Re: rpm --nosignature reversed meaning

Tue, 30 Aug 2016 03:57:31 -0700 

> On Aug 30, 2016, at 6:44 AM, Tomasz Pala <go...@polanet.pl> wrote:
> 
> On Tue, Aug 30, 2016 at 06:30:24 -0400, Jeffrey Johnson wrote:
> 
>>> But I believe the PLD-Th-GPG issue was discussed in spring 2015 on 
>>> pld-devel.
>> 
>> This was the issue I was remembering:
>> 
>>      http://pld-devel-en.pld-linux.narkive.com/ZssnN7t4/rpm-va-bad-key-id
>> 
>> That specific issue was resolved by disabling
>> signature verification during ???verify, largely
>> to avoid reimporting PLD-Th-GPG which was
>> ???unacceptable???.
> [...]
>> Meanwhile, many RSA issues were repaired between
>> rpm-5.4.14 and rpm-5.4.15.
>> 
>> So issues with RSA are ???expected???.
> 
> The same problem, but completely wrong diagnosis.
> 
> ~: rpm --import PLD-3.0-Th-GPG-keyRSA.asc
> ~: rpm --import PLD-3.0-Th-GPG-keyDSA.asc 
> ~: rpm -q gpg-pubkey
> gpg-pubkey-e4f1bc2d-47b351f0
> gpg-pubkey-eae6f8b8-47b35206
> 
> That should be done when importing PLD-3.0-Th-GPG-key.asc - two distinct
> keys, DSA and RSA. As you see I split them manually and now it verifies
> correctly, so rpm simply can't handle properly multi-key import.
> 

Yep: RPM has never handled subkeys nor concatenated armored pubkeys.

So
        Don’t do that!
(i.e. use separate imports for each pubkey instead) should suffice.

(aside)
Traditionally RPM truncated a pubkey to only a single packet, but
now imports the entire set of packets which — if malformed —
will lead to some surprises.

Note that there are many malformed/misused pubkeys even on sky key servers:
its not clear how to filter blobs appropriately. WYSIWYG is as good as random
pruning. Diagnosis is far more difficult with actively filtered packets as well.

> Please stop guessing about my guessings, just do the commands.
> 

Um, I’m not sure how an import into rpm-5.4.18 on El Capitan (what I have at 
hand)
has any relevance to a PLD issue. I don’t normally run PLD here.

73 de Jeff
> -- 
> Tomasz Pala <go...@pld-linux.org>
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en@lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en

_______________________________________________
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en

Reply via email to