rpm --nosignature reversed meaning

Jeffrey Johnson n3npq at me.com
Tue Aug 30 09:24:02 CEST 2016


> On Aug 29, 2016, at 6:53 PM, Tomasz Pala <gotar at polanet.pl> wrote:
> 
> Should this work this way? Is it upstream bug or PLD-specific? How about RH-rpm?
> 

I need more info if you think it's an RPM bug.

The implementations in RH-rpm and RPM5 are significantly different.
For starters, RPM5 abandoned header+payload signatures, which
started to be phased out in RHEL3 more than a decade ago.

RPM5 also verifies self-certification signatures on pubkeys, permits
ECDSA, and more, that RH-rpm does not attempt.

> 
> ~: strace -erecvfrom rpm -qp keepassx-2.0.2-2.x86_64.rpm
> keepassx-2.0.2-2.x86_64
> +++ exited with 0 +++
> 
> 
> ~: strace -erecvfrom rpm --nosignature -qp keepassx-2.0.2-2.x86_64.rpm
> recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
> recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
> keepassx-2.0.2-2.x86_64
> +++ exited with 0 +++
> 


The 2-line snippet looks like a pubkey lookup: undefine %_hkp_keyserver to disable the lookup

Use -vv to see signature verification (which is likely disabled w/ --nosignature).

AFAIK, PLD has also reenabled the --nosignature in "system.h" … the
code will be removed in rpm-5.4.18 (and rpm-5.4.17 was distributed with MANDATORY signatures).

I will send that patch to PLD if you choose to continue supporting a --nosignature option.

hth

73 de Jeff
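The strace output quoted above shows a DNS exchange on port 53 with a keyserver pool while a package is merely being queried. As an added example (not code from this thread, from RPM or from PLD), the following Python script parses `strace -erecvfrom` output of that shape, decodes strace's C-escaped payload, and reports the name carried in any port-53 traffic, so one can check whether a package inspection reached the network before deciding whether %_hkp_keyserver needs undefining. It assumes strace's default formatting (decimal fd, octal escapes, `...` after a truncated buffer) and IPv4 peers; the sample lines are constructed, modelled on the quoted ones.

```python
"""Flag network reads made by a process (e.g. rpm --nosignature -qp pkg.rpm run
under strace -erecvfrom) and decode the name inside any DNS packet.

Added example for this thread, not RPM or PLD code. Assumes strace's default
output format and that the interesting traffic is IPv4/UDP port 53.
"""
import re
import sys
from typing import Optional, Tuple

# Constructed sample modelled on the two recvfrom() lines quoted in the thread,
# plus one non-DNS read, so the script runs offline. Not a real capture.
SAMPLE_TRACE = r'''recvfrom(12, "\25\24\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 2048, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 124
recvfrom(12, "\"\27\201\200\0\1\0\5\0\0\0\0\2ha\4pool\16sks-keyserv"..., 65536, 0, {sa_family=AF_INET, sin_port=htons(53), sin_addr=inet_addr("8.8.4.4")}, [16]) = 184
recvfrom(5, "HTTP/1.1 200 OK\r\n"..., 4096, 0, {sa_family=AF_INET, sin_port=htons(80), sin_addr=inet_addr("192.0.2.10")}, [16]) = 300
'''

RECVFROM_RE = re.compile(
    r'recvfrom\((\d+), "((?:[^"\\]|\\.)*)"(\.\.\.)?, \d+, \d+, '
    r'\{sa_family=AF_INET, sin_port=htons\((\d+)\), sin_addr=inet_addr\("([\d.]+)"\)\}'
)

_SIMPLE_ESCAPES = {'n': 10, 'r': 13, 't': 9, 'a': 7, 'b': 8, 'f': 12, 'v': 11}


def unescape_strace(s: str) -> bytes:
    """Turn strace's C-escaped string (octal \\201, hex \\x41, \\n and the like) into bytes."""
    out = bytearray()
    i = 0
    while i < len(s):
        if s[i] != '\\':
            out.append(ord(s[i]))
            i += 1
            continue
        i += 1
        c = s[i]
        if c in '01234567':                # up to three octal digits
            j = i
            while j < len(s) and j - i < 3 and s[j] in '01234567':
                j += 1
            out.append(int(s[i:j], 8))
            i = j
        elif c == 'x':                     # two hex digits (strace -xx style)
            out.append(int(s[i + 1:i + 3], 16))
            i += 3
        else:                              # \" \\ \n and friends
            out.append(_SIMPLE_ESCAPES.get(c, ord(c)))
            i += 1
    return bytes(out)


def dns_question_name(payload: bytes) -> Tuple[Optional[str], bool]:
    """Decode the QNAME that follows the 12-byte DNS header.

    Returns (name, truncated). strace prints only the start of the buffer, so a
    label that runs past the captured bytes yields truncated=True.
    """
    if len(payload) < 12:
        return None, True
    labels = []
    pos = 12
    while pos < len(payload):
        length = payload[pos]
        pos += 1
        if length == 0 or length & 0xC0:   # end of name, or a compression pointer
            return ('.'.join(labels) or None), False
        label = payload[pos:pos + length]
        labels.append(label.decode('ascii', 'replace'))
        if len(label) < length:
            return '.'.join(labels), True
        pos += length
    return ('.'.join(labels) or None), True


def analyze_trace(text: str) -> list:
    """One record per recvfrom() line: peer address, plus the DNS name on port 53."""
    findings = []
    for line in text.splitlines():
        m = RECVFROM_RE.search(line)
        if not m:
            continue
        fd, escaped, cut, port, addr = m.groups()
        payload = unescape_strace(escaped)
        rec = {'fd': int(fd), 'peer': f'{addr}:{port}', 'dns_name': None,
               'dns_response': None, 'truncated': bool(cut)}
        if int(port) == 53 and len(payload) >= 12:
            name, name_cut = dns_question_name(payload)
            rec['dns_name'] = name
            rec['dns_response'] = bool(payload[2] & 0x80)  # QR bit of the flags
            rec['truncated'] = rec['truncated'] or name_cut
        findings.append(rec)
    return findings


if __name__ == '__main__':
    # Usage: strace -f -erecvfrom -o trace.log rpm --nosignature -qp pkg.rpm
    #        python3 this_script.py trace.log   (no argument: built-in sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_TRACE
    for r in analyze_trace(data):
        kind = f"DNS {'answer' if r['dns_response'] else 'query'} for {r['dns_name']}" \
            if r['dns_name'] else 'non-DNS read'
        print(f"fd {r['fd']} from {r['peer']}: {kind}{' (truncated)' if r['truncated'] else ''}")
```

Because strace only prints the first bytes of each buffer, the decoder reports the keyserver name only as far as it was captured and marks it truncated rather than guessing the rest; run strace with `-s 256` (or larger) to see the full name. Any port-53 record appearing during a plain `rpm -qp` is the signal that a keyserver lookup is configured.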

