Why RpmFusion is installed if no key is installed ?

asked 2016-03-28 14:43:12 -0600

vlad1020
31 ●1 ●2 ●4

updated 2016-03-28 15:16:34 -0600

florian
11133 ●77 ●349 ●331

I have a freshly new Fedora 23 installed on Virtual Box. I applied the latest updates available (sudo dnf update). Then I applied the following commands (described on RpmFusion website): The packages are installed without any problem but why ? because I don't have the keys from RpmFusion. I thing this is a security issue because there is no verification of the key with the one installed on system. In this manner anyone can repackage anything with any signature and the package will be installed without any security check.

[user@localhost ~]$ su -c 'dnf install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm'
Password: 
Last metadata expiration check: 1:26:02 ago on Mon Mar 28 20:51:56 2016.
Dependencies resolved.
================================================================================
 Package                        Arch        Version     Repository         Size
================================================================================
Installing:
 rpmfusion-free-release         noarch      23-0.1      @commandline       19 k
 rpmfusion-nonfree-release      noarch      23-0.1      @commandline       19 k

Transaction Summary
================================================================================
Install  2 Packages

Total size: 39 k
Installed size: 20 k
Is this ok [y/N]: y
Downloading Packages:
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
  Installing  : rpmfusion-free-release-23-0.1.noarch                        1/2 
  Installing  : rpmfusion-nonfree-release-23-0.1.noarch                     2/2 
warning: rpmfusion-nonfree-release-23-0.1.noarch: Header V4 RSA/SHA1 Signature, key ID 5ca6c469: NOKEY
  Verifying   : rpmfusion-nonfree-release-23-0.1.noarch                     1/2 
  Verifying   : rpmfusion-free-release-23-0.1.noarch                        2/2 

Installed:
  rpmfusion-free-release.noarch 23-0.1  rpmfusion-nonfree-release.noarch 23-0.1 

Complete!
[user@localhost ~]$ su -c 'dnf install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-$(rpm -E %fedora).noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-$(rpm -E %fedora).noarch.rpm'
Password: 
RPM Fusion for Fedora 23 - Nonfree              590 kB/s | 218 kB     00:00    
RPM Fusion for Fedora 23 - Free                 719 kB/s | 738 kB     00:01    
RPM Fusion for Fedora 23 - Free - Test Updates  643 kB/s | 328 kB     00:00    
RPM Fusion for Fedora 23 - Nonfree - Test Updat 363 kB/s | 104 kB     00:00    
Last metadata expiration check: 0:00:00 ago on Mon Mar 28 22:19:23 2016.
Package rpmfusion-nonfree-release-23-0.1.noarch is already installed, skipping.
Package rpmfusion-free-release-23-0.1.noarch is already installed, skipping.
Dependencies resolved.
Nothing to do.
Complete!

edit retag flag offensive close merge delete

Comments

HUUUUGE BUG!!!

gobigobi66 ( 2016-04-19 21:37:34 -0600 )edit

add a comment

2

answered 2016-03-28 15:09:19 -0600

florian
11133 ●77 ●349 ●331

updated 2016-03-28 15:39:49 -0600

rpmfusion packages are signed with a GPG signature from rpmfusion, and dnf automatically checks those keys, unless you specify --nogpgcheck.

I am pretty sure you do have the relevant rpmfusion gpg keys installed on your system. They are located in /etc/pki/rpm-gpg/. List them with ls -l /etc/pki/rpm-gpg/RPM-GPG-KEY-rpmfusion-*.

edit flag offensive delete link

Comments

The rpmfusion keys are installed when rpmfusion-free-release-23-0.1.noarch and rpmfusion-nonfree-release-23-0.1.noarch are installed so only then any packages from rpmfusion (e.g. vlc) are verified with the keys. My question was why those two packages are installed because the Fedora 23 doesn't come with rpmfusion keys preinstalled ?

vlad1020 ( 2016-03-28 15:23:17 -0600 )edit

So, looks like my answer may be valid in theory only because of is this bug @vtrefny is mentioning.

florian ( 2016-03-28 15:39:06 -0600 )edit

add a comment

3

answered 2016-03-28 15:24:32 -0600

vtrefny

1797 ●7 ●27 ●47 http://blog.vojtechtre...

Seems to be a bug in Fedora 23 -- https://bugzilla.redhat.com/show_bug.... -- but only with packages installed locally (using an url or when installing manually downloaded packages) when you don't have the key.

edit flag offensive delete link

Comments

Uuuuh. That's a bad one. Good catch.

florian ( 2016-03-28 15:37:29 -0600 )edit

1

IMO big security issue and still no fix after 3 months...

vlad1020 ( 2016-03-28 15:42:25 -0600 )edit

Apparently, also for url packages, not only local/downloaded packages): https://bugzilla.redhat.com/show_bug....

florian ( 2016-05-18 10:12:35 -0600 )edit

add a comment

1

answered 2016-04-18 19:53:37 -0600

sergiomb

3932 ●13 ●65 ●83 http://www.serjux.com/

I think this duplicated question with: https://ask.fedoraproject.org/en/ques...

You may do :

rpm --import "http://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-free-fedora-23" "http://rpmfusion.org/keys?action=AttachFile&do=get&target=RPM-GPG-KEY-rpmfusion-nonfree-fedora-23"
dnf install http://download1.rpmfusion.org/free/fedora/rpmfusion-free-release-23.noarch.rpm http://download1.rpmfusion.org/nonfree/fedora/rpmfusion-nonfree-release-23.noarch.rpm

with gpg verification, so no need use --nogpg.

edit flag offensive delete link

add a comment

Why RpmFusion is installed if no key is installed ?

Comments

3 Answers

Comments

Comments

Question Tools

Stats

Related questions

Why RpmFusion is installed if no key is installed ? edit

Comments

3 Answers

Comments

Comments

Question Tools

Stats

Related questions

Why RpmFusion is installed if no key is installed ?