Is there a way to check RPM signatures during a kickstart install?
If the kickstart configuration file allows for a "%pre" section, you could run custom commands there. However, checking RPM signatures implies you have something to check against. Sounds more like an implementation question than a Linux Security question to me.
%pre doesn't seem to work. I think the reason is that the RPM database has not been created, so the GPG keys can't be imported at the time %pre is run.
The only way I have found to do this is by modifying the kickstart and yum Python scripts. Will post patches once I have debugged it.
Quote:
However, checking RPM signatures implies you have something to check against.
One of the very first things he'd need to do is import the public key into rpm(8)'s consciousness to check signatures.
Quote:
Originally Posted by dcellis1950
%pre doesn't seem to work. I think the reason is that the RPM database has not been created, so the GPG keys can't be imported at the time %pre is run.
Hmm, that surprises me. But I have not tested this. Where is kickstart pulling packages from? One idea is you could verify the package sigs prior to install time from another, working system. With some creativity you could even automate this (again using a process on another, working system).
I have been able to add a python method to the yum code. It imports all keys from the directory /etc/pki/rpm-gpg. This needs to be run between the creation of the RPM database and the start of installation. Still debugging and seeing if I can improve it.
The problem with %pre is that the RPM database has not been created yet and so keys can't be imported.
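Added example (not code posted by anyone in this thread): a shell script that does what the reply above suggests, verifying the package signatures from a working system before install time, and what the last post needs, importing every key under /etc/pki/rpm-gpg into an RPM database first. To keep the host's own rpmdb untouched it creates a scratch database with `rpm --initdb --dbpath` and passes `--dbpath` to `--import` and `-K`. The scratch path, the package directory and the function names are assumptions of this example, not from the thread. The check a practitioner wants is in `classify_checksig_line`: `rpm -K` prints "OK" for a package whose digests match even when it carries no signature at all, so the script only accepts a line that also shows a signature marker ("pgp"/"gpg" in the rpm 4.x format used by the distributions of this thread's era, "signatures" in the newer "digests signatures OK" format).

```shell
#!/bin/sh
# Added example: verify RPM signatures against a scratch rpm database on a
# working host, before the packages are handed to the installer.
# Assumptions (mine, not the thread's): vendor keys live in $KEYDIR and the
# packages to check are the *.rpm files under the directory passed in.

KEYDIR=${KEYDIR:-/etc/pki/rpm-gpg}
SCRATCHDB=${SCRATCHDB:-/tmp/rpmdb-verify}

# Classify one line of `rpm -K` output. Prints: signed-ok | unsigned | bad
# An unsigned package still reports "OK" for its digests, so "OK" alone is
# not a pass; a signature marker must be present as well.
classify_checksig_line() {
    line=$1
    case "$line" in
        *"NOT OK"*|*"MISSING KEYS"*)
            echo bad ;;                          # bad signature or unknown key
        *" pgp "*OK|*" gpg "*OK|*"signatures OK"|*"SIGNATURES OK")
            echo signed-ok ;;                    # digests and signature verified
        *OK)
            echo unsigned ;;                     # digests only, no signature
        *)
            echo bad ;;                          # anything else: treat as failure
    esac
}

# Create a throwaway rpm database, import the vendor keys into it, then
# check every package. Returns 0 only if every package is signed and valid.
verify_rpm_dir() {
    pkgdir=$1
    rm -rf "$SCRATCHDB" && mkdir -p "$SCRATCHDB" || return 2
    rpm --dbpath "$SCRATCHDB" --initdb || return 2
    for key in "$KEYDIR"/RPM-GPG-KEY-*; do
        rpm --dbpath "$SCRATCHDB" --import "$key" || return 2
    done
    status=0
    for pkg in "$pkgdir"/*.rpm; do
        out=$(rpm --dbpath "$SCRATCHDB" -K "$pkg" 2>&1)
        verdict=$(classify_checksig_line "$out")
        printf '%s\t%s\n' "$verdict" "$pkg"
        [ "$verdict" = signed-ok ] || status=1
    done
    return $status
}

# Usage: verify_rpm_dir /path/to/Packages
```

Run it against the directory the kickstart will pull packages from and refuse to build the install tree if it exits non-zero. Because the keys are imported into the scratch database only, the verdict reflects exactly the keys in $KEYDIR and nothing the host happens to trust already.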