Yum proxy modifies repomd.xml which causes signature verification to fail

I’m using Podman to run Nexus via the sonatype/nexus3:3.22.1 image. I have a Yum proxy repository to a remote that includes a valid signature (repomd.xml.asc) and public key (repomd.yml.key) for the repository metadata (repomd.xml). All is well when using the remote directly (i.e., zypper is able to verify signatures), but when using the nexus-proxy proxied repository zypper ref reports that repomd.xml has been modified after it was signed:

# zypper ref -r nexus-proxy
Retrieving repository 'nexus-proxy' metadata ------------------------------------------------------------------------[\]
Signature verification failed for file 'repomd.xml' from repository 'nexus-proxy'.

    Note: Signing data enables the recipient to verify that no modifications occurred after the data
    were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system
    and in extreme cases even to a system compromise.

    Note: File 'repomd.xml' is the repositories master index file. It ensures the integrity of the
    whole repo.

    Warning: This file was modified after it has been signed. This may have been a malicious change,
    so it might not be trustworthy anymore! You should not continue unless you know it's safe.

Signature verification failed for file 'repomd.xml' from repository 'nexus-proxy'. Continue? [yes/no] (no):

If GPG checks are disabled, zypper obviously doesn’t complain and happily pulls packages through the proxy.

Diffing the remote repomd.xml (remote-repomd.xml) against the proxied one (repomd.xml) gives:

# diff remote-repomd.xml repomd.xml
1,2c1
< <?xml version="1.0" encoding="UTF-8"?>
< <repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
---
> <?xml version="1.0" encoding="UTF-8" standalone="no"?><repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">
159c158
< </repomd>
---
> </repomd>
\ No newline at end of file

Clearly repomd.xml is not the same, but the only differences appear to be standalone="no" and missing newlines. Is this expected behavior?

Going further, the signature (and public key) obtained from the proxy is valid on the remote repomd.xml but not-valid on the proxy’s repomd.xml:

# gpg2 -k
gpg: keybox '/root/.gnupg/pubring.kbx' created
gpg: /root/.gnupg/trustdb.gpg: trustdb created
# gpg2 --import repomd.xml.key 
gpg: key 70AF9E8139DB7C82: public key "SuSE Package Signing Key <build@suse.de>" imported
gpg: Total number processed: 1
gpg:               imported: 1
# gpg2 --verify repomd.xml.asc remote-repomd.xml 
gpg: Signature made Wed 08 Jan 2020 04:07:18 PM UTC
gpg:                using RSA key 70AF9E8139DB7C82
gpg: Good signature from "SuSE Package Signing Key <build@suse.de>" [unknown]
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: FEAB 5025 39D8 46DB 2C09  61CA 70AF 9E81 39DB 7C82
# gpg2 --verify repomd.xml.asc repomd.xml 
gpg: Signature made Wed 08 Jan 2020 04:07:18 PM UTC
gpg:                using RSA key 70AF9E8139DB7C82
gpg: BAD signature from "SuSE Package Signing Key <build@suse.de>" [unknown]

Disabling GPG checks at the client is not an appropriate workaround for my use-case. Is Nexus unable to proxy Yum repositories with metadata signatures and keys without disabling GPG checks?

I ended up working around this issue by using raw proxy repositories. I get the impression that this is an understood limitation with yum proxies and using raw proxies is the right solution; but then, no one responded to this discussion pointing that out. It seems to me that Nexus should handle metadata signatures for proxy repositories, either by not modifying the metadata, not proxying the signatures, or by producing new signatures. What do other people think? Should I open an issue?

We have the same problem when trying to proxy OpenSUSE Yum repositories.
Since this is being used in Docker, we cannot automatically accept the “wrong” repomd.xml.

Is there no proper solution to this problem?

Could the solution be to sign the proxy repository ourself with our own GPG key?
https://help.sonatype.com/repomanager3/formats/yum-repositories/gpg-signatures-for-yum-proxy-group

I tried to follow this to add our GPG key, but there is no such Signing Key section of the Yum Proxy repository in our Nexus 3.29.2.

Seems this is a feature that was released with Nexus 3.30.0

With the recent change of the GPG key of the PGDG repository, I’ve been bashing my head about why I’m getting a failure on repository metadata verification.

PostgreSQL common RPMs for RHEL / Rocky / AlmaL
Failed to download metadata for repo 'pgdg-common': repomd.xml GPG signature verification error: Bad GPG signature

After many iterations, I came down to the idea of comparing what repomd.xml I do get by direct download and through the YUM proxy. In my case, those files were different by 2 times! The original one had a bunch of records that were removed from the proxied version. Despite invalidating the cache and deleting relevant files I kept getting filtered versions.

I couldn’t find easily any description in the documentation of this behaviour and the easiest solution to my problem was to change the .repo file setting to repo_gpgcheck=0. That masked the problem, but the real cause of it is that Nexus3(3.63.0-01) alters repomd.xml files without modifying the corresponding .asc file. As of now, you can configure the signing of that information with your own GPG key, but that has to be configured all around, including all your .repo files.

Amusingly, I found only this post regarding this issue in the Nexus3. Could be that repo_gpgcheck is set by default in very rare cases, like out of 40 repos I have only PGDG does that.
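Both failure reports in this thread (the first post's `standalone="no"` / missing-newline diff, and the PGDG post's repomd.xml with entries dropped) come down to the same fact: a detached OpenPGP signature covers the exact bytes of repomd.xml, so any rewrite by the proxy, even one that leaves the XML meaning unchanged, makes the upstream repomd.xml.asc unverifiable. The script below is an added example for checking that before disabling `repo_gpgcheck`; it is not code from Nexus, zypper or this thread. The embedded repomd.xml samples are constructed, `reserialize_like_proxy` is a hand-written imitation of the two byte changes visible in the diff above (not Nexus's own serializer), and `gpg_verify` assumes `gpg2` or `gpg` on PATH with the repository key already imported.

```python
"""Compare an upstream repomd.xml with the copy served by a proxy and explain
why the upstream detached signature (repomd.xml.asc) does or does not verify."""
import difflib
import hashlib
import shutil
import subprocess
import xml.etree.ElementTree as ET

# Constructed sample of an upstream repomd.xml: the bytes repomd.xml.asc was made over.
REMOTE_REPOMD = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">\n'
    b'  <revision>1578499638</revision>\n'
    b'  <data type="primary">\n'
    b'    <checksum type="sha256">placeholder-checksum</checksum>\n'
    b'    <location href="repodata/primary.xml.gz"/>\n'
    b'  </data>\n'
    b'</repomd>\n'
)

# Constructed sample of the "filtered" case: same document with the data entry removed.
FILTERED_REPOMD = (
    b'<?xml version="1.0" encoding="UTF-8"?>\n'
    b'<repomd xmlns="http://linux.duke.edu/metadata/repo" xmlns:rpm="http://linux.duke.edu/metadata/rpm">\n'
    b'  <revision>1578499638</revision>\n'
    b'</repomd>\n'
)


def reserialize_like_proxy(xml_bytes: bytes) -> bytes:
    """Imitate the two changes seen in the diff above (constructed, not Nexus code):
    the declaration gains standalone="no" and is joined onto the root element,
    and the trailing newline after </repomd> is dropped."""
    decl, rest = xml_bytes.split(b"\n", 1)
    decl = decl.replace(b"?>", b' standalone="no"?>')
    return decl + rest.rstrip(b"\n")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def semantically_equal(a: bytes, b: bytes) -> bool:
    """True when both documents canonicalize (C14N 2.0) to the same XML, i.e. the parsed
    metadata is identical even though the raw bytes may differ."""
    return ET.canonicalize(xml_data=a.decode("utf-8")) == ET.canonicalize(xml_data=b.decode("utf-8"))


def compare_metadata(remote: bytes, proxied: bytes) -> dict:
    """Classify the proxied copy: identical, re-serialised only, or content changed.
    Only the first case can still be verified with the upstream repomd.xml.asc."""
    byte_identical = remote == proxied
    same_meaning = byte_identical or semantically_equal(remote, proxied)
    diff = list(difflib.unified_diff(
        remote.decode("utf-8").splitlines(), proxied.decode("utf-8").splitlines(),
        "remote-repomd.xml", "repomd.xml", lineterm="", n=0))
    if byte_identical:
        verdict = "identical: upstream repomd.xml.asc verifies the proxied copy"
    elif same_meaning:
        verdict = "re-serialised only: same metadata, but upstream repomd.xml.asc cannot verify it"
    else:
        verdict = "content changed: entries added or removed, upstream repomd.xml.asc cannot verify it"
    return {
        "byte_identical": byte_identical,
        "semantically_equal": same_meaning,
        "remote_sha256": sha256_hex(remote),
        "proxied_sha256": sha256_hex(proxied),
        "diff": diff,
        "verdict": verdict,
    }


def gpg_verify(asc_path: str, data_path: str) -> bool:
    """The check zypper/dnf perform, run through gpg (assumed on PATH, key already imported)."""
    gpg = shutil.which("gpg2") or shutil.which("gpg")
    if gpg is None:
        raise RuntimeError("gpg not found on PATH")
    return subprocess.run([gpg, "--verify", asc_path, data_path], capture_output=True).returncode == 0


if __name__ == "__main__":
    report = compare_metadata(REMOTE_REPOMD, reserialize_like_proxy(REMOTE_REPOMD))
    print(report["verdict"])
    print("\n".join(report["diff"]))
```

With real files, fetch `repodata/repomd.xml` from the upstream and from the proxy, run `compare_metadata` on the two, and only then `gpg_verify("repomd.xml.asc", "repomd.xml")`; a "re-serialised only" verdict is the harmless-looking rewrite from the first post, while "content changed" is the filtered metadata from the PGDG post, and neither can be fixed at the client except by signing the proxy repository with your own key and distributing that key instead.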