rpm -Va BAD, key ID

Jeffrey Johnson n3npq at me.com
Fri Feb 13 16:06:36 CET 2015


> On Feb 13, 2015, at 3:17 AM, Elan Ruusamäe <glen at pld-linux.org> wrote:
> 
> On 12.02.2015 19:55, Jeffrey Johnson wrote:
>> OK. So you have a workaround (by disabling header signature verification) for -Va for the moment.
>> and also have an alternative means to verify header signatures using a shell loop.
> i'm surprised that rpm -Va and rpm -V $pkgname use different codepath. so you're saying that (with my current package patch) header verification is disabled for both? (as no header verification errors are printed).
> 

They (rpm -Va and rpm -V) don’t use different code paths: there is hidden state associated
with pubkey retrieval to minimize network/rpmdb access.

Yes the patch disables header signature verification for both rpm -V and rpm -Va.

>> You should also convince yourself that header signatures are verified when installing a package:
>> 
>> 	rpm -Uvv somepackage*.rpm
> but rpm -Uhv $pkg.rpm does not emit header errors. or the extra -v is needed to see them?

The extra -v is needed to see the 3 lines I gave you, --nosignatures/--nodigests disables
verification. You know this ;-)

> and does my patch that i applied disable it or you are talking about current state of pld package (where the patch is applied)?
> 

I gave you a means to verify that RSA for your existing Th pubkey isn’t broken (as
you have been claiming).

Every installed package has had the header signature verified. The patch I gave you
disables verification as a workaround until I can find a reproducer for whatever the
issue is and “fix”.

73 de Jeff
> -- 
> glen
> 