Saturday, February 26, 2022

[SOLVED] Is it safe to download RPMs with HTTP (not HTTPS)?

Issue

I want to install a CentOS package from a mirror on the internet.

e.g. http://mirror.centos.org/centos-7/7/os/x86_64/Packages/unixODBC-2.3.1-14.el7.x86_64.rpm

That URL is http:// not https://, so there's no TLS encryption. Downloading binaries from the internet without encryption in transit and authenticity checking seems like a bad idea from a security perspective.

If I modify the URL to add an s, making it https://, the download doesn't work. That server does not serve anything on 443 HTTPS.

So it seems my only choice is to download the file without TLS.

Unlike some Linux ISO files, there are no .md5 and .asc files next to the main file. So I cannot manually check the file hash against a signature.

How does security work for RPMs? If I have no encryption or certificate checking when I download, is there some other chain of trust? e.g. do RPMs contain a public key inside the file (e.g. GPG/PGP) that yum compares to one it already trusts? Or would I be installing a completely untrustworthy file?


Solution

RPM packages can be signed with GPG signatures. All major RPM-using distributions (e.g., CentOS, Fedora, RHEL) do that.

If an RPM is signed, dnf/yum will verify the signature when you try to install the package. If it's signed by an unknown signature, they will prompt you about trusting it. If the signature doesn't verify, they will abort the install.

HTTPS provides a bunch of guarantees, but they really boil down to: the data transmission between the mirror and your computer is secure (confidential, and un-tampered). It doesn't prevent someone malicious from modifying the package on the mirror itself. Nor does it prevent someone from setting up a bunch of malicious packages on a fake mirror and making them available to you.

GPG, on the other hand, lets you verify that the packages you are installing were published by an authorized system (e.g., the official CentOS build system) and haven't been modified since.

You can use both GPG + HTTPS to get advantages of both.

Using just GPG + HTTP, though, means someone spying can see what you are downloading. But due to GPG, if they send you malicious data, you will identify it and abort the installation.



Answered By - omajid
Answer Checked By - Cary Denson (WPSolving Admin)
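The answer's point, that the GPG signature rather than the transport is what authenticates the package, as an added example that is not the answerer's code: a shell script that downloads the RPM from the question over plain HTTP, checks it with `rpm -K`, and refuses to install unless the signature verified against an imported key (an unsigned package still prints "OK" for its digests, which is the trap the script guards against). It assumes CentOS 7's stock key path /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7, plus curl and sudo; the sample `rpm -K` lines in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example (not from the original answer): authenticate an RPM fetched
# over HTTP by its GPG signature before installing it.
# Assumptions: CentOS 7 (rpm 4.11) or a newer rpm; curl and sudo available;
# the distribution key lives at the stock CentOS 7 path below.

# rpm -K prints one status line per file, e.g. (constructed samples):
#   pkg.rpm: rsa sha1 (md5) pgp md5 OK                  -> signed, key imported
#   pkg.rpm: RSA sha1 (MD5) PGP MD5 NOT OK (MISSING KEYS: GPG#deadbeef)
#   pkg.rpm: sha1 md5 OK                                -> UNSIGNED, digests only
# Newer rpm prints "digests signatures OK" / "digests OK" / "digests SIGNATURES NOT OK".
# Classify so that an unsigned package is never mistaken for a verified one.
classify_checksig() {
    status=${1#*: }                         # drop the "filename: " prefix
    case "$status" in
        *"NOT OK"*)                     echo BAD ;;        # bad digest/signature or unknown key
        *pgp*OK|*gpg*OK|*signatures*OK) echo SIGNED_OK ;;  # signature verified against an imported key
        *OK)                            echo UNSIGNED ;;   # only digests checked: nothing to trust
        *)                              echo BAD ;;
    esac
}

# Download, verify, then install. Fails closed: anything other than a
# signature verified against the imported distro key aborts before yum runs.
fetch_and_verify() {
    url=$1
    keyfile=${2:-/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7}   # assumed trust anchor
    pkg=$(basename "$url")
    curl -fsSLo "$pkg" "$url" || { echo "download failed: $url" >&2; return 1; }
    sudo rpm --import "$keyfile" || { echo "key import failed" >&2; return 1; }
    status=$(classify_checksig "$(rpm -K "$pkg")")
    case "$status" in
        SIGNED_OK) echo "$pkg: signature OK, installing"; sudo yum -y localinstall "$pkg" ;;
        UNSIGNED)  echo "$pkg: not signed; refusing to install" >&2; return 2 ;;
        *)         echo "$pkg: signature or digest check failed; refusing" >&2; return 3 ;;
    esac
}

# Usage: ./verify-rpm.sh http://mirror.centos.org/centos-7/7/os/x86_64/Packages/unixODBC-2.3.1-14.el7.x86_64.rpm
if [ $# -gt 0 ]; then fetch_and_verify "$@"; fi
```

With `gpgcheck=1` in the repo definition, yum performs the same signature check for packages it downloads itself; the script is for the manual download case the question describes.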