While setting up a personal RPM repository, I noticed that the repositories configured in dom0 do not use the
Reading through the update command output, it seems indeed that no signature check is performed on the repos’ metadata. I am wondering why
As far as I can tell the repo_gpgcheck option seems supported by DNF. That option enables checking the signature of the repomd.xml file in the repository. Because that file lists checksums for all the other metadata files, it makes it possible to confirm who updated the repository.
A few things come to my mind:
The packages themselves are signed. Because those signatures are verified (gpgcheck is enabled), the packages weren’t modified and it doesn’t really matter who put them in the repo as long as the key that signed them can be trusted. Am I understanding this correctly?
That seems reasonable to me in the case of a repository of individual packages, however in the case of a distribution like Fedora 32 or Qubes OS R4.0, couldn’t it be problematic if someone modified the versions of the packages available to allow a series of vulnerabilities to be exploited? Or is that too far-fetched in practice?
Would there be any drawbacks to actually enable repo_gpgcheck for my personal repository? (Signing the repomd.xml file is trivial.)
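To make the checksum chain concrete, here is an added example (not code from the post or from DNF) that builds a constructed in-memory repository, writes a repomd.xml listing the sha256 of each metadata file the way createrepo_c does, and then walks that list the way a client would. A detached signature on repomd.xml (what repo_gpgcheck=1 verifies) therefore anchors every metadata file that the check below finds intact; GPG verification itself is assumed to happen beforehand and is not performed here.

```python
"""Verify the sha256 chain that a signed repomd.xml anchors (added example)."""
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"

# Constructed sample metadata: type -> (file name under repodata/, content).
SAMPLE_METADATA = {
    "primary": ("1111-primary.xml.gz", b"<metadata packages='1'/>"),
    "filelists": ("2222-filelists.xml.gz", b"<filelists/>"),
    "other": ("3333-other.xml.gz", b"<otherdata/>"),
}


def build_repo(metadata: dict) -> dict:
    """Return {path: bytes} for a tiny repo whose repomd.xml records the
    sha256 digest and location of every metadata file (constructed)."""
    entries = []
    for mdtype, (name, content) in metadata.items():
        digest = hashlib.sha256(content).hexdigest()
        entries.append(
            f'<data type="{mdtype}"><checksum type="sha256">{digest}</checksum>'
            f'<location href="repodata/{name}"/></data>')
    repomd = ('<repomd xmlns="http://linux.duke.edu/metadata/repo">'
              + "".join(entries) + "</repomd>").encode()
    files = {f"repodata/{name}": content for name, content in metadata.values()}
    files["repodata/repomd.xml"] = repomd
    return files


def verify_metadata(files: dict) -> list:
    """Return the hrefs whose content does not match the checksum recorded
    in repomd.xml; an empty list means the whole chain is intact.  Only
    sha256 is handled here; any other checksum type is reported as bad."""
    root = ET.fromstring(files["repodata/repomd.xml"])
    bad = []
    for data in root.findall(f"{REPO_NS}data"):
        checksum = data.find(f"{REPO_NS}checksum")
        href = data.find(f"{REPO_NS}location").get("href")
        if checksum is None or checksum.get("type") != "sha256":
            bad.append(href)
            continue
        actual = hashlib.sha256(files.get(href, b"")).hexdigest()
        if actual != checksum.text:
            bad.append(href)  # modified, missing, or swapped metadata file
    return bad


if __name__ == "__main__":
    repo = build_repo(SAMPLE_METADATA)
    print("intact:", verify_metadata(repo) == [])
```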