticate the packages during the build process for higher security.

It would be ideal to add a gpgkey configuration option for OSBS, and if this option is defined, then set gpgcheck=1 and gpgkey=<value>.

There is a similar issue with atomic-reactor's own AddYumRepoPlugin, at https://github.com/projectatomic/atomic-reactor/issues/588


In addition to increasing security, this is also a nice sanity check that we are not accidentally releasing unsigned content in our containers.

Here's a standalone hacky tool that does this: https://github.com/ktdreyer/bucko

See the get_variant_gpg_key() method for how I'm detecting the GPG key for a variant.

I use ConfigParser to write the Yum repo file, so the code looks like:

```python
# Default to no verification, then enable it when a key is known for
# the variant. Values are strings, as configparser.set() requires.
config.set(name, 'gpgcheck', '0')
if gpgkey is not None:
    config.set(name, 'gpgcheck', '1')
    config.set(name, 'gpgkey', gpgkey)
```
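As an added example (not Pungi's or bucko's own code) of the behaviour this RFE asks for, here is a writer for a single variant repo section in Python 3's configparser, plus a check that flags sections yum would install from without signature verification; the repo names and URLs are constructed placeholders.

```python
import configparser
import io

# Added example, not Pungi's or bucko's code: a repo section gets
# gpgcheck=1 and gpgkey=<url> when a key is known, else gpgcheck=0.


def build_repo_config(name, baseurl, gpgkey=None):
    """Return a RawConfigParser holding one yum repo section."""
    config = configparser.RawConfigParser()
    config.add_section(name)
    config.set(name, 'name', name)
    config.set(name, 'baseurl', baseurl)
    config.set(name, 'enabled', '1')
    # Default to no verification, then tighten when a key is available.
    config.set(name, 'gpgcheck', '0')
    if gpgkey is not None:
        config.set(name, 'gpgcheck', '1')
        config.set(name, 'gpgkey', gpgkey)
    return config


def render_repo_file(config):
    """Serialise to the key=value form used in .repo files."""
    buf = io.StringIO()
    config.write(buf, space_around_delimiters=False)
    return buf.getvalue()


def unverified_repos(repo_text):
    """Names of sections yum would install from without signature
    checks: gpgcheck absent or not 1, or gpgcheck=1 with no gpgkey."""
    parser = configparser.RawConfigParser()
    parser.read_string(repo_text)
    bad = []
    for section in parser.sections():
        check = parser.get(section, 'gpgcheck', fallback='0')
        key = parser.get(section, 'gpgkey', fallback='')
        if check != '1' or not key:
            bad.append(section)
    return bad


if __name__ == '__main__':
    # Constructed placeholder URLs; not a real compose.
    key = 'https://example.invalid/keys/RPM-GPG-KEY-placeholder'
    cfg = build_repo_config('Server', 'https://example.invalid/Server', key)
    text = render_repo_file(cfg)
    print(text)
    print('unverified sections:', unverified_repos(text))
```

Running `unverified_repos` over every generated .repo file before the OSBS task is the "not accidentally releasing unsigned content" sanity check mentioned above.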

Hi @ktdreyer,

Do we need to check the gpgkey for the external repos (which are not variant repos from the current compose)?

One possible solution for this could be to download the RPM headers for all the packages in the repo first (I think we don't want to download all the RPMs in the repo locally to check), and then check the headers to get the keys. However, when I do this, I found that running kobo.rpmlib.get_keys_from_header(hdr) doesn't return any key, while it returns the expected key against a local RPM file. It can show me the expected result for some fields in the downloaded header file, for example the changelogs or the digest algo. So far, I have no idea why the downloaded header doesn't give me the expected result.

Attached here is the sample script I used to check keys for RPMs in a yum repo:
get_package_keys_in_repo.py

The external repos are specified as a link to a .repo file. We can't modify those files, and I think we should just trust that they're correct. This RFE should only affect the .repo files generated by Pungi.

> The external repos are specified as a link to a .repo file. We can't modify those files, and I think we should just trust that they're correct. This RFE should only affect the .repo files generated by Pungi.

Agree, it makes sense to assume the external repos are trusted. I'll add this RFE against the variant repos. @ktdreyer if you think we need to check the external repos too, you can let us know.

Hm, I just realized that if gpgcheck=1 and gpgkey are specified in the repo files, yum does the check while performing the download/installation, so we don't need to check the keys before the job; it will fail as expected if a key is not verified. @lsedlar you're right, just ignore my concern on that.

Hi @ktdreyer,

I sent a PR https://pagure.io/pungi/pull-request/510 for this.

We can add 'gpgcheck=0' and 'gpgkey=<value>' to the repo files directly when gpgkey is specified; the osbs koji task will then fail at yum installation when any unsigned package is found in the repo, which is as expected.

In addition, we could add gpgkey checking for all packages before starting the koji task; however, this has only limited benefit, since in most cases it's unnecessary:

  1. When pkgset_source = "koji" (which is used in most cases) and sigkeys is specified (with only one key) in the Pungi config file, Pungi already restricts the package set to packages signed with that gpgkey. In this case the user only needs to specify the key URL in the osbs config; of course, it should be the URL to the key listed in sigkeys.

  2. When pkgset_source = 'repos', Pungi doesn't restrict the package set to packages signed with sigkeys. In this case, if we don't check the gpgkey against the packages, the osbs koji task can still fail with a package-not-signed error at the yum level, as expected, and it is not so hard to figure out the exact cause.

The benefit of adding gpgkey checking is that we can catch the error before the osbs koji task and raise an error message naming exactly which packages are unsigned. If you don't care much about this, we'd prefer to remove the gpgkey checking from this PR.

What's your opinion on this?

I don't see a benefit to checking signatures on packages prior to the OSBS build operation. You're right about pkgset_source = "koji" already restricting my compose to signed packages, and that is the only use-case I care about for this :)

@lsedlar changed the status to Closed

7 years ago

This should be fixed with PR #510.
