rpm --nosignature reversed meaning

Tomasz Pala gotar at polanet.pl
Sat Sep 10 12:53:25 CEST 2016


On Sat, Sep 10, 2016 at 11:41:46 +0300, Elan Ruusamäe wrote:

>>> Since we got the answer for this issue - th-admin, please publish separate GPG files.
>> Are we announcing PLD being dead? The current DSA+RSA GPG key is unusable
>> for rpm, the one from FTP is being packaged, so it's also unusable.
>> Nobody cares?
> 
> and are you really expecting th-admin to pick up a task in the middle of a huge 
> thread? you should have asked th-admin at pld-linux.org (or at least 
> cc:).

Indeed, forgot to do so.

> i don't bother understanding what this topic is about -- packages 
> install for me.

RPM doesn't support subkeys, but we do not provide a separate DSA key. Easy to test:

1. disable using keyserver: %_hkp_keyserver %{nil}
2. import joined key we do provide:
rpm --import /etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc
3. try to verify any PLD package.

> but, i could upload the files if you make concrete request with details 
> what needs to be done,

The GPG key that is being used for package signing needs to be published (the
public part, of course). Note the singular 'key', NOT plural 'keyS'. One
per file, if there are multiple keys used. Currently
ftp://ftp.pld-linux.org/dists/3.0/PLD-3.0-Th-GPG-key.asc provides two
(however I haven't seen any package signed by the RSA one, AFAIR).

> and do that in a separate mailing thread (new thread), or even better 
> open a new ticket at bugs.pld-linux.org

I already did my job. If nobody notices or cares about this, well, we might
safely assume that PLD is dead.


There was also a second part of this thread, the one that concludes with
'PLD-provided rpm is broken'. If somebody messed with the rpm signature
verification bits in PLD, he REALLY SHOULD read this thread. Otherwise
we might as well assume that PLD is dead (since nobody cares about the
most crucial part of the infrastructure).

Moreover, I don't see any reason to break this thread into a separate one
- the subject is appropriate from the very beginning, and this (in the
rpm part at least, not the th-admin request) is not some middle point of
the discussion, but the END OF THREAD. Everything that was to be discussed is
settled now; the only thing left to do is finding the patch that breaks
our rpm and reverting it. Since nobody playing with rpm did this, my
GUESS is that:

rpm-5.4.9-support-signatures-and-digest-disablers.patch

is not enough/complete. And I've just found this (some 'triple negation' issues), as recently noted in
http://rpm5.org/community/rpm-devel/5655.html

Jeff, this seems to BE the case - verification is reverted only for
--query mode; --verify mode works as expected.

We might simply test this:

https://patchwork.openembedded.org/patch/126825/raw/

-- 
Tomasz Pala <gotar at pld-linux.org>
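
The three-step test in the post (disable the keyserver, import the joined key, verify a package) needs rpm and the PLD key file on hand. The script below is an added example, not code from this thread, from PLD or from rpm: it inspects the layout of an ASCII-armoured key file offline, so one can see before running rpm --import whether the file carries one primary key per armoured block (the "one per file" form requested from th-admin) or a primary key with subkeys (the DSA+RSA layout the post says this rpm cannot use). It walks only the OpenPGP packet framing of RFC 4880 (sections 4.2 and 5.5.2) and reads the algorithm byte of each key packet; MPIs and signatures are not checked. The key material embedded in it is constructed dummy bytes, labelled as such, and is not the PLD key.

```python
"""Report how many primary keys and subkeys an ASCII-armoured OpenPGP key file
carries.  Added example for the thread above; not PLD, rpm or gpg code.  Only
RFC 4880 packet framing is parsed and MPIs are ignored: layout, not validity."""
import base64

TAG_PUBLIC_KEY, TAG_PUBLIC_SUBKEY = 6, 14                              # RFC 4880 s.4.3
ALGO = {1: "RSA", 16: "ElGamal", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}  # RFC 4880 s.9.1

def dearmor(text):
    """Decoded body of every 'BEGIN PGP ...' block in text, in file order."""
    blocks, body, state = [], [], None            # state: None | "headers" | "body"
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            body, state = [], "headers"
        elif line.startswith("-----END PGP"):
            blocks.append(base64.b64decode("".join(body)))
            state = None
        elif state == "headers" and line.strip() == "":   # blank line ends armour headers
            state = "body"
        elif state == "body" and not line.startswith("="):  # "=" starts the CRC24 line
            body.append(line.strip())
    return blocks

def packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    pos = 0
    while pos < len(data):
        hdr = data[pos]
        if not hdr & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        if hdr & 0x40:                                    # new-format header
            tag, l1 = hdr & 0x3F, data[pos + 1]
            if l1 < 192:
                length, pos = l1, pos + 2
            elif l1 < 224:
                length, pos = ((l1 - 192) << 8) + data[pos + 2] + 192, pos + 3
            elif l1 == 255:
                length, pos = int.from_bytes(data[pos + 2:pos + 6], "big"), pos + 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                             # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:                                # indeterminate: rest of data
                length, pos = len(data) - pos - 1, pos + 1
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos + 1:pos + 1 + size], "big")
                pos += 1 + size
        yield tag, data[pos:pos + length]
        pos += length

def key_algorithm(body):
    """Algorithm of a (sub)key packet: byte 7 in v3 keys, byte 5 in v4/v5 keys."""
    algo = body[7] if body[0] == 3 else body[5]
    return ALGO.get(algo, "algo-%d" % algo)

def summarize(text):
    """Per armoured block: algorithms of its primary key(s) and of its subkeys."""
    result = []
    for block in dearmor(text):
        entry = {"primary": [], "subkeys": []}
        for tag, body in packets(block):
            if tag == TAG_PUBLIC_KEY:
                entry["primary"].append(key_algorithm(body))
            elif tag == TAG_PUBLIC_SUBKEY:
                entry["subkeys"].append(key_algorithm(body))
        result.append(entry)
    return result

def one_key_per_block(text):
    """True if every block holds one primary key and no subkeys (the layout the post asks for)."""
    return all(len(e["primary"]) == 1 and not e["subkeys"] for e in summarize(text))

# --- constructed dummy key material: NOT real keys and NOT the PLD key --------
def _key_packet(tag, algo, new_format):
    # v4 key body: version, 4-byte creation time, algorithm id, one 8-bit dummy MPI
    body = b"\x04" + (1473508405).to_bytes(4, "big") + bytes([algo]) + b"\x00\x08\xab"
    if new_format:
        return bytes([0xC0 | tag, len(body)]) + body
    return bytes([0x80 | (tag << 2), len(body)]) + body        # old format, 1-byte length

def _armor(body):
    crc = 0xB704CE                                    # CRC24, RFC 4880 section 6.1
    for byte in body:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    crc_line = "=" + base64.b64encode((crc & 0xFFFFFF).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Version: example", "",
                      base64.b64encode(body).decode(), crc_line,
                      "-----END PGP PUBLIC KEY BLOCK-----", ""])

JOINED_KEY = _armor(_key_packet(6, 17, True) + _key_packet(14, 1, True))  # DSA + RSA subkey
SEPARATE_KEYS = _armor(_key_packet(6, 17, False)) + _armor(_key_packet(6, 1, False))

if __name__ == "__main__":
    for name, text in (("joined", JOINED_KEY), ("separate", SEPARATE_KEYS)):
        print(name, summarize(text), "one key per block:", one_key_per_block(text))
```

To check a real file, read it and pass the text to summarize(), e.g. summarize(open("/etc/pki/rpm-gpg/PLD-3.0-Th-GPG-key.asc").read()). A single block reporting {'primary': ['DSA'], 'subkeys': ['RSA']} is the joined key the post complains about; separate blocks, each with one primary key and an empty subkeys list, is the form being requested. Whether the PLD rpm actually rejects a key with subkeys is what the three rpm steps above test; this script only reports what is in the file.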


More information about the pld-devel-en mailing list