rpm --nosignature reversed meaning

Tomasz Pala gotar at polanet.pl
Tue Aug 30 11:17:01 CEST 2016


On Tue, Aug 30, 2016 at 03:24:02 -0400, Jeffrey Johnson wrote:

>> ~: strace -erecvfrom rpm --nosignature -qp keepassx-2.0.2-2.x86_64.rpm
>> recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
>> recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
>> keepassx-2.0.2-2.x86_64
>> +++ exited with 0 +++
> 
> The 2 line snippet looks like a pubkey lookup: undefine %_hkp_keyserver to disable the lookup

Thanks, that did the trick - it interferes with my network-restricted
environment. I need all the verification to happen locally, and preferably
FAIL BADLY when not possible (i.e. no networked key-server available and no GPG pubkey imported).

Is there any macro/option that prevents me from installing any unsigned/unverified package?
Warning is not enough, I want to be totally sure the verification was done and succeeded.

> Use -vv to see signature verification (which is likely disabled w/ --nosignature).
> 
> AFAIK, PLD has also reenabled the --nosignature in "system.h", the
> code will be removed in rpm-5.4.18 (and rpm-5.4.17 was distributed with MANDATORY signatures).
> 
> I will send that patch to PLD if you choose to continue supporting a --nosignature option.

Apparently no one here uses this...

http://ftp.th.pld-linux.org/dists/th/PLD-3.0-Th-GPG-key.asc

~: rpm -qp --nosignature  keepassx-2.0.2-2.x86_64.rpm	(reversed meaning in query mode bug)
error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
error: reading keepassx-2.0.2-2.x86_64.rpm manifest, non-printable characters found

~: rpm -K keepassx-2.0.2-2.x86_64.rpm             
keepassx-2.0.2-2.x86_64.rpm: (SHA1) DSA sha1 md5 NOT_OK

~: rpm -qa gpg-pubkey\*
gpg-pubkey-e4f1bc2d-47b351f0

~: diff PLD-3.0-Th-GPG-key.asc /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc 

(BTW this key is not automatically imported to rpm database).

-- 
Tomasz Pala <gotar at pld-linux.org>