Force RPM to check GPG key

Greg Swift gregswift at gmail.com
Tue Apr 17 15:32:31 UTC 2012


JJ pointed out that this makes it appear that the package doesn't
actually have a signature.  I'm not sure why the -K would say it was
okay instead of saying there wasn't one, but *shrug*

On Tue, Apr 17, 2012 at 09:41, George Machitidze <giomac at gmail.com> wrote:
> [root at proxy SPECS]# rpm -qip /root/automake-1.11.1-0.test.noarch.rpm |grep Sign
> Signature   : (none)
> [root at proxy SPECS]# rpm -K /root/automake-1.11.1-0.test.noarch.rpm
> /root/automake-1.11.1-0.test.noarch.rpm: sha1 md5 OK
>
> Best regards,
> George Machitidze
>
>
>
> On Tue, Apr 17, 2012 at 6:38 PM, George Machitidze <giomac at gmail.com> wrote:
>>
>> Even more... -K/--checksig is not checking key at all and it doesn't work
>> with -i or -U.
>>
>> Best regards,
>> George Machitidze
>>
>>
>>
>> On Tue, Apr 17, 2012 at 6:05 PM, George Machitidze <giomac at gmail.com>
>> wrote:
>>>
>>> Thanks Greg!
>>>
>>> I've added macro file in /etc/rpm and rpm has taken values for vsflags,
>>> but still, it has no effect on installation or upgrades or anything, tried
>>> 0x00000 and 0xf0000.
>>>
>>> Found definitions in here:
>>>
>>> http://rpm5.org/community/rpm-users/0463.html
>>>
>>> [root at srv rpm]# rpm --showrc|grep -i vs
>>> -14: __vsflags  0xf0000
>>> -14: _vsflags_build     %{__vsflags}
>>> -14: _vsflags_erase     0x00000
>>> -14: _vsflags_install   0x00000
>>> -14: _vsflags_query     %{__vsflags}
>>> -14: _vsflags_rebuilddb %{__vsflags}
>>> -14: _vsflags_up2date   %{__vsflags}
>>> -14: _vsflags_verify    %{__vsflags}
>>>
>>> No luck :|
>>>
>>> Best regards,
>>> George Machitidze
>>>
>>>
>>>
>>> On Tue, Apr 17, 2012 at 5:38 PM, Greg Swift <gregswift at gmail.com> wrote:
>>>>
>>>> I figured that would be the case.
>>>>
>>>> JJ just told me that --checksig only gets run separate from --install,
>>>> which seemed kinda silly to me until he pointed out that this is
>>>> because rpm is configured by default to check headers+payload against
>>>> signature if possible.
>>>>
>>>> So by default it is supposedly doing this already, it is just an 'if
>>>> possible' scenario.  So if you don't have a key to verify against it
>>>> just moves forward, would be my understanding.
>>>>
>>>> I did look in `rpm --showrc` for any value that might seem to force
>>>> this but was unable to locate one (I didn't look at each value, just
>>>> tried several greps).  JJ suggested I dig through /usr/lib/rpm/macros
>>>> and in there I found vsflags.   The default value is 0xf0000 which
>>>> means if set, check header+payload (if possible).  If you look in this
>>>> file you can see the options and if you have a better config you can
>>>> set it in a macro file over in /etc/rpm.  Would have been nice if the
>>>> variable name was a bit more descriptive for the sake of grep but such
>>>> is life I guess.
>>>>
>>>> -greg
>>>>
>>>> On Tue, Apr 17, 2012 at 08:14, George Machitidze <giomac at gmail.com>
>>>> wrote:
>>>> > Thanks
>>>> >
>>>> > I need to have this option by default without adding a command line
>>>> > option to rpm. yum is checking for GPG key by default in case gpgcheck
>>>> > is not set to 0.
>>>> > Maybe it's possible through rpmrc, but I couldn't find an option for
>>>> > that.
>>>> >
>>>> > Best regards,
>>>> > George Machitidze
>>>> >
>>>> >
>>>> > On Tue, Apr 17, 2012 at 5:09 PM, Greg Swift <gregswift at gmail.com>
>>>> > wrote:
>>>> >>
>>>> >> On Tue, Apr 17, 2012 at 07:43, George Machitidze <giomac at gmail.com>
>>>> >> wrote:
>>>> >> > Hi
>>>> >> >
>>>> >> > I want to force rpm during the package update or install to check
>>>> >> > if the RPM package is signed (public key is imported).
>>>> >> > Is there a safe way to do this?
>>>> >>
>>>> >> So you can add -K|--checksig to your installation command if using
>>>> >> rpm directly (i.e.: rpm -ivhK package.rpm)
>>>> >>
>>>> >> I don't know how one would force that as a system wide configuration
>>>> >> option. Setting it as an alias doesn't seem to work because of other
>>>> >> non install related commands not liking their options after the -K.
>>>> >>
>>>> >> With yum you can set a repository to gpgcheck=1 which will force it
>>>> >> unless manually disabled.
>>>> >> _______________________________________________
>>>> >> Rpm-list mailing list
>>>> >> Rpm-list at lists.rpm.org
>>>> >> http://lists.rpm.org/mailman/listinfo/rpm-list
>>>> >
>>>> >
>>>> >
>>>> >
>>>
>>>
>>
>
>
>
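The thread leaves the practical problem open: `rpm -K` prints "sha1 md5 OK" and exits 0 for a package that has no signature at all, so a successful `-K` on its own does not prove the package was signed by a trusted key. As an added example (not code from this thread or from the rpm project), the wrapper below first asks rpm whether any signature tag is present (`SIGPGP`, `SIGGPG`, `RSAHEADER`, `DSAHEADER` are real rpm query tags that print "(none)" when absent), and only then relies on the exit status of `rpm -K` to confirm the signature verifies against an imported key. The sample query-output lines used to exercise the parser are constructed; the key ID in them is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the rpm-list thread or the rpm project.
# Refuse to install an RPM unless it (a) carries an OpenPGP signature and
# (b) `rpm -K` verifies that signature against an imported key. Needed because
# `rpm -K` alone reports "sha1 md5 OK" and exits 0 for an unsigned package.

# Query tags holding a package's signature; rpm prints "(none)" for each
# absent one. Fields are joined with '|' so one line describes one package.
SIG_QUERY_FORMAT='%{SIGPGP:pgpsig}|%{SIGGPG:pgpsig}|%{RSAHEADER:pgpsig}|%{DSAHEADER:pgpsig}\n'

# sig_fields_present LINE
# Pure parser for one line produced by $SIG_QUERY_FORMAT.
# Returns 0 if at least one field is something other than "(none)", else 1.
sig_fields_present() {
  printf '%s\n' "$1" | tr '|' '\n' | grep -v '^$' | grep -qvx '(none)'
}

# verify_rpm FILE
#   0 = signed and the signature verifies against an imported key
#   1 = package carries no signature at all
#   2 = signature present but `rpm -K` failed (bad signature or key not imported),
#       or the file could not be read as an RPM
verify_rpm() {
  pkg=$1
  sigs=$(rpm -qp --qf "$SIG_QUERY_FORMAT" "$pkg" 2>/dev/null) || return 2
  sig_fields_present "$sigs" || return 1
  rpm -K "$pkg" >/dev/null 2>&1 || return 2
  return 0
}

# install_signed FILE: upgrade/install only when verify_rpm returns 0.
install_signed() {
  rc=0
  verify_rpm "$1" || rc=$?
  case $rc in
    0) rpm -Uvh "$1" ;;
    1) echo "refusing $1: package is not signed" >&2; return 1 ;;
    *) echo "refusing $1: signature did not verify (bad signature or key not imported)" >&2; return 1 ;;
  esac
}

# Run directly with a package path to verify and install it.
if [ -n "${1:-}" ]; then
  install_signed "$1"
fi
```

Pointing `rpm -qip` at the unsigned package from the thread would yield `(none)|(none)|(none)|(none)`, which `sig_fields_present` rejects before `rpm -K` is ever consulted; a signed package fills at least one field with the signature's algorithm, date and key ID, and the `rpm -K` exit status then decides whether the key is trusted.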

