On Tue, Aug 30, 2016 at 03:24:02 -0400, Jeffrey Johnson wrote:

>> ~: strace -erecvfrom rpm --nosignature -qp keepassx-2.0.2-2.x86_64.rpm
>> recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 
>> 2048, 0, {sa_family=AF_INET, sin_port=htons(53), 
>> sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
>> recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 
>> 65536, 0, {sa_family=AF_INET, sin_port=htons(53), 
>> sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
>> keepassx-2.0.2-2.x86_64
>> +++ exited with 0 +++
> 
> The 2 line snippet looks like a pubkey lookup: undefine %_hkp_keyserver to 
> disable the lookup

Thanks, that did the trick - it interferes with my network-restricted
environment. I need all the verification to happen locally, and preferably
FAIL BADLY when not possible (i.e. no networked key-server available and no GPG 
pubkey imported).

Is there any macro/option that prevents me from installing any 
unsigned/unverified package?
Warning is not enough, I want to be totally sure the verification was done and 
succeeded.

> Use -vv to see signature verification (which is likely disabled w 
> --nosignature).
> 
> AFAIK, PLD has also reenabled the --nosignature in "system.h" - the
> code will be removed in rpm-5.4.18 (and rpm-5.4.17 was distributed with 
> MANDATORY signatures).
> 
> I will send that patch to PLD if you choose to continue supporting a 
> --nosignature option.

Apparently no one here uses this...

http://ftp.th.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc

~: rpm -qp --nosignature  keepassx-2.0.2-2.x86_64.rpm   (reversed meaning in 
query mode bug)
error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID 
e4f1bc2d
error: reading keepassx-2.0.2-2.x86_64.rpm manifest, non-printable characters 
found

~: rpm -K keepassx-2.0.2-2.x86_64.rpm             
keepassx-2.0.2-2.x86_64.rpm: (SHA1) DSA sha1 md5 NOT_OK

~: rpm -qa gpg-pubkey\*
gpg-pubkey-e4f1bc2d-47b351f0

~: diff PLD-3.0-Th-GPG-key.asc /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc 

(BTW this key is not automatically imported to rpm database).

-- 
Tomasz Pala <go...@pld-linux.org>