On Tue, Jan 20, 2026 at 4:48 AM Petr Menšík <[email protected]> wrote:
>
> On 19/01/2026 22:46, Neal Gompa wrote:
> > On Mon, Jan 19, 2026 at 4:14 PM Petr Menšík <[email protected]> wrote:
> >> On 19/01/2026 14:57, Neal Gompa wrote:
> >>> The easier thing to do would be to update redhat-rpm-config in RHEL,
> >>> not do weird things to the gnupg2 package.
> >> Can you give an example of what change in redhat-rpm-config in RHEL would
> >> help? I want to have my rawhide branch spec file with the latest version
> >> built on CentOS 10, for example.
> >>
> >> redhat-rpm-config on that version already provides the %gpgverify macro, but
> >> expects gnupg2 to be in the BuildRequires: of the spec. The gpgv2 symlink to
> >> gpgv is used by the shell script packaged in redhat-rpm-config.
> >>
> >> I think we do not need changes to the %gpgverify script, but in
> >> BuildRequires. That was never in the form of a macro and so cannot be
> >> changed by a macro definition.
> >>
> >> Adding an alias to the gnupg2 package will ensure the shell script in
> >> /usr/lib/rpm/redhat/gpgverify can find gpgv2 even with BuildRequires:
> >> gpgverify, according to the latest Packaging guidelines. We do not have
> >> separate guidelines for RHEL and often look into Fedora's.
> >>
> >> This should be the most minimal way possible, improving the current
> >> situation. Of course adding gpgverify to RHEL itself is a better
> >> variant, but I would not call it minimal in that case.
> >>
> > The easiest thing would be to subpackage it and then use conditional
> > dependencies to drag it in properly for older packages.
> >
> > Then when RHEL 11 rolls around, the subpackage is cleanly replaced
> > with the fully separate package.
> >
> Subpackage of what package, please? Should we make it a subpackage of
> redhat-rpm-config only? That is where the code now resides. That is
> certainly possible; the subpackage could even have a separate version of the
> verification script.
>

That's what I'm saying. Subpackage it in redhat-rpm-config, move the
script there, add the necessary deps to pull it in for older packages
in RHEL, etc.

> It consists of 2 parts in 2 separate packages on CentOS 10 and 9.
> redhat-rpm-config contains the shell wrapper checking separately:
>
> 1) the keyring is a valid PGP keyring and contains valid keys.
> 2) the signature is valid is verified by the keyring only, imported into
> temporary directory.
>
> Then gnupg2 is a separate package, with a separate gnupg2-verify
> subpackage. That provides the gpgv{,2} commands and is required in CentOS
> for sources verification too. Both are needed in the old variant,
> present on CentOS. Instead, gpgv and sqv could be modified to return
> one exit code for a wrong keyring and a different one for a wrong signature.
> That should be enough IMO. That wrapper could be used to implement
> either gnupg2 or sqv based verification by the same script, but is a
> tiny wrapper around real native code.
>
> Conditional dependencies are not necessary if the gnupg2 package can
> provide the gpgverify symbol too. That is easier to debug and understand. I
> prefer it as a minimal and sufficient way. Of course it does not add
> multiple-keyring functionality, which I should have used in Unbound if
> I knew it was possible.
>

The whole *point* is to avoid that.


-- 
真実はいつも一つ!/ Always, there's only one truth!