On 2016-06-18 01:41, Andrew David Wong wrote:
> On 2016-06-17 21:22, Andrew David Wong wrote:
>> On 2016-06-17 18:02, raahe...@gmail.com wrote:
>>> But what if when it says it can't verify key signatures 
>>> possibly? Will it automatically hit Y to continue? I wouldn't 
>>> like that. Or what about any possible error messages? I still 
>>> like to see the text on the screen.
> 
> 
>> The last time this question came up, the answer was "no, it would
>> not automatically say 'yes' to installing a package whose 
>> signature cannot be verified."
> 
>> If that turns out to be false, then I'll have to assume that all 
>> of my templates are compromised.
> 
> 
> I decided to test this, just to make sure. Here's how I tested:
> 
> 1. Installed fedora-23-minimal from the Qubes repos.
> 
> 2. Inside fedora-23-minimal, renamed all the keys in 
> /etc/pki/rpm-gpg.
> 
> 3. Erased all keys that had been imported in rpm with this 
> command:
> 
> # rpm -e --allmatches gpg-pubkey-{hash}
> 
> (Repeated for each gpg-pubkey-{hash}.)
> 
> 4. From dom0, ran this command:
> 
> $ qvm-run -a -p -u root fedora-23-minimal 'dnf -y upgrade'
> 
> 5. Received this output from the template during the attempted 
> upgrade:
> 
> warning: /var/cache/dnf/updates-e042e478e0621ea6/packages/sqlite-libs-3.11.0-3.fc23.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 34ec9cba: NOKEY
> 
> Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64 [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64]
> 

Just to clarify: The update simply aborted after this. DNF did not
install or upgrade any packages, and no entry was made in dnf's
history log.

So, this is something that you'd notice only if you occasionally
grepped through your automatic update log (if you do automatic
updates). But at least you'd never automatically upgrade any
unverified packages. At worst, you'd just not upgrade any (which is
why it's important to check the log once in a while -- to make sure
you're still getting updates on all templates).

> So, it looks like using the '-y' (assumeyes) option is indeed safe 
> as far as PGP/GPG signature verification on packages is concerned.
> 
> If anyone has reason to suspect otherwise, or sees a flaw in this 
> test, please do let us know.
> 
> 

- -- 
Andrew David Wong (Axon)
Community Manager, Qubes OS
https://www.qubes-os.org
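
The occasional log check recommended in the message above, sketched as an added example that is not part of the original message or of Qubes OS. It assumes each template's `dnf -y upgrade` output was saved to its own file; the function names, file names and the "ok" sample log are constructed, and the success markers rely on dnf printing "Complete!" or "Nothing to do." at the end of a finished run.

```shell
#!/bin/sh
# Added example. Assumption: each template's upgrade output was saved to
# its own file, e.g. from dom0:
#   qvm-run -a -p -u root TEMPLATE 'dnf -y upgrade' > TEMPLATE.log 2>&1

# Print "unverified" if the log shows a signature that could not be checked,
# "ok" if dnf reported a finished run, otherwise "unknown" (read it by hand).
classify_update_log() {
    if grep -Eq 'Signature, key ID [0-9a-fA-F]+: NOKEY|Curl error \(37\).*rpm-gpg' "$1"; then
        echo unverified
    elif grep -Eq '^(Complete!|Nothing to do\.)' "$1"; then
        echo ok
    else
        echo unknown
    fi
}

# Print the unique key IDs that rpm reported as missing (NOKEY).
missing_key_ids() {
    sed -n 's/.*Signature, key ID \([0-9a-fA-F]*\): NOKEY.*/\1/p' "$1" | sort -u
}

# Write two constructed sample logs into directory $1.
write_sample_logs() {
    # Failure case: the two messages quoted in this thread, unwrapped.
    cat > "$1/fedora-23-minimal.log" <<'EOF'
warning: /var/cache/dnf/updates-e042e478e0621ea6/packages/sqlite-libs-3.11.0-3.fc23.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 34ec9cba: NOKEY
Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64 [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64]
EOF
    # Success case: constructed; relies on dnf ending a finished run with "Complete!".
    cat > "$1/fedora-23.log" <<'EOF'
Upgraded:
  sqlite-libs.x86_64 3.11.0-3.fc23
Complete!
EOF
}

# Demo: classify every sample log and list any missing key IDs.
demo_dir=$(mktemp -d)
write_sample_logs "$demo_dir"
for f in "$demo_dir"/*.log; do
    printf '%s: %s %s\n' "$(basename "$f" .log)" \
        "$(classify_update_log "$f")" "$(missing_key_ids "$f")"
done
rm -rf "$demo_dir"
```

A template that reports "unverified" or "unknown" on every run is one that has stopped receiving updates, which is the condition the message says to watch for.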