I am not very familiar with using yum to install packages. In a previous life I used apt.
Currently, I am looking at some instructions to run
# yum install http://example.com/package.rpm
which apparently will subscribe to a particular repository, from which further packages can be downloaded. Is this a safe thing to do?
For comparison, I know that apt packages have gpg signatures which means that downloads over http are not a problem. As described here. And when downloading packages outside the main repositories with apt, you can manually add a gpg key for apt to accept, to ensure that any non-standard packages have the same trusted source.
If I run the above command, will yum ask me to accept a gpg key before it starts installing things, or could it just install anything?
In case it is relevant, my `/etc/yum.conf` file contains `gpgcheck=1` inside the `[main]` section.
Best Answer
There's a bit to explain with your question.
Firstly, it's important to understand how YUM and `rpm` work together:

- `rpm`, which installs individual RPM packages. You can think of the `rpm` command line tool as analogous to the `dpkg` command line tool, as both install individual packages without their dependencies.
- `yum` is a higher-level program which installs an RPM package and its dependencies. You can think of the `yum` command as analogous to `apt-get`, as both can install a package and all of its dependencies.
- With `yum install` you should use the package name, not the URL. For example: `yum install package`, similar to how you would run `apt-get install package`.
- You can run `rpm -i https://url`, but if you don't have the dependencies of the package installed, you will need to install them either one by one with `rpm -i` (painful) or with `yum` and a configured repository.

Now, as far as GPG goes there are a few things to understand that apply to both the Debian and RPM packaging systems, but the most important things to understand are:

As far as RPM and YUM GPG signatures:

- The key is specified with `gpgkey=https://example/gpg.key` or `gpgkey=/usr/share/example/gpg.key`. You can specify multiple GPG keys, if more than one is needed.
- `gpgcheck=1` and `repo_gpgcheck=1`. The first option causes `yum install` to verify the GPG signature on the package itself; the second option verifies the GPG signature of the repository. Ideally, you should use both, but many repositories are not properly configured to support both.
- When running `yum install`, `yum` will attempt to import the GPG keys listed at `gpgkey` if they have not yet been imported. You will be prompted and asked to accept or decline.
- The `pygpgme` package must be installed on your system for GPG signatures to be verified. On most recent versions of RHEL and CentOS `pygpgme` is automatically installed as a dependency of `yum`, but you should verify that it is installed on your system.
- Unlike APT, which needs `apt-transport-https`, `yum` can speak over HTTPS out of the box, but you should ensure that the version of `yum` you are using has the `sslverify` option defaulted to enabled; some versions of `yum` do not. If your version does not, you should set it to enabled. It is critical to verify SSL certificates.

Even with GPG signatures on both the packages and the repositories, repositories are still vulnerable to replay attacks; you should access your repositories over HTTPS if at all possible. The short explanation of one attack is that a malicious attacker can snapshot repository metadata and the associated GPG signature at a particular time and replay that metadata and signature to a client which requests it, preventing the client from seeing updated packages. Since the metadata is not touched, the GPG signature will be valid. The attacker can then use an exploit against a known bug in the software that was not updated to attack the machine. You can read more about attacks on package managers in this paper.
I wrote two extensive blog posts about GPG and YUM / rpm as well as GPG and APT.
Please leave a comment if you have additional questions that I can answer; package management is incredibly hard to do correctly.
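As an added illustration (not part of the original question or answer), a small POSIX shell script that audits a yum `.repo` file for the settings the answer lists: `gpgcheck=1`, `repo_gpgcheck=1`, a `gpgkey`, `sslverify`, and an HTTPS `baseurl`. The two sample `.repo` files are constructed here; the `example.com` URLs and section names are placeholders, and a POSIX awk is assumed.

```shell
#!/bin/sh
# audit_repo FILE: check every [section] of a yum .repo file for the settings
# discussed in the answer. Prints one line per weak setting; exit status is
# 0 when nothing is flagged and 1 otherwise. Assumes a POSIX awk.
audit_repo() {
    awk '
    function report(sec,  k) {
        if (sec == "") return
        if (v["gpgcheck"] != "1")      { print sec ": gpgcheck is not 1 (package signatures not verified)"; bad++ }
        if (v["repo_gpgcheck"] != "1") { print sec ": repo_gpgcheck is not 1 (repository metadata not verified)"; bad++ }
        if (v["gpgkey"] == "")         { print sec ": no gpgkey, so there is nothing to verify signatures against"; bad++ }
        if (v["sslverify"] == "0")     { print sec ": sslverify=0 (TLS certificates not verified)"; bad++ }
        if (v["baseurl"] ~ /^http:/ || v["mirrorlist"] ~ /^http:/)
            { print sec ": repository fetched over plain http (metadata can be replayed)"; bad++ }
        for (k in v) delete v[k]
    }
    /^[[:space:]]*[#;]/ || /^[[:space:]]*$/ { next }      # skip comments and blank lines
    /^[[:space:]]*\[/ { report(sec); sec = $0; sub(/^[[:space:]]*\[/, "", sec); sub(/\].*$/, "", sec); next }
    index($0, "=") {
        key = substr($0, 1, index($0, "=") - 1); gsub(/[[:space:]]/, "", key)
        val = substr($0, index($0, "=") + 1); gsub(/^[[:space:]]+|[[:space:]]+$/, "", val)
        v[tolower(key)] = val                             # yum lowercases option names, so compare lowercased
    }
    END { report(sec); exit bad ? 1 : 0 }
    ' "$1"
}

# Constructed sample .repo files (example.com is a placeholder, not a real repository).
tmp=$(mktemp -d)
cat > "$tmp/weak.repo" <<'EOF'
[example-weak]
name=Example (weak settings)
baseurl=http://example.com/rpm/el7/$basearch
gpgcheck=0
sslverify=0
EOF
cat > "$tmp/hardened.repo" <<'EOF'
[example-hardened]
name=Example (hardened settings)
baseurl=https://example.com/rpm/el7/$basearch
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://example.com/gpg.key
sslverify=1
EOF
audit_repo "$tmp/weak.repo"      # five findings, exit status 1
audit_repo "$tmp/hardened.repo"  # no findings, exit status 0
rm -r "$tmp"
```

Run it against `/etc/yum.repos.d/*.repo` to see which repositories on a host would accept unsigned packages or metadata.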