rpm --nosignature reversed meaning
Tomasz Pala
gotar at polanet.pl
Tue Aug 30 11:38:07 CEST 2016
On Tue, Aug 30, 2016 at 11:17:01 +0200, Tomasz Pala wrote:
>> The 2 line snippet looks like a pubkey lookup: undefine %_hkp_keyserver to disable the lookup
>
> Thanks, that did the trick - it interferes with my network-restricted
> environment. I need all the verification to happen locally, and preferably
> FAIL BADLY when not possible (i.e. no networked key-server available and no GPG pubkey imported).
>
> Is there any macro/option that prevents me from installing any unsigned/unverified package?
> Warning is not enough, I want to be totally sure the verification was done and succeeded.

OK, we have a problem here... After disabling %_hkp_keyserver it works
as expected (BUT reversed!):

~: rpm -ivh --test --nosignature keepassx-2.0.2-2.x86_64.rpm
error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d
error: reading keepassx-2.0.2-2.x86_64.rpm manifest, non-printable characters found

~: rpm -ivh --test keepassx-2.0.2-2.x86_64.rpm
Preparing... ########################################### [100%]
error: Install/Erase problems:
package keepassx-2.0.2-2.x86_64 is already installed

The question is: why didn't this work like this before importing the GPG key?

~: rpm -qpvv --nosignature keepassx-2.0.2-2.x86_64.rpm
[...]
D: pool u: created size 288 limit -1 flags 0
D: PUB: AF3F93BC E4F1BC2D V4 DSA
D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
D: UID: DSApub (PLD Linux Distribution 3.0 (Th)) <th-admin at pld-linux.org>
D: ========== DSA pubkey id af3f93bc e4f1bc2d (keyserver)
D: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: OK, key ID e4f1bc2d

How is that possible? Using keyserver - OK, using imported key - BAD:

D: PUB: AF3F93BC E4F1BC2D V4 DSA
D: SIG: AF3F93BC E4F1BC2D V4 DSA-SHA1 POSITIVE
D: PUB: 732FDFDE EAE6F8B8 V4 RSA
D: SIG: 732FDFDE EAE6F8B8 V4 RSA-SHA1 POSITIVE
D: UID: RSApub (PLD Linux Distribution 3.0 (Th)) <th-admin at pld-linux.org>
D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#968[0])
error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d

Am I simply wrong, or is it the same DSA key signature with different results?

--
Tomasz Pala <gotar at pld-linux.org>
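
Added example, not part of the original message and not rpm's or PLD's own tooling: a fail-closed check over `rpm -qpvv` debug output that passes only when a signature was actually verified, every result is OK, and no public key was fetched from a keyserver. The function name `sig_verdict` and the verdict strings are hypothetical, the line formats are assumed to match the transcripts in the message, and the third sample is constructed.

```shell
#!/bin/sh
# Added example: fail-closed gate over `rpm -qpvv` debug output. The line
# formats are the ones in the transcripts above; other rpm builds may differ.

# sig_verdict: read debug output on stdin, print one verdict, return 0 only
# if a signature was checked, all results were OK, and no key came from a
# keyserver.
sig_verdict() {
    awk '
        / pubkey id / && $NF == "(keyserver)" { remote = 1 }
        / signature: / {
            # the word after "signature:" is the result ("OK," or "BAD,")
            res = ""
            for (i = 1; i < NF; i++) if ($i == "signature:") res = $(i + 1)
            sub(/,$/, "", res)
            if (res == "OK") ok++; else bad++
        }
        END {
            if (bad)    { print "FAIL-bad-signature";      exit 1 }
            if (!ok)    { print "FAIL-nothing-verified";   exit 1 }
            if (remote) { print "FAIL-key-from-keyserver"; exit 1 }
            print "PASS"
        }'
}

# Lines copied from the two runs in the message.
KEYSERVER_RUN='D: ========== DSA pubkey id af3f93bc e4f1bc2d (keyserver)
D: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: OK, key ID e4f1bc2d'
IMPORTED_RUN='D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#968[0])
error: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: BAD, key ID e4f1bc2d'
# Constructed for illustration: an imported key that verifies.
CONSTRUCTED_OK='D: ========== DSA pubkey id af3f93bc e4f1bc2d (h#968[0])
D: keepassx-2.0.2-2.x86_64.rpm: Header V4 DSA signature: OK, key ID e4f1bc2d'

# Print the verdict for each sample, plus empty input (nothing verified).
for run in "$KEYSERVER_RUN" "$IMPORTED_RUN" "$CONSTRUCTED_OK" ''; do
    printf '%s\n' "$run" | sig_verdict || :
done
```
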
More information about the pld-devel-en mailing list