RHEL Conversions / RHELC-600

Set gpgcheck=1 for ubi and centos6 repos


    • 1
    • 2022-Q3

      In subscription.py we create yum repo files so that subscription-manager and related packages can be downloaded from UBI. Those repo files currently set gpgcheck=0; they should set gpgcheck=1 instead.

      This is not easily exploitable, since we also hard-code the https URL of the UBI repos, so an attacker would need access to our CDN in order to upload malicious packages.

      Related Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=2086827

      Setting gpgcheck=1 does not enable package signature verification when packages are downloaded from the repos; it enables it when packages are installed from the repos directly. That is what we need to do under RHELC-601.
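As an added illustration (this is example code written for this page, not code from convert2rhel or from the issue reporter), the following renders a yum repo section the weak way (gpgcheck=0, as the issue describes) and the corrected way (gpgcheck=1 with a gpgkey), and lints the result the way a reviewer would. It also shows the explicit `rpm --checksig` step that the download-then-install path needs, since the repo setting only governs installs performed by yum itself. The section names, the baseurl and the gpgkey path are assumptions made for the example; the real convert2rhel values are not on this page.

```python
import configparser
import subprocess
from typing import Dict, List, Optional

# Assumed values for the example only; the actual UBI URL and key path used by
# convert2rhel are not given on the page.
UBI_BASEURL = "https://cdn.example.com/ubi/dist/ubi8/8/$basearch/baseos/os"
RH_GPGKEY = "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"


def render_repo(name: str, baseurl: str, gpgcheck: int, gpgkey: Optional[str] = None) -> str:
    """Return the text of one yum repo section; gpgcheck=0 is the 'before',
    gpgcheck=1 plus a gpgkey is the 'after' of the fix described in the issue."""
    lines = [
        "[%s]" % name,
        "name=%s" % name,
        "baseurl=%s" % baseurl,
        "enabled=1",
        "gpgcheck=%d" % gpgcheck,
    ]
    if gpgkey:
        lines.append("gpgkey=%s" % gpgkey)
    return "\n".join(lines) + "\n"


def lint_repo_file(text: str) -> Dict[str, List[str]]:
    """Parse repo-file text and report, per section, why it is unsafe.

    Checks: gpgcheck must be 1; a gpgkey must be configured (gpgcheck=1 with no
    key makes yum fail rather than verify anything); and repo URLs must be https
    so metadata and packages cannot be swapped in transit.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}  # type: Dict[str, List[str]]
    for section in parser.sections():
        problems = []
        if parser.get(section, "gpgcheck", fallback="0") != "1":
            problems.append("gpgcheck is not 1: yum will install unsigned or tampered packages")
        if not parser.get(section, "gpgkey", fallback=""):
            problems.append("no gpgkey: nothing to verify signatures against")
        for key in ("baseurl", "mirrorlist", "metalink"):
            url = parser.get(section, key, fallback="")
            if url and not url.startswith("https://"):
                problems.append("%s is not https: %s" % (key, url))
        if problems:
            findings[section] = problems
    return findings


def verify_downloaded_rpms(paths: List[str]) -> Dict[str, bool]:
    """Explicit signature check for packages that were downloaded first and will
    be installed with rpm directly, the case the repo file's gpgcheck does not cover.

    `rpm --checksig` exits non-zero and prints "NOT OK" for any package whose
    signature or digest fails, or whose signing key is not imported. Requires rpm
    on PATH, so this is not exercised offline.
    """
    results = {}  # type: Dict[str, bool]
    for path in paths:
        proc = subprocess.run(["rpm", "--checksig", path], capture_output=True, text=True)
        results[path] = proc.returncode == 0 and "NOT OK" not in proc.stdout
    return results


if __name__ == "__main__":
    weak = render_repo("ubi", UBI_BASEURL, gpgcheck=0)
    fixed = render_repo("ubi", UBI_BASEURL, gpgcheck=1, gpgkey=RH_GPGKEY)
    print("weak repo findings:", lint_repo_file(weak))
    print("fixed repo findings:", lint_repo_file(fixed))
```

Note that `lint_repo_file` treats a missing gpgkey as a finding even when gpgcheck=1, because yum cannot verify without a key to import; and that for packages pulled down with a downloader and then installed with `rpm -i`, only the explicit `rpm --checksig` style check in `verify_downloaded_rpms` (or an equivalent) actually verifies anything, which is the gap the text above points at.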

      Acceptance criteria:

              Toshio Kuratomi (tkuratom@redhat.com)
              Anna Marie Syed (Inactive), Freya Gustavsson, Michal Bocek