3

Why RpmFusion is installed if no key is installed ?

asked 2016-03-28 14:43:12 -0600


updated 2016-03-28 15:16:34 -0600


I have a fresh Fedora 23 installed on VirtualBox. I applied the latest updates available (sudo dnf update). Then I ran the following commands (described on the RpmFusion website). The packages are installed without any problem, but why? Because I don't have the keys from RpmFusion. I think this is a security issue because there is no verification of the key against the one installed on the system. In this manner anyone can repackage anything with any signature and the package will be installed without any security check.

[user@localhost ~]$ su -c 'dnf install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm'
Password: 
Last metadata expiration check: 1:26:02 ago on Mon Mar 28 20:51:56 2016.
Dependencies resolved.
================================================================================
 Package                        Arch        Version     Repository         Size
================================================================================
Installing:
 rpmfusion-free-release         noarch      23-0.1      @commandline       19 k
 rpmfusion-nonfree-release      noarch      23-0.1      @commandline       19 k

Transaction Summary
================================================================================
Install  2 Packages

Total size: 39 k
Installed size: 20 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : rpmfusion-free-release-23-0.1.noarch                        1/2 
  Installing  : rpmfusion-nonfree-release-23-0.1.noarch                     2/2 
warning: rpmfusion-nonfree-release-23-0.1.noarch: Header V4 RSA/SHA1 Signature, key ID 5ca6c469: NOKEY
  Verifying   : rpmfusion-nonfree-release-23-0.1.noarch                     1/2 
  Verifying   : rpmfusion-free-release-23-0.1.noarch                        2/2 

Installed:
  rpmfusion-free-release.noarch 23-0.1  rpmfusion-nonfree-release.noarch 23-0.1 

Complete!
[user@localhost ~]$ su -c 'dnf install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm'
Password: 
RPM Fusion for Fedora 23 - Nonfree              590 kB/s | 218 kB     00:00    
RPM Fusion for Fedora 23 - Free                 719 kB/s | 738 kB     00:01    
RPM Fusion for Fedora 23 - Free - Test Updates  643 kB/s | 328 kB     00:00    
RPM Fusion for Fedora 23 - Nonfree - Test Updat 363 kB/s | 104 kB     00:00    
Last metadata expiration check: 0:00:00 ago on Mon Mar 28 22:19:23 2016.
Package rpmfusion-nonfree-release-23-0.1.noarch is already installed, skipping.
Package rpmfusion-free-release-23-0.1.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

Comments

HUUUUGE BUG!!!

gobigobi66 (2016-04-19 21:37:34 -0600)

3 Answers

3

answered 2016-03-28 15:24:32 -0600


Seems to be a bug in Fedora 23 -- https://bugzilla.redhat.com/show_bug.... -- but only with packages installed locally (using a URL or when installing manually downloaded packages) when you don't have the key.


Comments

Uuuuh. That's a bad one. Good catch.

florian (2016-03-28 15:37:29 -0600)
1

IMO big security issue and still no fix after 3 months...

vlad1020 (2016-03-28 15:42:25 -0600)

Apparently also for URL packages, not only local/downloaded packages: https://bugzilla.redhat.com/show_bug....

florian (2016-05-18 10:12:35 -0600)
2

answered 2016-03-28 15:09:19 -0600


updated 2016-03-28 15:39:49 -0600

rpmfusion packages are signed with a GPG signature from rpmfusion, and dnf automatically checks those keys, unless you specify --nogpgcheck.

I am pretty sure you do have the relevant rpmfusion gpg keys installed on your system. They are located in /etc/pki/rpm-gpg/. List them with ls -l /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-*.


Comments

The rpmfusion keys are installed when rpmfusion-free-release-23-0.1.noarch and rpmfusion-nonfree-release-23-0.1.noarch are installed, so only then are packages from rpmfusion (e.g. vlc) verified with the keys. My question was why those two packages are installed, because Fedora 23 doesn't come with the rpmfusion keys preinstalled.

vlad1020 (2016-03-28 15:23:17 -0600)

So, looks like my answer may be valid in theory only, because of this bug @vtrefny is mentioning.

florian (2016-03-28 15:39:06 -0600)
1

answered 2016-04-18 19:53:37 -0600


I think this is a duplicate of: https://ask.fedoraproject.org/en/ques...

You may do:

rpm --import "http://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-23" "http://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-23"
dnf install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-23.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-23.noarch.rpm

with gpg verification, so no need to use --nogpg.

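The thread describes two things a defender would want to automate: the question's transcript shows rpm emitting "key ID 5ca6c469: NOKEY" while dnf still installs the package, and the answer above imports the RPM Fusion keys before installing from a URL. The script below is an added example, not code from the thread or from Fedora/RPM Fusion. It gates a local or URL-supplied .rpm on a signature that actually verifies against an imported key, and refuses otherwise. Assumptions: rpm(8), dnf(8) and curl are present; `rpm -Kv FILE` prints one line per signature or digest ending in "OK", "NOKEY" or "NOT OK" (the format used by rpm on Fedora 23); imported keys appear as gpg-pubkey-<keyid>-<stamp> packages. The sample output lines are constructed, modelled on the warning in the question.

```shell
#!/bin/sh
# Added example (not the thread's own code): only install a locally supplied
# or URL-supplied .rpm if its signature verifies against an imported key.

# sig_verified LINES: return 0 only if the `rpm -Kv` output in LINES has at
# least one signature line ending in "OK" and no NOKEY / NOT OK / BAD line.
# Assumption: rpm prints e.g. "V4 RSA/SHA1 Signature, key ID 5ca6c469: NOKEY".
sig_verified() {
    lines=$1
    # Any unverifiable or bad signature/digest fails closed.
    printf '%s\n' "$lines" | grep -Eq 'NOKEY|NOT OK|BAD' && return 1
    # A package with no signature at all also fails: require a verified one.
    printf '%s\n' "$lines" | grep -Eq 'Signature.*: OK$' || return 1
    return 0
}

# key_imported KEYID: return 0 if rpm's keyring holds a gpg-pubkey whose
# short id matches KEYID (e.g. 5ca6c469 from the question's warning).
key_imported() {
    keyid=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    rpm -qa 'gpg-pubkey*' 2>/dev/null | grep -q "gpg-pubkey-$keyid-"
}

# checked_install PKG: download PKG if it is a URL, run rpm -Kv on the file,
# and hand it to dnf only when sig_verified accepts the result.
checked_install() {
    pkg=$1
    case $pkg in
        http://*|https://*)
            tmpdir=$(mktemp -d) || return 1
            pkg="$tmpdir/$(basename "$pkg")"
            curl -fsSL -o "$pkg" "$1" || { rm -rf "$tmpdir"; return 1; }
            ;;
    esac
    out=$(rpm -Kv "$pkg" 2>&1)
    if sig_verified "$out"; then
        dnf install -y "$pkg"
    else
        printf 'refusing to install %s: signature not verifiable\n%s\n' \
            "$pkg" "$out" >&2
        return 1
    fi
}

# Constructed sample `rpm -Kv` outputs (not captured from a real system),
# modelled on the NOKEY warning in the question.
SAMPLE_NOKEY='pkg.rpm:
    Header V4 RSA/SHA1 Signature, key ID 5ca6c469: NOKEY
    Header SHA1 digest: OK
    V4 RSA/SHA1 Signature, key ID 5ca6c469: NOKEY
    MD5 digest: OK'
SAMPLE_OK='pkg.rpm:
    Header V4 RSA/SHA1 Signature, key ID 5ca6c469: OK
    Header SHA1 digest: OK
    V4 RSA/SHA1 Signature, key ID 5ca6c469: OK
    MD5 digest: OK'
SAMPLE_UNSIGNED='pkg.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

# Usage (as root, after importing the keys as in the answer above):
#   checked_install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-23.noarch.rpm
```

The point of `sig_verified` is that it fails closed in all three cases the thread touches: a signature made with a key that is not imported (NOKEY, the question's case), a bad signature, and a package that carries no signature at all. `key_imported` lets a provisioning script assert that `rpm --import` actually succeeded before any install is attempted.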


Stats

Asked: 2016-03-28 14:43:12 -0600

Seen: 1,840 times

Last updated: Apr 18 '16