> On Feb 13, 2015, at 3:17 AM, Elan Ruusamäe <g...@pld-linux.org> wrote:
>
> On 12.02.2015 19:55, Jeffrey Johnson wrote:
>> OK. So you have a workaround (by disabling header signature verification)
>> for -Va for the moment.
>> and also have an alternative means to verify header signatures using a shell
>> loop.
> i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so
> you're saying that (with my current package patch) header verification is
> disabled for both? (as no header verification errors are printed).
>

They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state
associated with pubkey retrieval to minimize network/rpmdb access.

Yes, the patch disables header signature verification for both rpm -V and rpm -Va.

>> You should also convince yourself that header signatures are verified when
>> installing a package:
>>
>> rpm -Uvv somepackage*.rpm
> but rpm -Uhv $pkg.rpm does not emit header errors. or the extra -v is needed
> to see them?

The extra -v is needed to see the 3 lines I gave you, --nosignatures/--nodigests
disables verification. You know this ;-)

> and does my patch that i applied disables it or you are talking about current
> state of pld package (where the patch is applied)?
>

I gave you a means to verify that RSA for your existing Th pubkey isn’t broken
(as you have been claiming). Every installed package has had the header
signature verified.

The patch I gave you disables verification as a workaround until I can find a
reproducer for whatever the issue is and “fix”.

73 de Jeff

> --
> glen
>
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en@lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en