Written: 2018-05-23 (Jaruga)
Dandified YUM (or 'DNF') is a package manager for rpm-based distributions that is utilises core libraries (or 'repositories') to facilitate the installation and removal of software. DNF is a modernised version of YUM that was introduced in Fedora 18, and has been the default package manager since Fedora 22. While it already includes mechanisms for guaranteeing the authenticity of the packages you download, an adversary sniffing your network traffic can still see what software you are installing. This is where Tor comes in.
Torifying all repositories
Like lots of open-source software, DNF is controlled by a configuration file. Adding Tor as a Socks5 proxy will allow the system to safely fetch packages over the network.
- First and foremost, make sure you have Tor installed and currently running.
- Open up
/etc/dnf/dnf.confin your favourite text editor. (must be root or have sudo privileges)
- Add the following line
proxy=socks5://127.0.0.1:9050to the bottom. Save and exit.
- Run the command
sudo dnf updateto ensure DNF is able to connect.
You should now be successfully fetching packages and updates from your distributions repositories via the Tor network.
Torifying individual repositories
You can also add individual connection profiles for each repository in your source file. To perform this, simply add the following lines to
name=my-repository baseurl=https://github.com/myrepository enabled=1 gpgcheck=1 gpgkey=https://mysite.com/public_signing_key.pub proxy=socks5://127.0.0.1:9050
Please note it is very important to ensure
gpgcheck is always present and set to '1'. Failing to do this will permit your system to download packages from unauthenticated sources, and be left wide open to MitM attacks!