Proposal: Discourage rpmbuild --sign

Warren Togami warren at togami.com
Wed Dec 31 12:42:28 UTC 2003


Proposal
========
rpm-4.2.2 in rawhide and all future versions should discourage the use 
of rpmbuild --sign.  Perhaps this can be done effectively by adding a 
large and annoying warning message and 15 second delay.  Or disable it 
completely.  I don't care how, just discouragement should be done.

Why?

By allowing rpmbuild --sign to be not annoying, people tend to 
think that it is the proper way to build and sign packages.  This is 
totally not the case for one key reason: Safety.

It is possible, however unlikely, that trojans hiding within SRPMS that 
you build could steal your GPG keys, since they are running as the same 
user as the GPG signing keys.  They have access to memory used by gnupg, 
as well as access to the files in ~/.gnupg.  The passphrases can be 
stolen, or the files themselves stolen and the passphrase cracked.  (It is a 
lot easier to crack a passphrase when you have both the private and 
public key.)

When a user attempts rpmbuild --sign, the warning message should 
indicate that it is bad, and to read a webpage at rpm.org for more 
information.  That webpage should explain in detail why it is a bad 
practice, and the following proper safer procedure.

1) rpmbuild as non-root user foo.
2) Copy the packages to non-root user foobar.
3) Use rpm --addsign to sign packages as non-root user foobar.

Protection of GPG keys must be of the highest importance, and I know for 
a fact that some of the popular 3rd party repositories are still using 
rpmbuild --sign.  The risk to the community is just too great, and the 
mitigating fix for this is exceedingly simple.

Sane idea?

Warren Togami
warren at togami.com
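The three-step split described in the post, as an added example (not from the original message): a POSIX shell sketch that refuses to run rpmbuild from an account holding GnuPG secret material, and signs in a separate account with rpm --addsign. The user names foo and foobar follow the post; the drop directory path and the %_gpg_name setting are assumptions.

```shell
#!/bin/sh
# Added example, not part of the original post. Enforces the build/sign split:
# the build account must hold no GPG secret material, so a hostile %prep/%build
# script running as that user has no keyring to read. Names are assumptions.

# Return 0 if the given GnuPG home holds no secret keys, 1 if it does.
# gnupg 1.x keeps secrets in secring.gpg; gnupg 2.1+ in private-keys-v1.d/.
gnupg_home_is_clean() {
    dir=$1
    [ -d "$dir" ] || return 0
    [ -s "$dir/secring.gpg" ] && return 1
    if [ -d "$dir/private-keys-v1.d" ] &&
       [ -n "$(ls -A "$dir/private-keys-v1.d" 2>/dev/null)" ]; then
        return 1
    fi
    return 0
}

# Step 1: run as the unprivileged build user "foo". Never pass --sign here.
build_as_foo() {
    srpm=$1
    gnupg_home_is_clean "${GNUPGHOME:-$HOME/.gnupg}" || {
        echo "refusing to build: this account holds GPG secret keys" >&2
        return 1
    }
    rpmbuild --rebuild "$srpm"
}

# Step 2 and 3: run as the signing user "foobar". Copy the finished packages
# into foobar's own tree (drop directory is an assumed path), then sign them
# there; the key is selected by %_gpg_name in foobar's ~/.rpmmacros.
sign_as_foobar() {
    incoming=${INCOMING:-/var/tmp/incoming}   # assumed drop directory
    for pkg in "$@"; do
        cp "$pkg" "$incoming/" || return 1
        rpm --addsign "$incoming/$(basename "$pkg")" || return 1
    done
}

# Usage (each line in its respective account):
#   foo$    build_as_foo foo-1.0-1.src.rpm
#   foobar$ sign_as_foobar /home/foo/rpmbuild/RPMS/*/*.rpm
case ${1:-} in
    build) shift; build_as_foo "$@" ;;
    sign)  shift; sign_as_foobar "$@" ;;
esac
```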