@chaosoffire chaosoffire commented Jan 7, 2026

Description

This PR standardizes and enforces GPG verification requirements across multiple supported distributions. The primary change is the introduction of a validateGPGRequirements helper in common.go, which implements the following logic requested in #963:

  • HTTP: A GPG keyring is now strictly required. If a GPG keyring is not specified/available, the build will fail early.
  • HTTPS: If a GPG keyring is specified, it is used. If not, the download proceeds with a warning, leveraging the transport layer security of HTTPS but alerting the user to the lack of correct signature verification.
  • Explicit Keys: If keys are defined in the source definition, verification is always enforced, regardless of the protocol.

This logic has been applied to almalinux, alpine, archlinux, centos, funtoo, gentoo, rocky, ubuntu, and voidlinux sources.

Specific security fixes included:

  • Rocky Linux: Fixed an issue where the CHECKSUM file was downloaded but not verified against its signature.
  • CentOS: Fixed an issue where 'SHA256SUM' and 'CHECKSUM' files were downloaded but not GPG verified.
  • Gentoo: The portage snapshot download now correctly re-parses the URL and calls validateGPGRequirements, ensuring GPG checks are enforced unless explicitly skipped.

Unit tests for validateGPGRequirements have been added in common_test.go.

Fixes #963

Verification

  • Scenario 1: Any protocol with keys — GPG verification is always performed, regardless of skip_verification setting.
  • Scenario 2: HTTP without keys — Build fails with an error requiring GPG keys.
  • Scenario 3: HTTPS without keys and skip_verification equals false — Build proceeds with a warning about missing GPG verification.
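The policy described above, as an added Go example that is not distrobuilder's own validateGPGRequirements: `decideGPG`, `GPGOutcome` and the `Skipped` outcome are hypothetical names, and treating skip_verification=true with no keys as a skip is an assumption taken from the Gentoo bullet.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
)

// GPGOutcome is what the download must do after the policy is applied.
type GPGOutcome int

const (
	VerifyRequired     GPGOutcome = iota // a signature check must run before use
	ProceedWithWarning                   // HTTPS, no keys: transport security only
	Skipped                              // no keys and verification explicitly skipped
)

var errKeyringRequired = errors.New("plain HTTP download requires a GPG keyring or keys")

// decideGPG is a hypothetical stand-in for validateGPGRequirements (not the
// project's code), applying the PR's policy: explicit keys always verify; http
// needs a keyring or fails early; https verifies with a keyring, else warns.
// Skipped for skipVerification with no keys is an assumption from the Gentoo bullet.
func decideGPG(rawURL string, keys []string, keyring string, skipVerification bool) (GPGOutcome, error) {
	u, err := url.Parse(rawURL)
	if err != nil {
		return 0, err
	}
	if len(keys) > 0 {
		return VerifyRequired, nil
	}
	if skipVerification {
		return Skipped, nil
	}
	switch u.Scheme {
	case "http":
		if keyring == "" {
			return 0, errKeyringRequired // fail the build before downloading
		}
		return VerifyRequired, nil
	case "https":
		if keyring != "" {
			return VerifyRequired, nil
		}
		fmt.Printf("warning: %s will not be GPG verified; relying on HTTPS only\n", rawURL)
		return ProceedWithWarning, nil
	default:
		return 0, fmt.Errorf("unsupported scheme %q in %s", u.Scheme, rawURL)
	}
}
```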

This commit introduces a centralized GPG verification requirement logic
in `sources/common.go` via the `validateGPGRequirements` method.
It ensures consistent security constraints across multiple supported distributions.

Specific security fixes included:
- Rocky Linux: Fixed an issue where the `CHECKSUM` file was downloaded but not GPG verified.
- CentOS: Fixed an issue where 'SHA256SUM' and 'CHECKSUM' files were downloaded but not GPG verified.
- Gentoo: Added GPG requirement validation for the portage snapshot download URL.

Fixes: lxc#963
Signed-off-by: Chaosoffire <[email protected]>
@stgraber stgraber merged commit 5c63598 into lxc:main Jan 7, 2026
6 of 8 checks passed
stgraber commented Jan 7, 2026

Thanks!

@chaosoffire chaosoffire deleted the fix-2 branch January 8, 2026 00:39
@stgraber

@chaosoffire unfortunately this change broke:

Actually, most of our image builds started breaking, but the majority were because of outdated GPG keyrings on our side, so that's fine, I fixed those, but the three above appear to be generally broken (looking for non-existing files).

@chaosoffire

@stgraber Thanks for checking the issues. I'll check the logs for the error and open a follow-up PR shortly.

Linked issue: HTTPS downloads skip GPG/checksum verification even when SkipVerification is false