Force RPM to check GPG key

George Machitidze giomac at gmail.com
Tue Apr 17 14:05:15 UTC 2012


Thanks Greg!

I've added a macro file in /etc/rpm and rpm has taken the values for vsflags,
but it still has no effect on installation or upgrades or anything; I tried
0x00000 and 0xf0000.

Found the definitions here:

http://rpm5.org/community/rpm-users/0463.html

[root at srv rpm]# rpm --showrc|grep -i vs
-14: __vsflags  0xf0000
-14: _vsflags_build     %{__vsflags}
-14: _vsflags_erase     0x00000
-14: _vsflags_install   0x00000
-14: _vsflags_query     %{__vsflags}
-14: _vsflags_rebuilddb %{__vsflags}
-14: _vsflags_up2date   %{__vsflags}
-14: _vsflags_verify    %{__vsflags}

No luck :|

Best regards,
George Machitidze


On Tue, Apr 17, 2012 at 5:38 PM, Greg Swift <gregswift at gmail.com> wrote:

> I figured that would be the case.
>
> JJ just told me that --checksig only gets run separately from --install,
> which seemed kinda silly to me until he pointed out that this is
> because rpm is configured by default to check headers+payload against
> the signature if possible.
>
> So by default it is supposedly doing this already, it is just an 'if
> possible' scenario.  So if you don't have a key to verify against it
> just moves forward, would be my understanding.
>
> I did look in `rpm --showrc` for any value that might seem to force
> this but was unable to locate one (I didn't look at each value, just
> tried several greps).  JJ suggested I dig through /usr/lib/rpm/macros
> and in there I found vsflags.   The default value is 0xf0000 which
> means if set, check header+payload (if possible).  If you look in this
> file you can see the options and if you have a better config you can
> set it in a macro file over in /etc/rpm.  Would have been nice if the
> variable name was a bit more descriptive for the sake of grep but such
> is life I guess.
>
> -greg
>
> On Tue, Apr 17, 2012 at 08:14, George Machitidze <giomac at gmail.com> wrote:
> > Thanks
> >
> > I need to have this option by default without adding a command-line option
> > to rpm. yum is checking for the GPG key by default in case gpgcheck is not
> > set to 0.
> > Maybe it's possible through rpmrc, but I couldn't find an option for that.
> >
> > Best regards,
> > George Machitidze
> >
> >
> > On Tue, Apr 17, 2012 at 5:09 PM, Greg Swift <gregswift at gmail.com> wrote:
> >>
> >> On Tue, Apr 17, 2012 at 07:43, George Machitidze <giomac at gmail.com> wrote:
> >> > Hi
> >> >
> >> > I want to force rpm during the package update or install to check if the
> >> > RPM package is signed (public key is imported).
> >> > Is there a safe way to do this?
> >>
> >> So you can add -K|--checksig to your installation command if using rpm
> >> directly (i.e. rpm -ivhK package.rpm)
> >>
> >> I don't know how one would force that as a system wide configuration
> >> option. Setting it as an alias doesn't seem to work because of other
> >> non install related commands not liking their options after the -K.
> >>
> >> With yum you can set a repository to gpgcheck=1 which will force it
> >> unless manually disabled.
> >> _______________________________________________
> >> Rpm-list mailing list
> >> Rpm-list at lists.rpm.org
> >> http://lists.rpm.org/mailman/listinfo/rpm-list
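The gap the thread is circling is that `rpm -i` goes ahead when the signing key is not imported, and that a completely unsigned package passes `rpm -K` because only its digests get checked. The wrapper below is an added example, not code from this thread or from the rpm project: it runs `rpm -Kv`, classifies the verbose output, and only calls `rpm -ivh` when every signature line verified. The layout of the `rpm -Kv` lines it parses ("Header V4 RSA/SHA256 Signature, key ID ...: OK/NOKEY/BAD", plus digest lines) is assumed from rpm 4.8-era output, the key ID 0123abcd is a placeholder, and the three embedded samples are constructed so the classifier can be exercised without a real package.

```shell
#!/bin/sh
# Added example (not from the rpm-list thread or the rpm project): refuse to
# run "rpm -i" unless "rpm -Kv" reports a verified signature. A missing key
# (NOKEY) and an unsigned package (digest lines only) are both refused.

# classify_checksig: read "rpm -Kv" output on stdin and print one word:
#   signed-ok    every signature line ended in ": OK"
#   missing-key  a signature line ended in ": NOKEY" (public key not imported)
#   bad          a signature or digest line ended in ": BAD"
#   unsigned     no signature lines at all (digest lines only, or no output)
# Assumed line layout (rpm 4.8-era verbose output, placeholder key ID):
#   "    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK"
classify_checksig() {
    ok=0; nokey=0; bad=0
    while IFS= read -r line; do
        case "$line" in
            *Signature*": NOKEY") nokey=1 ;;
            *Signature*": BAD")   bad=1 ;;
            *Signature*": OK")    ok=1 ;;
            *digest*": BAD")      bad=1 ;;   # tampered header or payload
        esac
    done
    if   [ "$bad"   -eq 1 ]; then echo bad
    elif [ "$nokey" -eq 1 ]; then echo missing-key
    elif [ "$ok"    -eq 1 ]; then echo signed-ok
    else                          echo unsigned
    fi
}

# verify_and_install PKG: install only when the verdict is signed-ok.
# Returns rpm's own status on install, 2 when the install is refused.
# If rpm itself is missing, its error text carries no signature line and
# the package is refused as "unsigned", which is the safe direction.
verify_and_install() {
    pkg=$1
    verdict=$(rpm -Kv "$pkg" 2>&1 | classify_checksig)
    case "$verdict" in
        signed-ok) rpm -ivh "$pkg" ;;
        *) echo "refusing to install $pkg: signature check = $verdict" >&2
           return 2 ;;
    esac
}

# Constructed samples of "rpm -Kv" output, one per verdict, for a dry run.
SAMPLE_SIGNED='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK'
SAMPLE_NOKEY='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    MD5 digest: OK'
SAMPLE_UNSIGNED='pkg.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'

# classify_sample NAME: run the classifier over one embedded sample.
classify_sample() {
    case "$1" in
        signed)   printf '%s\n' "$SAMPLE_SIGNED"   | classify_checksig ;;
        nokey)    printf '%s\n' "$SAMPLE_NOKEY"    | classify_checksig ;;
        unsigned) printf '%s\n' "$SAMPLE_UNSIGNED" | classify_checksig ;;
    esac
}

if [ "$#" -gt 0 ]; then
    verify_and_install "$1"        # real run: ./checked-install.sh pkg.rpm
else
    for s in signed nokey unsigned; do
        echo "$s -> $(classify_sample "$s")"
    done
fi
```

Run with a package path to do the checked install; with no argument it only classifies the embedded samples (signed -> signed-ok, nokey -> missing-key, unsigned -> unsigned). Note that this is a wrapper around `rpm`, not the system-wide macro setting the thread is asking for; it does, however, catch the unsigned case that `rpm -K` alone reports as OK.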