Skip to content

fix: Enforce GPG signature checks on RPM repo#606

Open
dz0ny wants to merge 1 commit into
mainfrom
fix/enforce-rpm-gpgcheck
Open

fix: Enforce GPG signature checks on RPM repo#606
dz0ny wants to merge 1 commit into
mainfrom
fix/enforce-rpm-gpgcheck

Conversation

@dz0ny

@dz0ny dz0ny commented Jul 6, 2026

Copy link
Copy Markdown
Member

The published paretosecurity.repo set gpgcheck=0, so dnf never
verified the RPM's GPG signature even though the installer imports
the Pareto key first and every RPM is properly signed at release
time. A compromised or mispublished repo/CDN/artifact path could
have served an unsigned or maliciously signed package with no
policy check blocking the install.

Set gpgcheck=1 and add a release step that fails if the published
repo file ever reverts to gpgcheck=0.

Refs https://github.com/teamniteo/pareto/issues/864

The published paretosecurity.repo set gpgcheck=0, so dnf never
verified the RPM's GPG signature even though the installer imports
the Pareto key first and every RPM is properly signed at release
time. A compromised or mispublished repo/CDN/artifact path could
have served an unsigned or maliciously signed package with no
policy check blocking the install.

Set gpgcheck=1 and add a release step that fails if the published
repo file ever reverts to gpgcheck=0.

Refs teamniteo/pareto#864
@github-actions

github-actions Bot commented Jul 6, 2026

Copy link
Copy Markdown

🚀 Dev Builds Available

Development builds for this PR are available in the workflow artifacts.

Available builds:

  • Windows (agent, installer, tray)
  • Linux (agent)
  • macOS (agent)

Download the build artifact to test the latest changes.

@dz0ny dz0ny marked this pull request as ready for review July 6, 2026 13:21
@dz0ny dz0ny requested review from Copilot and zupo July 6, 2026 13:21

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR hardens the RPM installation path by ensuring DNF enforces GPG signature verification for packages delivered via the published paretosecurity.repo, and adds a release guardrail to prevent regressions.

Changes:

  • Set gpgcheck=1 in the published RPM repo configuration so DNF verifies RPM signatures.
  • Add a CI/release step that fails if the published .repo file does not contain gpgcheck=1.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
apt/rpm/paretosecurity.repo Enables RPM signature enforcement via gpgcheck=1.
.github/workflows/release.yml Adds a release-time check to prevent gpgcheck from reverting.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants