[SERVER-8770] Sign RPM packages available via the 10gen yum repository Created: 27/Feb/13 Updated: 16/Nov/21 Resolved: 13/Aug/15 |
|
| Status: | Closed |
| Project: | Core Server |
| Component/s: | Packaging |
| Affects Version/s: | None |
| Fix Version/s: | 3.0.8, 3.1.7 |
| Type: | Improvement | Priority: | Major - P3 |
| Reporter: | Marcin Zajączkowski | Assignee: | Ernie Hershey |
| Resolution: | Done | Votes: | 26 |
| Labels: | None | ||
| Remaining Estimate: | Not Specified | ||
| Time Spent: | Not Specified | ||
| Original Estimate: | Not Specified | ||
| Issue Links: | |
| Backwards Compatibility: | Minor Change |
| Backport Completed: | |
| Sprint: | BUILD 2 04/24/15, BUILD 4 06/05/15, Build 5 06/26/16, Build 6 07/17/15, Build 7 08/10/15, Build 8 08/31/15 |
| Participants: | |
| Description |
|
Packages available from the 10gen yum repository (and probably all provided packages) should be signed using a GPG/PGP key. It makes it harder to compromise a yum repository (it is not enough to just replace an RPM in a repo). |
| Comments |
| Comment by Githook User [ 11/Dec/15 ] |
|
Author: {u'username': u'ehershey', u'name': u'Ernie Hershey', u'email': u'ernie.hershey@10gen.com'}Message: I accidentally swapped Community and Enterprise while merging the |
| Comment by Githook User [ 10/Dec/15 ] |
|
Author: {u'username': u'ehershey', u'name': u'Ernie Hershey', u'email': u'ernie.hershey@10gen.com'}Message: |
| Comment by Githook User [ 06/Dec/15 ] |
|
Author: {u'username': u'ehershey', u'name': u'Ernie Hershey', u'email': u'ernie.hershey@10gen.com'}Message:
(cherry picked from commit ed856e8865097d996894f50893b2be479c5644fc) |
| Comment by Tehmasp Chaudhri [ 17/Nov/15 ] |
|
@Ernie - can we please update the docs? I'm tracking this issue. I tried looking for a key on the repo.mongodb.com server but cannot find one for signed installation of packages for RHEL/CentOS. Thanks very much! |
| Comment by Ernie Hershey [ 13/Aug/15 ] |
|
We need to update the RPM installation docs for Community and Enterprise to include gpg verification and importing our public key. |
| Comment by Githook User [ 12/Aug/15 ] |
|
Author: {u'username': u'ehershey', u'name': u'Ernie Hershey', u'email': u'ernie.hershey@10gen.com'}Message:
|
| Comment by Jason Woods [ 11/May/15 ] |
|
Thanks ernie.hershey@10gen.com - good to see progress! Regarding documentation: I appreciate time constraints and other work might be the cause - but from a user perspective, I cannot see very much being more important than ensuring official downloads and package repositories are secure and we are educated correctly as to the risks. Looking forward to GPG packaging. |
| Comment by Ernie Hershey [ 23/Mar/15 ] |
|
I'm sorry this isn't in place yet. If it helps, all packages from 3.0 forward are available over SSL at https://repo.mongodb.org/. Additionally all binary tarballs are available over SSL at https://fastdl.mongodb.org/ - for example - https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-2.6.8.tgz. All binary tarballs from 2.6 forward are also signed with signatures available by appending .sig to the download URL - for example - https://fastdl.mongodb.org/linux/mongodb-linux-x86_64-2.6.8.tgz.sig. The public key is available at https://www.mongodb.org/static/pgp/server-2.6.asc. |
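As an added example (not code from the ticket or from MongoDB), a small POSIX shell audit that flags the weak repository settings discussed in this thread (plain-http baseurl, gpgcheck=0, no gpgkey) and accepts a corrected definition that imports the public key; the baseurl paths are constructed placeholders, and the only value taken from the ticket is the key URL.

```shell
#!/bin/sh
# Added example, not code from the ticket or from MongoDB: check yum .repo
# files for the weak settings the comments above describe (plain-http baseurl,
# gpgcheck=0, no gpgkey). The baseurl paths are constructed placeholders; the
# key URL is the one quoted in the ticket.
WEAK="${TMPDIR:-/tmp}/mongodb-weak.repo"
HARD="${TMPDIR:-/tmp}/mongodb-hardened.repo"

# Constructed sample: the unsigned, plain-http definition the old docs gave.
cat > "$WEAK" <<'EOF'
[mongodb]
name=MongoDB Repository
baseurl=http://REPO_HOST_PLACEHOLDER/repo/redhat/os/x86_64/
gpgcheck=0
enabled=1
EOF

# Constructed sample: what a corrected definition should look like.
cat > "$HARD" <<'EOF'
[mongodb]
name=MongoDB Repository
baseurl=https://repo.mongodb.org/REPO_PATH_PLACEHOLDER/x86_64/
gpgcheck=1
enabled=1
gpgkey=https://www.mongodb.org/static/pgp/server-2.6.asc
EOF

# audit_repo FILE: prints one finding per problem; returns 0 only when every
# section has an https baseurl, gpgcheck=1 and a gpgkey.
audit_repo() {
    awk '
    function report() {
        if (sec == "") return
        if (url !~ /^https:\/\//) { printf "%s: baseurl is not https\n", sec; bad = 1 }
        if (check != "1")         { printf "%s: gpgcheck is not 1\n", sec; bad = 1 }
        if (key == "")            { printf "%s: no gpgkey set\n", sec; bad = 1 }
    }
    /^\[.*\]$/   { report(); sec = $0; url = check = key = ""; next }
    /^baseurl=/  { url = substr($0, 9) }
    /^gpgcheck=/ { check = substr($0, 10) }
    /^gpgkey=/   { key = substr($0, 8) }
    END { report(); exit bad }' "$1"
}

# Run the audit over both constructed files.
audit_repo "$WEAK" || echo "$WEAK: rejected"
audit_repo "$HARD" && echo "$HARD: accepted"
```

Even with gpgcheck=1, the key fetched from gpgkey should be compared against a fingerprint obtained out of band before it is trusted, since yum will import whatever the URL serves.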
| Comment by Jarom Loveridge [ 21/Mar/15 ] |
|
I 100% agree with Jason Woods. The lack of a signature and providing the files over HTTP instead of HTTPS is a serious issue and needs to be rectified. This is a very serious security oversight from MongoDB and is even more unacceptable for their enterprise packages. These are paying customers who are being exposed to security risks due to an unacceptable lack of security from their database vendor. (We are one such customer.) |
| Comment by Jason Woods [ 19/Jan/15 ] |
|
It may also be beneficial to add a note to this ticket in the documentation next to the notice about unsigned packages and security implications. That will at least allow you to gather more accurate impact/exposure counts, as it will likely bring it more votes. |
| Comment by Jason Woods [ 19/Jan/15 ] |
|
ernie.hershey@10gen.com Any idea on when this may be implemented? I can see why there is a small number of votes though. The official Mongo documentation explicitly tells the user to set up an inherently insecure package repository. I would advise that this documentation is updated to NOT do this. There is absolutely no warning there at all, and this WILL create a growing community of users who can be attacked via their mongodb repository, simply by DNS or other method of injecting malicious packages. Personally, I think the combination of unsigned packages, and endorsing unsigned packages in the documentation, should be treated with the utmost urgency. At the very least, the documentation should be updated to emphasize to users that this needs to be addressed in their security policies. Documentation here: http://docs.mongodb.org/manual/tutorial/install-mongodb-on-red-hat-centos-or-fedora-linux/ |
| Comment by Michele Perucic [ 26/Nov/14 ] |
|
Hi, |
| Comment by Ernie Hershey [ 26/Nov/14 ] |
|
jkramarz - thanks a lot for your interest in participating. The work that needs to be done to sign RPM packages is in internal processes, so the most helpful participation at the moment is voting for this ticket and commenting to let us know that it's important to you. |
| Comment by Jakub Kramarz [ 10/Nov/14 ] |
|
I've been deploying a Spacewalk server for my company and ran into the unsigned MongoDB packages problem. |
| Comment by Jason Woods [ 22/Aug/14 ] |
|
Any update on when this might happen? The repository URLs are HTTP too which renders the repository unusable in any security conscious environment. |