sailfishos-chum
Integrity protection for downloaded RPMs
When installing from chum, it downloads the packages via http and does not check any GPG signatures (because there are none). This means that, right now, any one who can hijack an HTTP connection can make you install & execute arbitrary code (which we don't want, duh).
I see some possible (quick) fixes:
- enable HTTPS on repo.merproject.org Apparently this is what Jolla does right now for their own repos. No GPG signatures as well but at least some transport protection. On repo.merproject.org, TLS support appears to be available but the configuration seems to be broken...
- GPG sign all packages in sailfishos:chum
- figure out a way to use OpenBSD's signify with RPMs
What are the plans on this? The first option might be the most preferable right now, but the latter could be the best in the long term.
https is now available, we will have to enable it by default in chum meta-package
Just released repositories definitions (package sailfishos-chum) which switches to https. In few minutes, running update
zypper ref
zypper up
should result in update of that package and Chum repositories should switch to https.
As for signing, not yet there and I don't think anyone is working on it now.
If I'm not mistaken, only Jolla can help here since they need to have a publicly visible [email protected] address and public key AND set up the rpm signing. There isn't really anything we can do, is there?
