
Document if delta RPMs are signed

Open DemiMarie opened this issue 4 years ago • 8 comments

Are delta RPMs signed?

DemiMarie avatar Feb 04 '21 19:02 DemiMarie

They are normal rpms with just a different payload, so they can be signed as well. I don't know about Fedora, but SUSE signs the generated delta rpms.

As they completely live outside of rpm I don't see why the rpm project should document something about them.

mlschroe avatar Feb 05 '21 15:02 mlschroe

The bigger question is whether DNF verifies these signatures.

DemiMarie avatar Feb 05 '21 18:02 DemiMarie

I've taken some random drpm from a Fedora repo: https://ftp-stud.hs-esslingen.de/pub/fedora/linux/updates/33/Everything/x86_64/drpms/firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm It is not only not signed, but the package digest doesn't match either:

$ rpm -K firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm
firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm: DIGESTS NOT OK

It looks like the header is from the new package (which matches the vague description in https://github.com/rpm-software-management/deltarpm/blob/master/README). If that's really the case, the signature in the header can't possibly match the deltarpm payload, because it is a different payload than the target rpm package. I think what @DemiMarie asked is whether the format permits a signature check before processing the actual payload. My understanding is: it does not.

marmarek avatar Feb 07 '21 01:02 marmarek

Indeed that is what I am asking. If @marmarek is correct, then this is a serious security weakness in the delta RPM format, and delta RPMs should be disabled by default. The same reasoning for RPM Copy on Write applies here.

DemiMarie avatar Feb 08 '21 10:02 DemiMarie

The signatures of a delta rpm are in its signature header, that's why they match the deltarpm payload and not the original rpm payload.

The exception is the new RPMTAG_PAYLOADDIGEST/RPMTAG_PAYLOADDIGESTALGO tags that have been added a couple of months ago. Maybe that's what rpm -K complains about... (maybe add the -v option to get more output?) We'd need to tweak them like we do with the payloadcompressor to make them match.

mlschroe avatar Feb 08 '21 16:02 mlschroe

Yes, it seems so:

firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm:
    Payload SHA256 ALT digest: BAD (Expected df190725901ecc553c9002649c70c95adb9a12bd934f7bf1d9e2fb5458b45fb8 != d9c8f0e9dc1f4f1351fce180f8757b646d0a4d8724960a6e02a9e4b9bfc56d70)
    Payload SHA256 digest: BAD (Expected 42d6bbdfcdbbd4deb4211b1bcc565454ccc751648f051933ed25e26bcf3a56c9 != d9c8f0e9dc1f4f1351fce180f8757b646d0a4d8724960a6e02a9e4b9bfc56d70)
    MD5 digest: OK

marmarek avatar Feb 08 '21 16:02 marmarek
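A pre-apply check built on the `rpm -Kv` output quoted above, as an added example (not code from the deltarpm project or from anyone in this thread): it classifies a drpm as signed, unsigned or badly signed from rpm's verbose verify output, and reports the payload-digest mismatch separately, since the thread shows that mismatch is expected when the drpm carries the target rpm's header. The `Signature, key ID ...: OK` line format is an assumption about rpm's output, and the sample outputs are constructed.

```shell
#!/bin/sh
# Added example (not from the deltarpm project): read `rpm -Kv` output for a .drpm
# from stdin and classify it. The "Signature, key ID ...: OK" line format is an
# assumption about rpm's verbose verify output; the samples below are constructed.
# Verdicts:
#   SIGNED_OK  - a signature line verified OK and none failed
#   SIG_BAD    - at least one signature line reported BAD / NOKEY / NOTTRUSTED
#   UNSIGNED   - no signature line at all (rpm -K only checked digests)
# Digest lines do not decide the verdict: a drpm built with the target rpm's
# header carries RPMTAG_PAYLOADDIGEST values that cannot match the delta payload,
# so "Payload SHA256 digest: BAD" is expected there. They are counted and
# reported on stderr so the operator still sees them.
drpm_verdict() {
    awk '
        /Signature, key ID/ { if ($0 ~ /: OK$/) ok++; else bad++ }
        /digest: BAD/       { dbad++ }
        END {
            if (bad > 0)     print "SIG_BAD"
            else if (ok > 0) print "SIGNED_OK"
            else             print "UNSIGNED"
            if (dbad > 0)
                print "note: " dbad " digest line(s) BAD (expected for drpm payload digests)" > "/dev/stderr"
        }'
}
# Gate: only hand the delta to the reconstruction step when the verdict is SIGNED_OK.
# Usage: drpm_gate file.drpm  (runs rpm -Kv for real; not exercised by the samples)
drpm_gate() {
    v=$(rpm -Kv "$1" | drpm_verdict) || return 1
    [ "$v" = "SIGNED_OK" ]
}
# Constructed samples modelled on the output quoted in the thread (hashes are placeholders).
SAMPLE_UNSIGNED='firefox-x11-85.0-5.fc33_85.0-8.fc33.x86_64.drpm:
    Payload SHA256 ALT digest: BAD (Expected aaaa != bbbb)
    Payload SHA256 digest: BAD (Expected cccc != bbbb)
    MD5 digest: OK'
SAMPLE_SIGNED='example.drpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Payload SHA256 digest: BAD (Expected aaaa != bbbb)
    MD5 digest: OK'
SAMPLE_NOKEY='example.drpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    MD5 digest: OK'
printf '%s\n' "$SAMPLE_UNSIGNED" | drpm_verdict   # UNSIGNED
printf '%s\n' "$SAMPLE_SIGNED"   | drpm_verdict   # SIGNED_OK
printf '%s\n' "$SAMPLE_NOKEY"    | drpm_verdict   # SIG_BAD
```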

@mlschroe can we add signature verification functionality to the deltarpm tool, and turn it on by default? I can’t think of many legit use cases for unsigned delta RPMs.

DemiMarie avatar Feb 08 '21 18:02 DemiMarie

You're supposed to use rpm to check the signature of the delta rpm.

(Also note that the repodata usually contains a checksum for the delta rpm, so it's more like how much you trust the metadata.)

mlschroe avatar Feb 09 '21 09:02 mlschroe