LinuxQuestions.org
Visit Jeremy's Blog.
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices



Reply
 
Search this Thread
Old 09-15-2010, 12:27 PM   #1
dcellis1950
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Rep: Reputation: 2
Question Is there a way to check RPM signatures during a kickstart install?


Is there a way to check RPM signatures during a kickstart install? Seems as if the signatures are not checked during an installation.
 
Old 10-11-2010, 05:04 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 27,707
Blog Entries: 54

Rep: Reputation: 2965Reputation: 2965Reputation: 2965Reputation: 2965Reputation: 2965Reputation: 2965Reputation: 2965Reputation: 2965Reputation: 2965Reputation: 2965Reputation: 2965
Quote:
Originally Posted by dcellis1950 View Post
Is there a way to check RPM signatures during a kickstart install?
If the kickstart configuration file allows for a "%pre" section you could run custom commands there. However checking RPM signatures implies you have something to check against. Sounds more like an implementation rather than a Linux Security question to me.
 
Old 10-13-2010, 06:53 AM   #3
dcellis1950
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Original Poster
Rep: Reputation: 2
Solution.

Thank you for your response.

%pre doesn't seem to work. I think the reason is that the RPM database has not been created, so the gpg keys can't be imported, at the time %pre is run.

The only way I have found to do this is by modifying the kickstart and yum python scripts. Will post patches once I have it debugged it.
 
Old 10-13-2010, 02:57 PM   #4
anomie
Senior Member
 
Registered: Nov 2004
Location: Texas
Distribution: RHEL, Scientific Linux, Debian, Fedora, Lubuntu, FreeBSD
Posts: 3,930
Blog Entries: 5

Rep: Reputation: Disabled
Quote:
Originally Posted by unSpawn
However checking RPM signatures implies you have something to check against.
One of the very first things he'd need to do is import the public key into rpm(8)'s consciousness to check signatures.

Quote:
Originally Posted by dcellis1950
%pre doesn't seem to work. I think the reason is that the RPM database has not been created, so the gpg keys can't be imported, at the time %pre is run.
Hmm, that surprises me. But I have not tested this. Where is kickstart pulling packages from? One idea is you could verify the package sigs prior to install time from another, working system. With some creativity you could even automate this (again using a process on another, working system).
 
Old 10-14-2010, 07:28 PM   #5
dcellis1950
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Original Poster
Rep: Reputation: 2
Solution

I have been able to add a python method to the yum code. It imports all keys from the directory /etc/pki/rpm-gpg. This needs to be run between the creation of the RPM database and the start of installation. Still debugging and seeing if I can improve it.

The problem with %pre is that the RPM database has not been created yet and so keys can't be imported.

Thanks for the help.
 
Old 10-14-2010, 07:31 PM   #6
dcellis1950
LQ Newbie
 
Registered: Nov 2009
Posts: 14

Original Poster
Rep: Reputation: 2
As to this not being a security question, maybe, maybe not. But I feel installing unverified RPMS is a security problem.
 
  


Reply

Tags
installation, kickstart


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
RedHat kickstart post fglrx rpm install not working dizowned Linux - Software 3 02-26-2010 08:21 AM
how to update rpm signatures for YOU to work? djc Linux - Newbie 2 02-18-2005 02:24 PM
apt-rpm, SuSE 9.1, and signatures MachineShedFred Linux - Distributions 4 07-28-2004 08:59 AM
why do i keep getting bad signatures on rpm installs? webazoid Linux - Software 6 07-15-2004 11:02 PM
"Bad signatures"- unsuccessful rpm installation kpachopoulos Linux - Software 1 03-01-2004 11:15 AM


All times are GMT -5. The time now is 08:32 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration