Open DemiMarie opened 3 years ago
Wouldn't it be easier to just add a `gpgfingerprint=` option so that we can have an array of fingerprints to match the array of gpg key files?
These are not mutually exclusive. The hash has two major advantages:
To elaborate, parsing a general key is significantly more complex than parsing a signature, and is therefore more likely to have exploitable vulnerabilities. I would be fine with a `gpgkeyhash=` key, though.
Currently, DNF does not provide a reliable way to authenticate the contents of remote `gpgkey=` URLs. DNSSEC doesn't always work (for instance, if libdnf is behind an HTTP proxy) and introduces substantial extra attack surface. Fortunately, the fragment part of a URL can contain arbitrary data that is not sent to the server. In this case, libdnf can check a cryptographic hash against the downloaded data. One example would be `gpgkey=http://example.com/something.gpg#sha256=47DEQpj8HBSa-_TImW-5JCeuQeRkm5NMpJWZG3hSuFU`.
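One way to implement the check proposed above, as an added example that is not libdnf's code: the fragment names the digest algorithm and carries an unpadded URL-safe base64 digest, the fragment is stripped before the key is fetched, and the downloaded bytes are compared against the expected digest. The function names, the `sha512` variant and the error handling are my own assumptions.

```python
import base64
import hashlib
import hmac
from urllib.parse import urlsplit, urlunsplit

# Constructed example: digest algorithms accepted in the URL fragment.
SUPPORTED = {"sha256": hashlib.sha256, "sha512": hashlib.sha512}


def split_key_url(url):
    """Return (fetch_url, algo, expected_digest) for a gpgkey= URL.

    fetch_url has the fragment removed (fragments are never sent to the
    server anyway). algo and expected_digest are None when the URL
    carries no "#<algo>=<urlsafe-base64>" fragment, so the caller can
    decide whether an unpinned remote key is acceptable.
    """
    parts = urlsplit(url)
    fetch_url = urlunsplit(parts._replace(fragment=""))
    if not parts.fragment:
        return fetch_url, None, None
    algo, sep, encoded = parts.fragment.partition("=")
    if not sep or algo not in SUPPORTED:
        raise ValueError("unsupported or malformed digest fragment: %r" % parts.fragment)
    # The example fragment is unpadded URL-safe base64; restore padding.
    padded = encoded + "=" * (-len(encoded) % 4)
    try:
        expected = base64.urlsafe_b64decode(padded)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("digest is not valid URL-safe base64") from exc
    if len(expected) != SUPPORTED[algo]().digest_size:
        raise ValueError("digest length does not match %s" % algo)
    return fetch_url, algo, expected


def verify_key_data(data, algo, expected):
    """True iff the downloaded bytes hash to the digest pinned in the URL.

    The comparison is constant-time; a mismatch means the key file must
    be rejected before any OpenPGP parsing is attempted.
    """
    actual = SUPPORTED[algo](data).digest()
    return hmac.compare_digest(actual, expected)
```

The digest in the issue's example URL is the SHA-256 of empty input, so an empty download is the one body that verifies against it.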