yum install http - is this safe?

Question

I am not very familiar with using yum to install packages. In a previous life I used apt.

Currently, I am looking at some instructions to run

# yum install http://example.com/package.rpm

which apparently will subscribe to a particular repository, from which further packages can be downloaded. Is this a safe thing to do?

For comparison, I know that apt packages have gpg signatures which means that downloads over http are not a problem. As described here. And when downloading packages outside the main repositories with apt, you can manually add a gpg key for apt to accept, to ensure that any non-standard packages have the same trusted source.

If I run the above command, will yum ask me to accept a gpg key before it starts installing things, or could it just install anything?

In case it is relevant, my /etc/yum.conf file contains gpgcheck=1 inside the [main] section.

Answer 1

There's a bit to explain with your question.

Firstly, it's important to understand how YUM and rpm work together:

1. RPM is a package format and there is a similarly named command line tool named rpm which installs individual RPM packages. You can think of the rpm command line tool as analogous to the dpkg command line tool as both install individual packages without their dependencies.
2. yum is a higher-level program which installs an RPM package and its dependencies. You can think of the yum command as analogous to apt-get as both can install a package and all of its dependencies.
3. When you run yum install you should use the package name, not the URL. For example: yum install package, similar to how you would run: apt-get install package.
4. If you have a package URL, you can run rpm -i https://url, but if you don't have the dependencies of the package installed, you will need to install them either one by one with rpm -i (painful) or with yum and a configured repository.

Now, as far as GPG goes there's a few things to understand that apply to both the Debian and RPM packaging systems, but the most important things to understand are:

1. Both systems have 2 sets of GPG signatures: GPG signatures on the packages themselves and GPG signatures on the repositories.
2. Debian packages do not have their GPG signatures checked and the official packages from both the Ubuntu and Debian project repositories are not GPG signed.
3. Both systems are vulnerable to a range of GPG replay attacks when used over clear text HTTP; you should absolutely, 100% install your packages via HTTPS and not plain text HTTP if at all possible.

As far a RPM and YUM GPG signatures:

1. First, you can specify the path or the URL to the GPG key in the configuration file with: gpgkey=https://example/gpg.key or gpgkey=/usr/share/example/gpg.key. You can specify multiple GPG keys, if more than 1 is needed.
2. Secondly, there are two options: gpgcheck=1 and repo_gpgcheck=1. The first option causes yum install to verify the GPG signature on the package itself, the second option verifies the GPG signature of the repository. Ideally, you should use both, but many repositories are not properly configured to support both.
3. The first time you run yum install, yum will attempt to import the GPG keys listed at gpgkey if they have not yet been imported. You will be prompted and asked to accept or decline.
4. You must have the pygpgme package installed on your system for GPG signatures to be verified. On most recent versions of RHEL and CentOS pygpgme is automatically installed a dependency of yum, but you should verify that it is installed on your system.
5. There is no equivalent of apt-transport-https, yum can speak over HTTPS out of the box, but you should ensure that the version of yum you are using has the sslverify option defaulted to enabled; some versions of yum do not. If your version does not, you should set it to enabled. It is critical to verify SSL certificates.

Even with GPG signatures on both the packages and the repositories, repositories are still vulnerable to replay attacks; you should access your repositories over HTTPS if at all possible. The short explanation of one attack is that a malicious attacker can snapshot repository metadata and the associated GPG signature at a particular time and replay that metadata and signature to a client which requests it, preventing the client from seeing updated packages. Since the metadata is not touched, the GPG signature will be valid. The attacker can then use an exploit against a known bug in the software that was not updated to attack the machine. You can read more about attacks on package managers in this paper.

I wrote two extensive blog posts about GPG and YUM / rpm as well as GPG and APT.

Please leave a comment if you have additional questions that I can answer; package management is incredibly hard to do correctly.