Force RPM to check GPG key

George Machitidze giomac at gmail.com
Tue Apr 17 14:38:17 UTC 2012


Even more... -K/--checksig is not checking the key at all, and it doesn't work
with -i or -U.

Best regards,
George Machitidze


On Tue, Apr 17, 2012 at 6:05 PM, George Machitidze <giomac at gmail.com> wrote:

> Thanks Greg!
>
> I've added a macro file in /etc/rpm and rpm has taken the values for vsflags,
> but still, it has no effect on installation or upgrades or anything; tried
> 0x00000 and 0xf0000.
>
> Found definitions in here:
>
> http://rpm5.org/community/rpm-users/0463.html
>
> [root at srv rpm]# rpm --showrc|grep -i vs
> -14: __vsflags  0xf0000
> -14: _vsflags_build     %{__vsflags}
> -14: _vsflags_erase     0x00000
> -14: _vsflags_install   0x00000
> -14: _vsflags_query     %{__vsflags}
> -14: _vsflags_rebuilddb %{__vsflags}
> -14: _vsflags_up2date   %{__vsflags}
> -14: _vsflags_verify    %{__vsflags}
>
> No luck :|
>
> Best regards,
> George Machitidze
>
>
>
> On Tue, Apr 17, 2012 at 5:38 PM, Greg Swift <gregswift at gmail.com> wrote:
>
>> I figured that would be the case.
>>
>> JJ just told me that --checksig only gets run separate from --install,
>> which seemed kinda silly to me until he pointed out that this is
>> because rpm is configured by default to check headers+payload against
>> signature if possible.
>>
>> So by default it is supposedly doing this already, it is just an 'if
>> possible' scenario.  So if you don't have a key to verify against it
>> just moves forward, would be my understanding.
>>
>> I did look in `rpm --showrc` for any value that might seem to force
>> this but was unable to locate one (I didn't look at each value, just
>> tried several greps).  JJ suggested I dig through /usr/lib/rpm/macros
>> and in there I found vsflags.   The default value is 0xf0000 which
>> means if set, check header+payload (if possible).  If you look in this
>> file you can see the options and if you have a better config you can
>> set it in a macro file over in /etc/rpm.  Would have been nice if the
>> variable name was a bit more descriptive for the sake of grep but such
>> is life I guess.
>>
>> -greg
>>
>> On Tue, Apr 17, 2012 at 08:14, George Machitidze <giomac at gmail.com> wrote:
>> > Thanks
>> >
>> > I need to have this option by default without adding a command line
>> > option to rpm. yum is checking for the GPG key by default in case
>> > gpgcheck is not set to 0.
>> > Maybe it's possible through rpmrc, but I couldn't find an option for that.
>> >
>> > Best regards,
>> > George Machitidze
>> >
>> >
>> > On Tue, Apr 17, 2012 at 5:09 PM, Greg Swift <gregswift at gmail.com> wrote:
>> >>
>> >> On Tue, Apr 17, 2012 at 07:43, George Machitidze <giomac at gmail.com> wrote:
>> >> > Hi
>> >> >
>> >> > I want to force rpm during the package update or install to check if
>> >> > the RPM package is signed (public key is imported).
>> >> > Is there a safe way to do this?
>> >>
>> >> So you can add -K|--checksig to your installation command if using rpm
>> >> directly (i.e. rpm -ivhK package.rpm)
>> >>
>> >> I don't know how one would force that as a system-wide configuration
>> >> option. Setting it as an alias doesn't seem to work because other,
>> >> non-install-related commands don't like their options after the -K.
>> >>
>> >> With yum you can set a repository to gpgcheck=1 which will force it
>> >> unless manually disabled.
>> >> _______________________________________________
>> >> Rpm-list mailing list
>> >> Rpm-list at lists.rpm.org
>> >> http://lists.rpm.org/mailman/listinfo/rpm-list
>>
>
>
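The thread's conclusion is that `rpm -i`/`rpm -U` will proceed when the signing key is not imported (NOKEY) or when the package carries no signature at all, and that `-K` cannot be combined with an install. The shell wrapper below is an added example, not code from the thread or from the rpm project: it runs `rpm -Kv` first, parses the report, and only hands the package to `rpm -U` if every signature and digest line reads OK, at least one "Signature, key ID ...: OK" line is present, and the key ID is on an allowlist. The key IDs in `TRUSTED_KEY_IDS` and the four sample reports are constructed for illustration; the report layout mimics what `rpm -Kv` prints (the exact wording differs a little between rpm versions, so check the regular expressions against your own rpm's output).

```shell
#!/bin/sh
# Added example (not part of rpm or of this thread): gate `rpm -U` on a
# successful, trusted signature check, because rpm itself only warns on NOKEY
# and installs unsigned packages without complaint.

# Hypothetical allowlist of signing key IDs, lowercase, as printed by `rpm -Kv`.
# Constructed values; replace with the IDs of the keys you actually imported.
TRUSTED_KEY_IDS="${TRUSTED_KEY_IDS:-fd431d51 0608b895}"

# check_sig_report REPORT
#   REPORT is the text printed by `rpm -Kv package.rpm`.
#   Returns 0 when the package is signed by a trusted key and everything is OK,
#   1 when any signature/digest line is not OK (NOKEY, BAD, NOTFOUND, ...),
#   2 when there is no pgp signature line at all (unsigned package),
#   3 when the signature is OK but the key ID is not in TRUSTED_KEY_IDS.
check_sig_report() {
    report=$1
    # Every "Signature" or "digest" line must end in ": OK" (digest lines may
    # append the hash in parentheses). Anything else, e.g. ": NOKEY", fails.
    if printf '%s\n' "$report" | grep -Ei 'signature|digest' \
            | grep -Ev ': OK( \(|$)' | grep -q .; then
        return 1
    fi
    # Collect the key IDs from lines like
    #   "V3 RSA/SHA256 Signature, key ID fd431d51: OK"
    sig_ids=$(printf '%s\n' "$report" \
        | sed -n 's/.*Signature, key ID \([0-9a-fA-F]*\): OK.*/\1/p')
    [ -n "$sig_ids" ] || return 2
    # Every signature must come from an allowlisted key.
    for id in $sig_ids; do
        lid=$(printf '%s' "$id" | tr 'A-Z' 'a-z')
        case " $TRUSTED_KEY_IDS " in
            *" $lid "*) ;;
            *) return 3 ;;
        esac
    done
    return 0
}

# rpm_install_verified PKG [extra rpm options...]
#   Runs the policy check on `rpm -Kv PKG`, then the real upgrade/install.
#   `rpm -K` exits non-zero on NOKEY/BAD; we ignore that and judge the text.
rpm_install_verified() {
    pkg=$1; shift
    report=$(rpm -Kv "$pkg" 2>&1) || true
    rc=0
    check_sig_report "$report" || rc=$?
    if [ "$rc" -ne 0 ]; then
        printf 'refusing to install %s (signature policy failed, code %d):\n%s\n' \
            "$pkg" "$rc" "$report" >&2
        return "$rc"
    fi
    rpm -Uvh "$@" "$pkg"
}

# Constructed sample reports in the shape `rpm -Kv` prints, for offline testing.
SAMPLE_OK='foo-1.0-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: OK
    Header SHA1 digest: OK (3b1e0c4d9a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d)
    V3 RSA/SHA256 Signature, key ID fd431d51: OK
    MD5 digest: OK (0123456789abcdef0123456789abcdef)'

SAMPLE_NOKEY='foo-1.0-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    Header SHA1 digest: OK (3b1e0c4d9a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d)
    V3 RSA/SHA256 Signature, key ID fd431d51: NOKEY
    MD5 digest: OK (0123456789abcdef0123456789abcdef)'

SAMPLE_UNSIGNED='foo-1.0-1.x86_64.rpm:
    Header SHA1 digest: OK (3b1e0c4d9a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d)
    MD5 digest: OK (0123456789abcdef0123456789abcdef)'

SAMPLE_UNTRUSTED='foo-1.0-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID deadbeef: OK
    Header SHA1 digest: OK (3b1e0c4d9a7f6e5d4c3b2a1f0e9d8c7b6a5f4e3d)
    V3 RSA/SHA256 Signature, key ID deadbeef: OK
    MD5 digest: OK (0123456789abcdef0123456789abcdef)'

# Usage: . ./rpm-verified.sh && rpm_install_verified /tmp/foo-1.0-1.x86_64.rpm
```

Two design points: the allowlist matters because a NOKEY check alone is satisfied by any key someone managed to `rpm --import`, and the unsigned case (return 2) is the one `rpm -K` itself reports as "OK" since the digests match, which is exactly the gap the thread is complaining about. The wrapper does not cover `yum`; there `gpgcheck=1` per repository is the equivalent control, as mentioned above.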