Enforcing signature checking by default
This is a proposed Change for Fedora Linux.
This document represents a proposed Change. As part of the Changes process, proposals are publicly announced in order to receive community feedback. This proposal will only be implemented if approved by the Fedora Engineering Steering Committee.
Summary
Change the RPM default package verification mode to enforcing signature checking, to follow upstream RPM 6.0 default:
only packages with a verified signature can be installed, unless explicitly overridden by --nosignature or corresponding API.
Owner
- Name: [[User:pmatilai| Panu Matilainen]]
- Email: pmatilai@redhat.com
Detailed Description
On RPM level, this is a one-line configuration change: %_pkgverify_level default is changed from digest to all, which
requires packages to have both a verified signature(s) and digest(s) to be installable. This means rpmkeys -K/--checksig will fail on unsigned packages, and rpm will refuse to install such packages, unless explicitly overridden with --nosignature (or corresponding API).
This change was originally intended to happen as a side-effect of Changes/RPM-6.0,
but was postponed to Fedora 44 due to time and resource reasons.
DNF5 >= 5.2.14.0 (in Fedora >= 42) has the necessary integration to allow disabling the verification on per-package
basis to support repositories with disabled signature checking. This is used by mock to handle newly
built, unsigned packages, and continues to work without further changes.
Mock has a plugin for signing locally built packages, and COPR has its own automatic signing.
For packages locally built with rpmbuild, RPM >= 6.0 supports automatic signing by a passwordless key to make local rpmbuild
use almost as seamless as before, and comes with an easy one-time setup script: /usr/lib/rpm/rpm-setup-autosign.
Feedback
Benefit to Fedora
The traditional RPM <= 4.x behavior was to verify signatures if they are present and verifiable, but never require them. That behavior may have
been somewhat acceptable in the nineties, but does not meet the security expectations of modern times. Besides being insecure, the semantics
cause quirky and non-obvious behavior in various situations.
Higher level package managers like yum and dnf/dnf5 have implemented their own enforcing signature modes, enabled by default
since the beginning of Fedora. This change brings the RPM side default behavior to this millennium.
Scope
- Proposal owners:
** Change the RPM configuration.
** Assist with adoption as necessary, and address possible unforeseen / newly found issues in rpm/dnf/mock
- Other developers:
** Adjust their local package building workflows to either use signed packages or explicitly disable the signature checking where necessary (see compatibility impact).
- Release engineering: #13027
- Policies and guidelines: N/A (not needed for this Change)
- Trademark approval: N/A (not needed for this Change)
- Alignment with the Fedora Strategy: Improved security should align with Fedora strategy, whether written down or not.
Upgrade/compatibility impact
There’s no impact on the average system only utilizing packages from official or 3rd party repositories.
Dnf, mock, the official Fedora buildsystem and COPR should be fully compatible with this change as-is.
However, this change will almost certainly require some changes to rpm/rpmbuild related workflows that the RPM team hasn’t even heard of.
In some cases it might be sufficient to import relevant keys before operating on packages. Ideally, workflows involving unsigned packages are
updated to use signed packages. Where that is not immediately or easily feasible, explicit --nosignature (or corresponding API)
switches or local configuration change to a more permissive policy may need to be added to scripts / system configuration.
Changes might be needed if there are local rpmbuild-related workflows, see Scope.
Early Testing (Optional)
N/A
How To Test
This will receive thorough testing in everyday system use through system updates and on the buildsystem side, building packages. Specific items to test locally include:
- Try to install or verify an unsigned package (must fail)
- Try to install or verify a signed package whose key is not imported (must fail)
- Try to install or verify both of the above with --nosignature (should succeed if legit package)
- Test automatic signing in rpmbuild:
** Run /usr/lib/rpm/rpm-setup-autosign
** Import the key as indicated by rpm-setup-autosign output
** Build some package(s)
** Try to install those packages (must not fail due to signature)
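The checks above, scripted as a small POSIX shell harness. This is an added example and not part of the Change page; it assumes rpm and rpmkeys from RPM >= 6.0 on the PATH, three locally prepared test packages (unsigned, signed by a key that is not imported, signed by an imported key) whose paths are passed in, and uses rpm -i --test so nothing is actually installed.

```shell
#!/bin/sh
# Added example harness for the "How To Test" items; not from the Change page.

# expect_outcome DESC WANT CMD...
# Runs CMD quietly; WANT is 0 if the policy requires success, 1 if it
# requires failure. Returns 0 when the observed outcome matches WANT.
expect_outcome() {
    desc=$1; want=$2; shift 2
    if "$@" >/dev/null 2>&1; then got=0; else got=1; fi
    if [ "$got" -eq "$want" ]; then
        echo "PASS: $desc"
        return 0
    fi
    if [ "$want" -eq 0 ]; then exp=success; else exp=failure; fi
    echo "FAIL: $desc (expected $exp)"
    return 1
}

# policy_is_enforcing: true when %_pkgverify_level resolves to "all",
# the new default this Change introduces.
policy_is_enforcing() {
    [ "$(rpm --eval '%_pkgverify_level')" = all ]
}

# run_policy_checks UNSIGNED.rpm SIGNED_UNKNOWN_KEY.rpm SIGNED_TRUSTED.rpm
# Exercises the test items; returns non-zero if any expectation is violated.
run_policy_checks() {
    unsigned=$1; unknown=$2; trusted=$3; rc=0
    policy_is_enforcing || { echo "FAIL: %_pkgverify_level is not 'all'"; rc=1; }
    expect_outcome "unsigned package: rpmkeys -K fails" 1 \
        rpmkeys -K "$unsigned" || rc=1
    expect_outcome "unsigned package: rpm -i refuses it" 1 \
        rpm -i --test "$unsigned" || rc=1
    expect_outcome "signed, key not imported: rpmkeys -K fails" 1 \
        rpmkeys -K "$unknown" || rc=1
    expect_outcome "signed, key not imported: rpm -i refuses it" 1 \
        rpm -i --test "$unknown" || rc=1
    expect_outcome "--nosignature override: unsigned verifies" 0 \
        rpmkeys -K --nosignature "$unsigned" || rc=1
    expect_outcome "--nosignature override: unknown key installs" 0 \
        rpm -i --test --nosignature "$unknown" || rc=1
    expect_outcome "signed with imported key: verifies" 0 \
        rpmkeys -K "$trusted" || rc=1
    return $rc
}
```

Invoke as `run_policy_checks ./unsigned.rpm ./unknown-key.rpm ./trusted.rpm` after running rpm-setup-autosign and importing its key; the trusted package can be one built locally under that setup.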
User Experience
- Packages without verifiable signature(s) cannot be installed without an explicit override.
Dependencies
- dnf, mock, koji, copr are related but the buildsystem(s) are expected to work with no further changes
- there may be unforeseen / unknown dependencies in the infrastructure
- dnf --no-gpgchecks needs dnf5 integration (rpm-software-management/dnf5 issue #2479: --no-gpgchecks does not override rpm enforcing policy)
Contingency Plan
- Contingency mechanism: Revert back to digest verification by default for F44 and try again in F45.
- Contingency deadline: beta freeze
- Blocks release? Yes
Documentation
The package verification policy configurables (%_pkgverify_*) are documented in the rpm-config(5) manual.
Release Notes
Last edited by @alking 2025-10-23T17:31:53Z