And then, if I replace the LVFS key in fwupd-metadata with another (e.g. RPM-GPG-KEY-rpmfusion-nonfree-fedora-25) and restart the daemon:
11:21:24 Adding public key /etc/pki/fwupd-metadata/RPM-GPG-KEY-rpmfusion-nonfree-fedora-25
11:21:24 importing key DD7525B6184B0512AA8CB1002E59159B96CA6280 [0] Success
11:21:24 Using signature fingerprint 3FC6B804410ED0840D8F2F9748A6D80E4538BAC2
So it is somewhat confusing that we're still using the "removed" LVFS key for verification success. I suppose it's a bug we're using the default persistent store (of root), which I supposed could be fixed using gpgme_ctx_set_engine_info() and setting the homedir to something like /usr/lib/fwupd -- although this might not be expected if you want to just import a key as a root user and then expect it just to work with fwupd.
So, certainly not a CVE, but somewhat non-obvious. I'd be open to changing the keyring to be fwupd-specific (and adding docs) if this would make things more obvious, although I'd have to check with the Red Hat security team again before doing so.
As for changing /tmp/firmware.xml.gz.asc I'm not exactly sure what you mean; there is of course no inotify watch there. We download the files and then open them, sending the file descriptors to the daemon rather than as a filename or data blob. The download check is being done on the large firmware files themselves, using the data from the metadata, so I'm a little confused what you're trying to do. If you want to test corrupting the metadata or signing files the best way to do this would be to edit fu-util.c and modify the data before it gets squirted to the daemon as a pair of file descriptors.
Yes, also further to Mario's comment (you do need to restart the daemon) you also need to clear the persistent gpg2 keyring. I perhaps wasn't clear we also using the persistent keyring store -- using commit https:/ /github. com/hughsie/ fwupd/commit/ e4141f4f234d258 424020069dadf8d f39848a119 I see (using the defaults):
11:14:53 importing key 3FC6B804410ED08 40D8F2F9748A6D8 0E4538BAC2 [0] Success 40D8F2F9748A6D8 0E4538BAC2
11:14:53 Using signature fingerprint 3FC6B804410ED08
And then, if I replace the LVFS key in fwupd-metadata with another (e.g. RPM-GPG- KEY-rpmfusion- nonfree- fedora- 25) and restart the daemon:
11:21:24 Adding public key /etc/pki/ fwupd-metadata/ RPM-GPG- KEY-rpmfusion- nonfree- fedora- 25 2AA8CB1002E5915 9B96CA6280 [0] Success 40D8F2F9748A6D8 0E4538BAC2
11:21:24 importing key DD7525B6184B051
11:21:24 Using signature fingerprint 3FC6B804410ED08
So it is somewhat confusing that we're still using the "removed" LVFS key for verification success. I suppose it's a bug we're using the default persistent store (of root), which I supposed could be fixed using gpgme_ctx_ set_engine_ info() and setting the homedir to something like /usr/lib/fwupd -- although this might not be expected if you want to just import a key as a root user and then expect it just to work with fwupd.
So, certainly not a CVE, but somewhat non-obvious. I'd be open to changing the keyring to be fwupd-specific (and adding docs) if this would make things more obvious, although I'd have to check with the Red Hat security team again before doing so.
As for changing /tmp/firmware. xml.gz. asc I'm not exactly sure what you mean; there is of course no inotify watch there. We download the files and then open them, sending the file descriptors to the daemon rather than as a filename or data blob. The download check is being done on the large firmware files themselves, using the data from the metadata, so I'm a little confused what you're trying to do. If you want to test corrupting the metadata or signing files the best way to do this would be to edit fu-util.c and modify the data before it gets squirted to the daemon as a pair of file descriptors.