[SERVER-8770] Sign RPM packages available via the 10gen yum repository Created: 27/Feb/13  Updated: 16/Nov/21  Resolved: 13/Aug/15

Status: Closed
Project: Core Server
Component/s: Packaging
Affects Version/s: None
Fix Version/s: 3.0.8, 3.1.7

Type: Improvement Priority: Major - P3
Reporter: Marcin Zajączkowski Assignee: Ernie Hershey
Resolution: Done Votes: 26
Labels: None
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Depends
Related
related to DOCS-5411 securely download the mongodb packages Closed
related to DOCS-7370 Add rpm signature verification to rpm... Closed
is related to SERVER-5455 Sign source archives (tgz, zip, etc) ... Closed
is related to SERVER-14036 Ubuntu Key File belongs to Richard Kr... Closed
is related to SERVER-19893 Generate packages on their own platforms Closed
Backwards Compatibility: Minor Change
Backport Completed:
Sprint: BUILD 2 04/24/15, BUILD 4 06/05/15, Build 5 06/26/16, Build 6 07/17/15, Build 7 08/10/15, Build 8 08/31/15
Participants:

Description

Packages available from the 10gen yum repository (and probably all provided packages) should be signed using a GPG/PGP key. It makes it harder to compromise a yum repository (it is not enough to just replace an RPM in a repo).



Comments
Comment by Githook User [ 11/Dec/15 ]

Author: Ernie Hershey (ehershey, ernie.hershey@10gen.com)

Message: SERVER-19893, SERVER-8770 Fix SUSE packaging script references

I accidentally swapped Community and Enterprise while merging the
backport of these tickets.
Branch: v3.0
https://github.com/mongodb/mongo/commit/4108a655c5bbc7d99192dfe44a5621a390596bcf

Comment by Githook User [ 10/Dec/15 ]

Author: Ernie Hershey (ehershey, ernie.hershey@10gen.com)

Message: SERVER-19893, SERVER-8770 - Fix notary client source archive extension
Branch: v3.0
https://github.com/mongodb/mongo/commit/c824d36046be8a512e09174137da060ea6632dd6

Comment by Githook User [ 06/Dec/15 ]

Author: Ernie Hershey (ehershey, ernie.hershey@10gen.com)

Message: SERVER-19893, SERVER-14036, SERVER-8770 - Packaging improvements

  • Signing RPM's
  • Signing .DEB's with organization key instead of Richard's key
  • Generating packages on individual platforms in compile tasks
  • Trimming redundant Enterprise packaging python code
  • Miscellaneous cleanup, mostly to support the above goals

(cherry picked from commit ed856e8865097d996894f50893b2be479c5644fc)
Branch: v3.0
https://github.com/mongodb/mongo/commit/7ecff41d2fb6983abe8061b303720d3d14f9c6cc

Comment by Tehmasp Chaudhri [ 17/Nov/15 ]

@Ernie - can we please update the docs? I'm tracking this issue. I tried looking for a key on the repo.mongodb.com server but cannot find one for signed installation of packages for RHEL/CentOS.

Thanks very much!
Tehmasp

Comment by Ernie Hershey [ 13/Aug/15 ]

We need to update the RPM installation docs for Community and Enterprise to include gpg verification and importing our public key.

Comment by Githook User [ 12/Aug/15 ]

Author: Ernie Hershey (ehershey, ernie.hershey@10gen.com)

Message: SERVER-19893, SERVER-14036, SERVER-8770 - Packaging improvements

Comment by Jason Woods [ 11/May/15 ]

Thanks ernie.hershey@10gen.com - good to see progress!

Regarding documentation:
http://docs.mongodb.org/manual/tutorial/install-mongodb-on-red-hat-centos-or-fedora-linux/
This still references HTTP and not HTTPS - I think it should be updated. Also - there's still no warning regarding gpgcheck=0 dangers. Additionally, no reference back to this ticket to get it the visibility it needs.

I appreciate time constraints and other work might be the cause - but from a user perspective, I cannot see very much being more important than ensuring official downloads and package repositories are secure and we are educated correctly as to the risks.

Looking forward to GPG packaging.

Comment by Ernie Hershey [ 23/Mar/15 ]

I'm sorry this isn't in place yet. If it helps, all packages from 3.0 forward are available over SSL at https://repo.mongodb.org/. Additionally all binary tarballs are available over SSL at https://fastdl.mongodb.org/ - for example - https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-2.6.8.tgz. All binary tarballs from 2.6 forward are also signed with signatures available by appending .sig to the download URL - for example - https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-2.6.8.tgz.sig. The public key is available at https://www.mongodb.org/static/pgp/server-2.6.asc.

Comment by Jarom Loveridge [ 21/Mar/15 ]

I 100% agree with Jason Woods. The lack of a signature and providing the files over HTTP instead of HTTPS is a serious issue and needs to be rectified. This is a very serious security oversight from MongoDB and is even more unacceptable for their enterprise packages. These are paying customers who are being exposed to security risks due to an unacceptable lack of security from their database vendor. (We are one such customer.)

Comment by Jason Woods [ 19/Jan/15 ]

It may also be beneficial to add a note to this ticket in the documentation next to the notice about unsigned packages and security implications. That will at least allow you to gather more accurate impact/exposure counts, as it will likely bring it more votes.

Comment by Jason Woods [ 19/Jan/15 ]

ernie.hershey@10gen.com Any idea on when this may be implemented?

I can see why there is a small number of votes though. The official Mongo documentation explicitly tells the user to set up an inherently insecure package repository. I would advise that this documentation is updated to NOT do this. There is absolutely no warning there at all, and it WILL create a growing community of users who can be attacked via their mongodb repository, simply by DNS or another method of injecting malicious packages.

Personally, I think the combination of unsigned packages, and endorsing unsigned packages in the documentation, should be treated with the utmost urgency. At the very least, the documentation should be updated to emphasize to users that this needs to be addressed in their security policies.

Documentation here: http://docs.mongodb.org/manual/tutorial/install-mongodb-on-red-hat-centos-or-fedora-linux/
You can see the "gpgcheck=0" in the snippets with absolutely no explanation.
On a side note - the SELinux "implications" could be more clear too.
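
The two weaknesses this comment and Ernie Hershey's comment below describe (gpgcheck=0 in the repo snippet, and repository and key URLs served over plain HTTP) can be checked mechanically. The following audit script is an added example, not part of the ticket or of MongoDB's own tooling; the repo paths in the sample files are placeholders, and only the public key URL is taken from the ticket.

```shell
#!/bin/sh
# Added example (not MongoDB's tooling): audit a yum/dnf .repo file for
# gpgcheck=0 or missing (packages installed unverified) and plain-http
# baseurl/mirrorlist/gpgkey (metadata and key fetched without TLS).
# Prints one finding per line; the return status is the number of findings.
end_section() {  # flag a [section] that never set gpgcheck
    if [ -n "$section" ] && [ "$seen_gpgcheck" -eq 0 ]; then
        echo "$section: gpgcheck not set - signature verification not enabled"
        findings=$((findings + 1))
    fi
}
audit_repo() {
    findings=0; section=""; seen_gpgcheck=0
    while IFS= read -r raw || [ -n "$raw" ]; do
        # trim whitespace and normalise "key = value" to "key=value"
        line=$(printf '%s' "$raw" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//;s/[[:space:]]*=[[:space:]]*/=/')
        case "$line" in
            ''|'#'*|';'*) continue ;;
            '['*']') end_section; section=${line#"["}; section=${section%"]"}; seen_gpgcheck=0; continue ;;
        esac
        key=${line%%=*}; val=${line#*=}
        case "$key" in
            gpgcheck) seen_gpgcheck=1
                      [ "$val" = "1" ] || { echo "$section: gpgcheck=$val - packages are not verified"; findings=$((findings + 1)); } ;;
            baseurl|mirrorlist|gpgkey)
                      case "$val" in http://*) echo "$section: $key uses plain HTTP: $val"; findings=$((findings + 1)) ;; esac ;;
        esac
    done < "$1"
    end_section
    [ "$findings" -eq 0 ] && echo "$1: OK"
    return "$findings"
}
# Constructed sample files: the weak form beside the hardened form (paths are placeholders).
tmp=$(mktemp -d)
cat > "$tmp/weak.repo" <<'EOF'
[mongodb]
name=MongoDB Repository
baseurl=http://PLACEHOLDER-MIRROR/repo/redhat/os/x86_64/
gpgcheck=0
EOF
cat > "$tmp/fixed.repo" <<'EOF'
[mongodb]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/PLACEHOLDER-PATH/
gpgcheck=1
gpgkey=https://www.mongodb.org/static/pgp/server-2.6.asc
EOF
audit_repo "$tmp/weak.repo"  || echo "weak.repo: $? finding(s)"
audit_repo "$tmp/fixed.repo" || echo "fixed.repo: $? finding(s)"
```

With gpgcheck=1 and a gpgkey URL in place, yum/dnf refuses packages whose signature does not verify against the imported key, which is the protection the ticket asks for.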

Comment by Michele Perucic [ 26/Nov/14 ]

Hi,
How can we get this issue prioritized?
On my side, I cannot move forward without it. The packages from the MongoDB repo have to be signed.
Please advise.

Comment by Ernie Hershey [ 26/Nov/14 ]

jkramarz - thanks a lot for your interest in participating. The work that needs to be done to sign RPM packages is in internal processes, so the most helpful participation at the moment is voting for this ticket and commenting to let us know that it's important to you.

Comment by Jakub Kramarz [ 10/Nov/14 ]

I've been deploying Spacewalk server for my company and ran into unsigned MongoDB packages problem.
As I have to get them signed at some stage, I'd rather help solve this issue instead of signing them locally after repository synchronization.
So... how can I participate?

Comment by Jason Woods [ 22/Aug/14 ]

Any update on when this might happen?

The repository URLs are HTTP too which renders the repository unusable in any security conscious environment.
GPG signing would be great, and then the GPG key just needs to be on an HTTPS site like the other downloads I guess.
