No package verification nor download integrity on CentOS/RHEL repositories
|Assignee:||Vlastimil Holer||% Done:|
|Target version:||Release 5.4|
|Affected Versions:||OpenNebula 4.0, OpenNebula 4.10, OpenNebula 4.12, OpenNebula 4.14, OpenNebula 4.2, OpenNebula 4.4, OpenNebula 4.6, OpenNebula 4.8, OpenNebula 5.0|
There is a major security issue regarding the packages for CentOS/RHEL.
Not only is there no GPG signature that can be checked, but HTTPS is not enabled as well.
Someone can effectively man in the middle the repository and no one would be able to tell the difference. This can allow for remote code execution in sensitive environments.
The proper fix for this, and what any major project should be doing is, to sign the packages with GPG and enable the key check. You can require a key download as part of the step, just ensure it is either done over HTTPS or that there is another way to check the key integrity.
If this is somehow not feasible, one can enable HTTPS on the repository server. Since Let's Encrypt has become public there is no reason for software source to not be served securely nor without signatures.
#4 Updated by Javi Fontan over 4 years ago
- Assignee set to Javi Fontan
From now on the new repositories will have both the rpm packages and repository signed. The key is the same as Debian repos (https://downloads.opennebula.org/repo/Debian/repo.key).
Also the downloads server can now be accessed using https (Let's Encrypt certificates).
I'll leave this ticket open to update the documentation and testing environment. Here is the repo conf to use as base for documentation:
[opennebula] name=opennebula baseurl=https://downloads.opennebula.org/repo/... enabled=1 gpgcheck=1 repo_gpgcheck=1 gpgkey=https://downloads.opennebula.org/repo/Debian/repo.key
repo_gpgkey really needed?
#6 Updated by Vlastimil Holer over 4 years ago
- Pull request set to https://github.com/OpenNebula/docs/pull/87/commits/5a2097c8f45d9144bae5b820c3d18b9fc1154efa
- https is used for (apt/yum) repositories and
- gpgcheck=1 is enabled (leaving repo_gpgcheck commented) for yum.