rpm --nosignature reversed meaning

Jeffrey Johnson n3npq at me.com
Sun Sep 11 05:22:39 CEST 2016

> On Sep 10, 2016, at 2:32 PM, Tomasz Pala <gotar at polanet.pl> wrote:
> On Sat, Sep 10, 2016 at 09:46:17 -0400, Jeffrey Johnson wrote:
>>>> is not enough/complete. And I've just found this (some 'triple negation' issues), as recently noted in
>>>> http://rpm5.org/community/rpm-devel/5655.html
>>>> Jeff, this seems to BE the case - verification is reverted only for
>>>> --query mode, --verify mode works as expected.
> [...]
>> What was the fix?
>> AFAIK, the problem was concatenating both an armored RSA and a DSA pubkey in the same file.
>> Separate files (or separate "rpm ???import 0x?????? by keyid using hkp://) are ???fixes???.
> The patch from the rpm-devel maillist above fixed --nosignature working
> the opposite way as expected, i.e. veryfying signature with
> --nosignature option given and NOT veryfying it by default in --query
> mode. And it does not break proper behaviour in --verify mode.

Thanks for the pointer.

Yes, the behavior is (likely, not personally verified, just from memory) reversed.

I’f still claim that reversing the sense of the tests isn’t the right patch: the
root cause is a change in the default setting of the bit(s) that control
signature checking.

The better patch (headed toward elimination of —no signature disablers)
is to wrap the tests on the —query path with


and then rip out the —nosignature option entirely.

Feel free to patch rpm to do whatever you wish when I rip out —nosignature/—nodigest
disablers. KISS determinism (if that can be applied to *.rpm signature verification) is
far easier to maintain/support.

73 de Jeff

> -- 
> Tomasz Pala <gotar at pld-linux.org>
> _______________________________________________
> pld-devel-en mailing list
> pld-devel-en at lists.pld-linux.org
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en

More information about the pld-devel-en mailing list