rpm --nosignature reversed meaning

Jeffrey Johnson n3npq at me.com
Tue Aug 30 12:56:11 CEST 2016

> On Aug 30, 2016, at 6:44 AM, Tomasz Pala <gotar at polanet.pl> wrote:
> On Tue, Aug 30, 2016 at 06:30:24 -0400, Jeffrey Johnson wrote:
>>> But I believe the PLD-Th-GPG issue was discussed in spring 2015 on pld-devel.
>> This was the issue I was remembering:
>> 	http://pld-devel-en.pld-linux.narkive.com/ZssnN7t4/rpm-va-bad-key-id
>> That specific issue was resolved by disabling
>> signature verification during ???verify, largely
>> to avoid reimporting PLD-Th-GPG which was
>> ???unacceptable???.
> [...]
>> Meanwhile, many RSA issues were repaired between
>> rpm-5.4.14 and rpm-5.4.15.
>> So issues with RSA are ???expected???.
> The same problem, but completely wrong diagnosis.
> ~: rpm --import PLD-3.0-Th-GPG-keyRSA.asc
> ~: rpm --import PLD-3.0-Th-GPG-keyDSA.asc 
> ~: rpm -q gpg-pubkey
> gpg-pubkey-e4f1bc2d-47b351f0
> gpg-pubkey-eae6f8b8-47b35206
> That should be done when importing PLD-3.0-Th-GPG-key.asc - two distinct
> keys, DSA and RSA. As you see I split them manually and now it verifies
> correctly, so rpm simply can't handle properly multi-key import.

Yep: RPM has never handled subkeys nor concatenated armored pubkeys.

	Don’t do that!
(i.e. use separate imports for each pubkey instead) should suffice.

Traditionally RPM truncated a pubkey to only a single packet, but
now imports the entire set of packets which — if malformed —
will lead to some surprises.

Note that there are many malformed/misused pubkeys even on sky key servers:
its not clear how to filter blobs appropriately. WYSIWYG is as good as random
pruning. Diagnosis is far more difficult with actively filtered packets as well.

> Please stop guessing about my guessings, just do the commands.

Um, I’m not sure how an import into rpm-5.4.18 on El Capitan (what I have at hand)
has any relevance to a PLD issue. I don’t normally run PLD here.

73 de Jeff
> -- 
> Tomasz Pala <gotar at pld-linux.org>
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en at lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en

More information about the pld-devel-en mailing list