diff -up yum-3.4.3/docs/yum.conf.5.orig yum-3.4.3/docs/yum.conf.5 --- yum-3.4.3/docs/yum.conf.5.orig 2017-10-26 11:13:52.013324456 +0200 +++ yum-3.4.3/docs/yum.conf.5 2017-10-26 11:15:37.733858789 +0200 
@@ -106,28 +106,34 @@ default for all repositories. The defaul .IP \fBpayload_gpgcheck\fR -Either `1' or `0'. This tells yum whether or not it should also perform a GPG -signature check on the payload (part of a package holding the actual files that -comprise the package). - -By default, yum only performs GPG signature checks on package headers. -Thus, if the payload data has been tampered with or corrupted, yum will fail in -the middle of the transaction due to an RPM unpacking error, after some -unverified scriptlets might have already run, and possibly leave the package in -question partly installed. - -To prevent all of that, you can enable this option to extend the signature -check to also include the payload, so that yum can avoid running the -transaction in case of payload corruption. -This slightly improves security, however at the expense of significantly -increased transaction time, so you may want to only use this option when -package corruption is a concern. +Either `1' or `0'. This tells yum whether or not it should perform a v3 +signature check on packages when \fBgpgcheck\fR (or \fBlocalpkg_gpgcheck\fR for +local packages) is enabled. + +There are two types of GPG signatures generated by rpm: v3 (on header+payload) +and v4 (on header only). When rpm signs a package, it creates both types. Yum +can verify any of them before the transaction, depending on which options are +set. When \fBgpgcheck\fR is enabled and this option is disabled, yum will +verify v4 signatures only. When both \fBgpgcheck\fR and this option are +enabled, yum will verify both v4 and v3 signatures (equivalent to running "rpm +\-\-checksig"). The same rules apply to local packages and the +\fBlocalpkg_gpgcheck\fR option accordingly. + +Since the header contains sha256 digests of individual files in the payload (a +gzip-compressed cpio archive of files used in the package), verifying the +header signature (v4) is sufficient to ensure authenticity and integrity of the +whole package. 
After rpm unpacks the payload, it moves the files to their +destination paths one by one after they pass the digest check. If a file +doesn't pass, it won't be moved and the transaction will abort. However, +because no rollback is done in such a case, the package may end up in the +partially installed state. + +By verifying v3 signatures, yum will detect payload tamper before the +transaction. While this will slightly increase processing time for big +transactions and/or packages, it will prevent such broken installs and enhance +security. -For this option to have effect, make sure to also enable gpgcheck (or -localpkg_gpgcheck for local packages). - -When this option is set in the [main] section it sets the default for all -repositories. The default is `0'. +The default is `0'. .IP \fBskip_broken\fR diff -up yum-3.4.3/rpmUtils/miscutils.py.orig yum-3.4.3/rpmUtils/miscutils.py --- yum-3.4.3/rpmUtils/miscutils.py.orig 2017-10-26 11:13:49.637334921 +0200 +++ yum-3.4.3/rpmUtils/miscutils.py 2017-10-26 11:15:43.141834969 +0200 @@ -61,8 +61,8 @@ def compareVerOnly(v1, v2): def checkSig(ts, package, payload=False): """Takes a transaction set and a package, check it's sigs. - By default, only RPMv4 sigs (header-only) will be verified (faster). By - setting payload to True, RPMv3 sigs (header+payload) will also be verified + By default, only v4 sigs (header-only) will be verified (faster). By + setting payload to True, v3 sigs (header+payload) will also be verified (slower). return 0 if they are all fine
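Review bot: In the yum.conf.5 hunk the removed sentence "When this option is set in the [main] section it sets the default for all repositories" is not carried into the new text, so a reader can no longer tell whether payload_gpgcheck is still a per-repository setting that [main] only defaults; if that behaviour is unchanged, keep that sentence before "The default is `0'." Two wording points in the added paragraphs: "Yum can verify any of them" reads better as "either of them", and "payload tamper" should be "payload tampering". The parenthetical "(a gzip-compressed cpio archive ...)" and "sha256 digests" describe one common configuration rather than rpm's fixed format, since both the payload compressor and the file digest algorithm are build-time choices; "a compressed cpio archive" and "file digests (SHA-256 by default)" would avoid stating more than the option guarantees.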
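Review bot: In the miscutils.py hunk the docstring edit only swaps "RPMv4"/"RPMv3" for "v4"/"v3" and leaves the typo in the unchanged first line, "check it's sigs", which should read "checks its sigs"; since the docstring is being touched anyway, fix it in the same change. It would also help callers to state the failure return values next to "return 0 if they are all fine", so that the difference between a missing key and a bad signature is documented where the payload parameter is explained.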