Can someone pitch in to explain if F40 and below users are prone to MTM attacks if they use unsecured http to download Fedora repo metadata?
Sounds like someone can swap out some package data and user will download a compromised package that will pass per package gpg checks (since signature data can be swapped out by an attacker).
Will this vulnerability be mitigated if we just use https for syncing repos?
Can you please elaborate on how this would be possible?
Each rpm package is signed with a gpg signature that dnf will check and compare with the expected signature. IMHO, that is a pretty safe process, so http is sufficient.
Someone in the middle (man-in-the-middle) can simulate fedora repo with a modified package over unsecured http, since there’s no GPG check over the repo data. That package will include a different GPG key for the modified package, so GPG check for the individual package will pass.
I was told this is not fixed for dnf version 4 (they don’t even provide a repo GPG key for Fedora repos)..
Each package is security signed before it’s uploaded to the repo
$ rpm -qi cinnamon bash gjs |grep Signature
Signature : RSA/SHA256, Wed 26 Feb 2025 16:55:01 GMT, Key ID c8ac4916105ef944
Signature : RSA/SHA256, Fri 08 Nov 2024 08:56:24 GMT, Key ID c8ac4916105ef944
Signature : RSA/SHA256, Thu 16 Jan 2025 22:21:16 GMT, Key ID c8ac4916105ef944
$ gpg -v /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-42-primary
gpg: enabled compatibility flags:
gpg: WARNING: no command supplied. Trying to guess what you mean ...
gpg: using pgp trust model
pub rsa4096 2024-02-12 [SCE]
B0F4950458F69E1150C6C5EDC8AC4916105EF944
uid Fedora (42) <fedora-42-primary@fedoraproject.org>
sig C8AC4916105EF944 2024-02-12 [selfsig]