Signature Verification DISABLED for RPM Packages

Hello,

I am trying to set up a RHEL server with k6. Looking at the instructions to install the rpm repo, the file it instructs users to install under /etc/yum.repos.d/ contains two lines:

gpgcheck=0
repo_gpgcheck=0

This disables signature verification of the RPM files and the yum repository metadata.

If I remove the lines (or change the value to 1), running yum install k6 fails with the error:

Package k6-v0.25.1-amd64.rpm is not signed

Is this not a security issue, especially when using a 3rd party service (Bintray) to distribute the packages? If Bintray is compromised, an attacker can upload a malicious k6 package and all the systems using the repo would install it without question.

Am I misunderstanding something here?

Thanks,
Steve
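The weak repo definition described above beside its corrected form, as an added example that is not part of the forum thread or the k6 project's own tooling. The script constructs a sample .repo file mirroring the two quoted lines, reports whether either package or metadata verification is disabled, and writes a hardened copy with both checks enabled. The baseurl is illustrative, the gpgkey URL is a placeholder to be replaced with the project's real signing key, and the file is assumed to hold a single [section].

```shell
#!/bin/sh
# Added example, not from the k6 project or the forum thread above.
# Audits a yum/dnf .repo file for disabled signature verification and writes a
# hardened copy. The sample repo file is constructed here to mirror the two
# lines quoted in the post; the baseurl is illustrative and the gpgkey URL is
# a placeholder that must be replaced with the project's real signing key.
set -eu

# Constructed weak repo definition: both checks are switched off, so an
# attacker who controls the host (or a mirror) can substitute packages and
# metadata without the client noticing.
weak_repo() {
    cat <<'EOF'
[k6]
name=k6
baseurl=https://dl.bintray.com/loadimpact/rpm
enabled=1
gpgcheck=0
repo_gpgcheck=0
EOF
}

# Value of KEY in FILE, or "unset" when the line is absent. Both yum and dnf
# treat an absent gpgcheck as disabled unless the [main] config overrides it,
# so an absent line is just as dangerous as gpgcheck=0.
repo_setting() {
    file=$1; key=$2
    val=$(sed -n "s/^$key=//p" "$file" | tail -n 1)
    [ -n "$val" ] && printf '%s\n' "$val" || printf 'unset\n'
}

# True (exit 0) when package or repository-metadata verification is not
# enforced; false (exit 1) only when both are explicitly set to 1.
repo_is_unverified() {
    [ "$(repo_setting "$1" gpgcheck)" = 1 ] &&
    [ "$(repo_setting "$1" repo_gpgcheck)" = 1 ] && return 1
    return 0
}

# Rewrite IN to OUT with both checks enabled and a gpgkey line pointing at
# KEYURL. Existing lines are replaced in place; missing lines are appended,
# which assumes the file contains a single [section].
harden_repo() {
    in=$1; out=$2; keyurl=$3
    awk -v keyurl="$keyurl" '
        /^gpgcheck=/      { print "gpgcheck=1";      seen_g = 1; next }
        /^repo_gpgcheck=/ { print "repo_gpgcheck=1"; seen_r = 1; next }
        /^gpgkey=/        { print "gpgkey=" keyurl;  seen_k = 1; next }
        { print }
        END {
            if (!seen_g) print "gpgcheck=1"
            if (!seen_r) print "repo_gpgcheck=1"
            if (!seen_k) print "gpgkey=" keyurl
        }' "$in" > "$out"
}

# Stand-alone demonstration on the constructed sample.
workdir=$(mktemp -d)
weak_repo > "$workdir/k6.repo"
if repo_is_unverified "$workdir/k6.repo"; then
    echo "k6.repo: signature verification of packages or metadata is disabled"
fi
harden_repo "$workdir/k6.repo" "$workdir/k6-hardened.repo" \
    "https://example.invalid/k6-signing-key.gpg"   # placeholder key URL
cat "$workdir/k6-hardened.repo"
rm -rf "$workdir"
```

Two caveats a practitioner would add: the key referenced by gpgkey has to be obtained over a channel the package host does not control (a project web page, a keyserver, a published fingerprint), because a host that can serve a malicious package can just as easily serve a matching malicious key; and gpgcheck=1 only helps once the packages are actually signed, which is the gap the post above identified. An individual downloaded package can be checked by hand with `rpm --checksig` (or `rpm -K`) after importing the key with `rpm --import`.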

Ah, thanks for pointing this out! You are totally right, we should guard against that attack vector by signing our releases :disappointed: I’ve created a new GitHub issue for this task: https://github.com/loadimpact/k6/issues/1247

Thank you for the positive response! I’ll subscribe to that GitHub issue.

(I was expecting some pushback, as I've gotten in the past with various other open-source projects.)