Signature Verification DISABLED for RPM Packages

Hello,

I am trying to setup a RHEL server with k6. Looking at the instructions to install the rpm repo, the file it instructs users to install under /etc/yum.repos.d/ contains two lines:

gpgcheck=0
repo_gpgcheck=0

This disables signature verification of the RPM files and the yum repository metadata.

If I remove the lines (or change the value to 1), running yum install k6 fails with the error:

Package k6-v0.25.1-amd64.rpm is not signed

Is this not a security issue, especially when using a 3rd party service (Bintray) to distribute the packages? If Bintray is compromised, an attacker can upload a malicious k6 package and all the systems using the repo would install it without question.

Am I misunderstanding something here?

Thanks,
Steve

Ah, thanks for pointing this out! You are totally right, we should guard against that attack vector by signing our releases :disappointed: I’ve created a new GitHub issue for this task: Improve security and automation of official binary releases · Issue #1247 · grafana/k6 · GitHub

Thank you for the positive response! I’ll subscribe to that GitHub issue.

(I was expecting some pushback as I’ve gotten in the past with other various open-source projects).

Hi there, this is a bit of an old thread, but just to let you know that RPM packages are now signed with our own GPG key, and gpgcheck is enabled for the repo. See the updated installation instructions.

We missed signing of the repo metadata, so repo_gpgcheck is still disabled, but we’ll make that happen soon as well. Now that we have control over the repositories it shouldn’t take us a year. :slight_smile:

Slight correction: we decided to not sign repo metadata and leave repo_gpgcheck disabled since it’s known to cause issues, and is not enabled even on main Fedora repositories.