Yes, also further to Mario's comment (you do need to restart the daemon), you also need to clear the persistent gpg2 keyring. I perhaps wasn't clear: we're also using the persistent keyring store -- using commit https://github.com/hughsie/fwupd/commit/e4141f4f234d258424020069dadf8df39848a119 I see (using the defaults):

    11:14:53 importing key 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2 [0] Success
    11:14:53 Using signature fingerprint 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2

And then, if I replace the LVFS key in fwupd-metadata with another (e.g. RPM-GPG-KEY-rpmfusion-nonfree-fedora-25) and restart the daemon:

    11:21:24 Adding public key /etc/pki/fwupd-metadata/RPM-GPG-KEY-rpmfusion-nonfree-fedora-25
    11:21:24 importing key DD7525B6184B0512AA8CB1002E59159B96CA6280 [0] Success
    11:21:24 Using signature fingerprint 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2

So it is somewhat confusing that we're still using the "removed" LVFS key for verification success. I suppose it's a bug that we're using the default persistent store (of root), which I suppose could be fixed using gpgme_ctx_set_engine_info() and setting the homedir to something like /usr/lib/fwupd -- although this might not be expected if you want to just import a key as a root user and then expect it to just work with fwupd. So, certainly not a CVE, but somewhat non-obvious. I'd be open to changing the keyring to be fwupd-specific (and adding docs) if this would make things more obvious, although I'd have to check with the Red Hat security team again before doing so.

As for changing /tmp/firmware.xml.gz.asc, I'm not exactly sure what you mean; there is of course no inotify watch there. We download the files and then open them, sending the file descriptors to the daemon rather than a filename or data blob. The download check is being done on the large firmware files themselves, using the data from the metadata, so I'm a little confused about what you're trying to do. If you want to test corrupting the metadata or signing files, the best way to do this would be to edit fu-util.c and modify the data before it gets squirted to the daemon as a pair of file descriptors.

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/1536871
Title: [MIR] fwupd
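The keyring behaviour described in the message above (a key that was removed from /etc/pki/fwupd-metadata still verifies because the check consults the persistent default keyring of the user running the daemon, whereas pinning the verifier to its own homedir would make it trust only keys imported there) can be reproduced with plain gpg and two throwaway homedirs. The script below is an added example, not code from the fwupd project or from this bug thread; it uses gpg's --homedir option, which is the same homedir mechanism gpgme_ctx_set_engine_info() would set for the daemon. It assumes GnuPG 2.x (gpg and gpgconf) is on PATH, builds all keyrings under a temporary directory so the real ~/.gnupg and /etc/pki are never touched, and signs a constructed stand-in for firmware.xml.gz with a throwaway key.

```shell
#!/bin/sh
# Added example (not fwupd code): show which keyring a signature check actually
# consults. "root-gnupg" stands in for root's default ~/.gnupg, "fwupd-gnupg"
# for a fwupd-specific homedir. Assumes GnuPG 2.x on PATH; runs entirely in a
# temporary directory.
set -e

# Generate a throwaway vendor key, sign a constructed metadata file with it,
# and export the public key (the "metadata signing key" an admin would import).
make_signed_metadata() {
    vendor="$1"
    mkdir -p "$vendor" && chmod 700 "$vendor"
    gpg --homedir "$vendor" --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --quick-generate-key 'fwupd keyring example <example@invalid>' default default never
    printf '<components>constructed metadata</components>\n' > "$vendor/firmware.xml"
    gpg --homedir "$vendor" --batch --quiet --yes --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$vendor/firmware.xml.asc" "$vendor/firmware.xml"
    gpg --homedir "$vendor" --batch --quiet --armor --export > "$vendor/pubkey.asc"
}

# Verify a detached signature using ONLY the given homedir's keyring.
# Prints "ok" for a good signature, "missing" when that keyring cannot verify it.
verify_with_homedir() {
    if gpg --homedir "$1" --batch --quiet --verify "$2" "$3" >/dev/null 2>&1; then
        echo ok
    else
        echo missing
    fi
}

# Run the three checks and report them on one line. Prints "gpg-not-available"
# (and still succeeds) on hosts without GnuPG so the script degrades cleanly.
demo_keyring_isolation() {
    if ! command -v gpg >/dev/null 2>&1; then
        echo "gpg-not-available"
        return 0
    fi
    work=$(mktemp -d)
    vendor="$work/vendor"
    default_home="$work/root-gnupg"   # stand-in for root's ~/.gnupg
    fwupd_home="$work/fwupd-gnupg"    # stand-in for a fwupd-specific homedir
    make_signed_metadata "$vendor"
    for d in "$default_home" "$fwupd_home"; do mkdir -p "$d"; chmod 700 "$d"; done

    # Import the key only into the default keyring, as 'gpg --import' run as
    # root would; the fwupd-specific keyring stays empty.
    gpg --homedir "$default_home" --batch --quiet --import "$vendor/pubkey.asc" 2>/dev/null

    sig="$vendor/firmware.xml.asc"; data="$vendor/firmware.xml"
    r1=$(verify_with_homedir "$default_home" "$sig" "$data")  # ok: key is present there
    r2=$(verify_with_homedir "$fwupd_home" "$sig" "$data")    # missing: isolated keyring
    gpg --homedir "$fwupd_home" --batch --quiet --import "$vendor/pubkey.asc" 2>/dev/null
    r3=$(verify_with_homedir "$fwupd_home" "$sig" "$data")    # ok: now explicitly imported

    # Stop the per-homedir agents gpg started, then discard everything.
    for d in "$vendor" "$default_home" "$fwupd_home"; do
        gpgconf --homedir "$d" --kill gpg-agent >/dev/null 2>&1 || true
    done
    rm -rf "$work"
    echo "default:$r1 fwupd:$r2 fwupd-after-import:$r3"
}

DEMO_RESULT=$(demo_keyring_isolation)
echo "$DEMO_RESULT"
```

The line it prints, "default:ok fwupd:missing fwupd-after-import:ok", is the whole point: a verifier that shares root's default keyring keeps accepting any key root ever imported, so deleting the file under /etc/pki/fwupd-metadata changes nothing until that keyring is cleared; a verifier pinned to its own homedir accepts only what was imported into that directory, which is the behaviour a dedicated fwupd keyring (and the accompanying documentation) would make explicit.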
