
Red Hat 7.2 GnuPG signed RPM verification fails on distribution files

by Majik on October 24th, 2001

History of advisory:
Oct 23, 2001: While downloading Red Hat 7.2, Kurt Seifried noticed that various packages were not GnuPG signed.


Red Hat 7.2 distribution files on popular ftp sites are not signed. It is unlikely that this is an attack, as the number of sites involved makes it likely that someone would have noticed and notified the community. Either Red Hat did not sign these packages, or someone subverted the distribution process before the files reached the various sites. Note that for Red Hat 7.1 all files were correctly signed with the Red Hat GnuPG security key.


An attacker can create RPMs that will not appear any different from the real ones, since unsigned packages are now what users expect to see. Finding the MD5 sums of the files in trusted locations is very difficult (I cannot find any lists).


Red Hat has released Red Hat 7.2, a much anticipated release. Typically all the RPM distribution files are signed, making it very easy to verify their integrity. Since numerous packages are not signed, it becomes trivial for an attacker to replace packages on a distribution site with no one being able to easily verify that they have been subverted. An attacker would not even need to modify or add files to the package; instead they could add a preinstall, postinstall, preuninstall or postuninstall script capable of compromising the system, since these scripts run with root privileges. Unsigned packages include rpmdb-redhat and redhat-release.
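The practical problem described above is that `rpm --checksig` on an unsigned package still reports OK (the MD5 digest matches), so the missing signature is easy to overlook. The following script is an added example, not part of the advisory or of Red Hat's tooling: it reads `rpm --checksig` output and flags every package for which only a digest, and no GnuPG/PGP signature, was verified, and it shows how to dump the root-run scriptlets of a package before installing it. The output format it parses ("file.rpm: md5 gpg OK" for signed, "file.rpm: md5 OK" for unsigned) is an assumption about rpm 4.0-era output; the package names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not from the advisory): audit `rpm --checksig` output and
# flag packages that carry no GnuPG/PGP signature, then show how to inspect
# the install scriptlets of a package before trusting it.
#
# Assumed output format (rpm 4.0-era; an assumption of this example):
#   bash.i386.rpm: md5 gpg OK        <- digest and signature verified
#   foo.i386.rpm: md5 OK             <- digest only: package is UNSIGNED
#   bar.i386.rpm: md5 GPG NOT OK     <- signature present but does not verify
# Newer rpm releases print "digests signatures OK"; "signatures" is treated
# as a signature token as well.

# Read `rpm --checksig` lines on stdin, print one verdict per package.
classify_checksig() {
    while IFS= read -r line; do
        file=${line%%:*}          # everything before the first colon
        result=${line#*: }        # everything after "file: "
        case "$result" in
            *"NOT OK"*)
                echo "BAD $file" ;;              # digest or signature failed
            *[gG][pP][gG]*|*[pP][gG][pP]*|*signatures*)
                echo "SIGNED $file" ;;           # a signature check ran and passed
            *)
                echo "UNSIGNED $file" ;;         # digests only: nobody vouched for it
        esac
    done
}

# Print the names of unsigned packages only (empty output means all signed).
unsigned_only() {
    classify_checksig | sed -n 's/^UNSIGNED //p'
}

# Run the real check over a directory of RPMs.  Requires rpm(8); the
# vendor's public key must be imported or rpm cannot verify the signature.
audit_rpm_dir() {
    rpm --checksig "$1"/*.rpm 2>/dev/null | classify_checksig
}

# Show the pre/post (un)install scriptlets that run as root at install time.
# This is where an attacker would put the payload of a replacement package.
show_scriptlets() {
    rpm -qp --scripts "$1"
}

# Constructed sample of checksig output; package names are illustrative only.
SAMPLE='signed-example.i386.rpm: md5 gpg OK
rpmdb-redhat.i386.rpm: md5 OK
redhat-release.noarch.rpm: md5 OK
tampered-example.i386.rpm: md5 GPG NOT OK'

printf '%s\n' "$SAMPLE" | classify_checksig

# Only invoke rpm when it is actually installed and a directory was given.
if [ -n "$1" ] && command -v rpm >/dev/null 2>&1; then
    audit_rpm_dir "$1"
fi
```

Run it with a directory of downloaded RPMs as the first argument; any line starting with UNSIGNED names a package that nobody has vouched for, and `show_scriptlets` on such a package displays exactly the preinstall/postinstall code that would execute as root.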

Solutions and workarounds:

None available. Red Hat needs to sign the packages properly with

