Improving CentOS package delivery security with signed repository metadata
Monday, 9, July 2018 Neal Gompa altarch, announcement, builds, distro, General No Comments

With the release of CentOS 7.5.1804, the CentOS Project has taken the next big step in improving software delivery security by signing all repository metadata for CentOS 6 and CentOS 7 for all architectures, including the repositories for CentOS Special Interest Groups (SIGs) produced by the CentOS Community Build System (CBS).

Wait, what do you mean signed repository metadata?

As most users of Linux distributions know, software is delivered in the form of “packages” to users through repositories. Packages are installed by their package manager (such as YUM or DNF) by fetching information about the repository to identify what it can get to do a particular user action (install new package, upgrade existing ones, and so on).

But how do you validate that the software you are getting is the software you are supposed to get? Most Linux distributions do this by digitally signing the packages using a signature that uniquely identifies the distributor via GPG. The advantage of this is that no matter what mechanism you receive the package (via repository, direct download, or on a flash drive), you can validate the signature and be assured it is a package from the distribution.

But there is a gap here: how are you assured that the repository hasn’t been tampered with? This is a specific type of vulnerability that applies only to package repositories, because they provide files that contain an index of the software in the repository, and how to fetch them. The way to close this hole is to provide a means of verifying the repository metadata is good, too. This allows the package manager to verify that the metadata is what it should be and is from the distribution before starting to process the metadata. This can help with avoiding certain types of attacks due to malformed metadata files.

We started doing this in 2015 for the main CentOS core repositories, and now we’re offering this for all repositories published by the CentOS Project.

Sounds great! How do I use it?

At the time of this writing, we do not automatically validate the repository metadata. If you want to do this, simply add the following line to the YUM repository configuration file (They are *.repo files in /etc/yum.repos.d):

repo_gpgcheck=1

If you want to enforce this globally, you can set this in /etc/yum.conf instead, though be warned that repositories like Fedora EPEL will not work since Fedora Infrastructure is currently working on signing repository metadata.

I’m a SIG maintainer and I’d like to have this by default, what do I do?

Great question! If you’re a SIG maintainer and manage the repository configuration package (i.e. centos-release-* packages), then you can choose to make this the new default for repository configuration.

To do so, just simply add “repo_gpgcheck=1” to the .repo files in your package, and it will enable it. On next update, if the user hasn’t touched/modified the *.repo files, it’ll switch on. New installations will get it as well, too.

Again, though, if you use Fedora EPEL in your repo configuration, you must not add the setting to the EPEL section in your configuration.

Leave a Reply

Your email address will not be published. Required fields are marked *