On 19/01/2026 22:46, Neal Gompa wrote:
On Mon, Jan 19, 2026 at 4:14 PM Petr Menšík <[email protected]> wrote:
On 19/01/2026 14:57, Neal Gompa wrote:
The easier thing to do would be to update redhat-rpm-config in RHEL,
not do weird things to the gnupg2 package.
Can you give an example of what change in redhat-rpm-config in RHEL would
help? I want to have my rawhide branch spec file with the latest version
built on CentOS 10, for example.

redhat-rpm-config on that version already provides the %gpgverify macro, but
expects gnupg2 to be in the BuildRequires: of the spec. The gpgv2 symlink to gpgv
is used by the shell script packaged in redhat-rpm-config.

I think we do not need changes to the %gpgverify script, but in
BuildRequires. That never was in the form of a macro and therefore cannot be
changed by a macro definition.

Adding an alias to the gnupg2 package will ensure the shell script in
/usr/lib/rpm/redhat/gpgverify can find gpgv2 even with BuildRequires:
gpgverify, according to the latest Packaging Guidelines. We do not have
separate guidelines for RHEL and often look at Fedora's.

This should be the most minimal way possible to improve the current
situation. Of course adding gpgverify to RHEL itself is a better
variant, but I would not call it minimal in that case.

The easiest thing would be to subpackage it and then use conditional
dependencies to drag it in properly for older packages.

Then when RHEL 11 rolls around, the subpackage is cleanly replaced
with the fully separate package.

Subpackage of what package, please? Should we make it a subpackage of redhat-rpm-config only? That is where the code now resides. That is certainly possible; the subpackage could even have a separate version of the verification script.

It consists of 2 parts in 2 separate packages on CentOS 10 and 9. redhat-rpm-config contains the shell wrapper, checking separately:

1) that the keyring is a valid PGP keyring and contains valid keys.
2) that the signature is valid, verified by the keyring only, imported into a temporary directory.

Then gnupg2 is a separate package, with a separate gnupg2-verify subpackage. That provides the gpgv{,2} commands and is required in CentOS for source verification too. Both are needed in the old variant present on CentOS. Instead, gpgv and sqv could be modified to return one exit code for a wrong keyring and a different one for a wrong signature. That should be enough IMO. That wrapper could be used to implement either gnupg2- or sqv-based verification with the same script, but it is a tiny wrapper around real native code.

Conditional dependencies are not necessary if the gnupg2 package can provide the gpgverify symbol too. That is easier to debug and understand. I prefer it as a minimal and sufficient way. Of course it does not add the multiple-keyrings functionality, which I should have used in Unbound if I had known it was possible.

The reason for a separate shell script is the need to delete the temporary directory created, IMO. Ideally that should not be necessary, and whatever verification tools are used should be able to use keyrings as they are passed on the command line.

The eln branch already has gpgverify and I expect that automatically means it will be added to RHEL 11, unless it changes in the meantime. I expect the RHEL crypto team would prefer to use Sequoia-based verification instead of gpg in RHEL 11.

Cheers,
Petr

--
Petr Menšík
Senior Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
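The two-stage check the message describes (validate the keyring first, then verify the signature against only that keyring inside a throw-away directory that is always removed), written out as an added example. This is not the redhat-rpm-config gpgverify script nor anything from gnupg2; it assumes gpg and gpgv are on PATH, that the signature is detached, and the distinct exit codes for "bad keyring" versus "bad signature" are values chosen here to illustrate the proposal, not codes any tool documents.

```shell
#!/bin/sh
# Added example, not the redhat-rpm-config gpgverify wrapper.
# Stage 1: the keyring must import cleanly into a fresh GNUPGHOME and yield
#          at least one public key (a valid keyring with valid keys).
# Stage 2: gpgv verifies the detached signature against that keyring only.
# The temporary directory is removed on every path, which is the chore a
# wrapper script exists for. Exit codes below are assumptions of this example.
set -u

GV_OK=0
GV_USAGE=1
GV_BAD_KEYRING=2
GV_BAD_SIGNATURE=3
GV_NO_TOOLS=4

# gpgverify_check KEYRING SIGNATURE DATA
gpgverify_check() {
    keyring=${1:-}; sig=${2:-}; data=${3:-}
    if [ -z "$keyring" ] || [ -z "$sig" ] || [ -z "$data" ]; then
        echo "usage: gpgverify_check KEYRING SIGNATURE DATA" >&2
        return "$GV_USAGE"
    fi
    # An unreadable keyring is reported as a keyring failure before any tool runs.
    if [ ! -r "$keyring" ]; then
        echo "keyring not readable: $keyring" >&2
        return "$GV_BAD_KEYRING"
    fi
    if [ ! -r "$sig" ] || [ ! -r "$data" ]; then
        echo "signature or data file not readable" >&2
        return "$GV_USAGE"
    fi
    if ! command -v gpg >/dev/null 2>&1 || ! command -v gpgv >/dev/null 2>&1; then
        echo "gpg and gpgv are required" >&2
        return "$GV_NO_TOOLS"
    fi

    # Fresh home so the builder's own keyrings and trust database are never consulted.
    tmp=$(mktemp -d) || return "$GV_USAGE"
    chmod 700 "$tmp"
    rc=$GV_OK

    # Stage 1: import must succeed and produce at least one "pub:" record.
    if ! gpg --homedir "$tmp" --batch --quiet --import "$keyring" >/dev/null 2>&1 \
       || ! gpg --homedir "$tmp" --batch --with-colons --list-keys 2>/dev/null | grep -q '^pub:'; then
        echo "not a usable OpenPGP keyring: $keyring" >&2
        rc=$GV_BAD_KEYRING
    # Stage 2: export the imported keys as a binary keyring and verify against that file only.
    elif ! gpg --homedir "$tmp" --batch --export > "$tmp/keys.gpg" 2>/dev/null \
       || ! gpgv --homedir "$tmp" --keyring "$tmp/keys.gpg" "$sig" "$data"; then
        echo "signature does not verify with the given keyring" >&2
        rc=$GV_BAD_SIGNATURE
    fi

    rm -rf "$tmp"
    return "$rc"
}

# Usage: gpgverify_check upstream.keyring pkg.tar.gz.asc pkg.tar.gz; echo "exit=$?"
```

Because the failure classes map to different return values, a spec's %prep (or a CI job) can tell "the packager shipped a broken keyring" apart from "the tarball does not match its signature", which is the distinction the message asks gpgv and sqv to expose natively.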

--
_______________________________________________
devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue