Force RPM to check GPG key

George Machitidze giomac at gmail.com
Wed Apr 18 07:35:32 UTC 2012


You are right, package is not signed with key, but -K says it's fine. RHEL
5 x86_64, up2date, no modifications. Strange...

Best regards,
George Machitidze


On Tue, Apr 17, 2012 at 7:32 PM, Greg Swift <gregswift at gmail.com> wrote:

> JJ pointed out that this makes it appear that the package doesn't
> actually have a signature.  I'm not sure why the -K would say it was
> okay instead of saying there wasn't one, but *shrug*
>
> On Tue, Apr 17, 2012 at 09:41, George Machitidze <giomac at gmail.com> wrote:
> > [root at proxy SPECS]# rpm -qip /root/automake-1.11.1-0.test.noarch.rpm |grep Sign
> > Signature   : (none)
> > [root at proxy SPECS]# rpm -K /root/automake-1.11.1-0.test.noarch.rpm
> > /root/automake-1.11.1-0.test.noarch.rpm: sha1 md5 OK
> >
> > Best regards,
> > George Machitidze
> >
> >
> >
> > On Tue, Apr 17, 2012 at 6:38 PM, George Machitidze <giomac at gmail.com> wrote:
> >>
> >> Even more... -K/--checksig is not checking key at all and it doesn't work
> >> with -i or -U.
> >>
> >> Best regards,
> >> George Machitidze
> >>
> >>
> >>
> >> On Tue, Apr 17, 2012 at 6:05 PM, George Machitidze <giomac at gmail.com>
> >> wrote:
> >>>
> >>> Thanks Greg!
> >>>
> >>> I've added a macro file in /etc/rpm and rpm has taken values for vsflags,
> >>> but still, it has no effect on installation or upgrades or anything, tried
> >>> 0x00000 and 0xf0000.
> >>>
> >>> Found definitions in here:
> >>>
> >>> http://rpm5.org/community/rpm-users/0463.html
> >>>
> >>> [root at srv rpm]# rpm --showrc|grep -i vs
> >>> -14: __vsflags  0xf0000
> >>> -14: _vsflags_build     %{__vsflags}
> >>> -14: _vsflags_erase     0x00000
> >>> -14: _vsflags_install   0x00000
> >>> -14: _vsflags_query     %{__vsflags}
> >>> -14: _vsflags_rebuilddb %{__vsflags}
> >>> -14: _vsflags_up2date   %{__vsflags}
> >>> -14: _vsflags_verify    %{__vsflags}
> >>>
> >>> No luck :|
> >>>
> >>> Best regards,
> >>> George Machitidze
> >>>
> >>>
> >>>
> >>> On Tue, Apr 17, 2012 at 5:38 PM, Greg Swift <gregswift at gmail.com> wrote:
> >>>>
> >>>> I figured that would be the case.
> >>>>
> >>>> JJ just told me that --checksig only gets run separate from --install,
> >>>> which seemed kinda silly to me until he pointed out that this is
> >>>> because rpm is configured by default to check headers+payload against
> >>>> signature if possible.
> >>>>
> >>>> So by default it is supposedly doing this already, it is just an 'if
> >>>> possible' scenario.  So if you don't have a key to verify against it
> >>>> just moves forward, would be my understanding.
> >>>>
> >>>> I did look in `rpm --showrc` for any value that might seem to force
> >>>> this but was unable to locate one (I didn't look at each value, just
> >>>> tried several greps).  JJ suggested I dig through /usr/lib/rpm/macros
> >>>> and in there I found vsflags.   The default value is 0xf0000 which
> >>>> means if set, check header+payload (if possible).  If you look in this
> >>>> file you can see the options and if you have a better config you can
> >>>> set it in a macro file over in /etc/rpm.  Would have been nice if the
> >>>> variable name was a bit more descriptive for the sake of grep but such
> >>>> is life I guess.
> >>>>
> >>>> -greg
> >>>>
> >>>> On Tue, Apr 17, 2012 at 08:14, George Machitidze <giomac at gmail.com>
> >>>> wrote:
> >>>> > Thanks
> >>>> >
> >>>> > I need to have this option by default without adding a command line
> >>>> > option to rpm. yum is checking for GPG key by default in case gpgcheck
> >>>> > is not set to 0.
> >>>> > Maybe it's possible through rpmrc, but I couldn't find an option for that.
> >>>> >
> >>>> > Best regards,
> >>>> > George Machitidze
> >>>> >
> >>>> >
> >>>> > On Tue, Apr 17, 2012 at 5:09 PM, Greg Swift <gregswift at gmail.com>
> >>>> > wrote:
> >>>> >>
> >>>> >> On Tue, Apr 17, 2012 at 07:43, George Machitidze <giomac at gmail.com> wrote:
> >>>> >> > Hi
> >>>> >> >
> >>>> >> > I want to force rpm during the package update or install to check
> >>>> >> > if the RPM package is signed (public key is imported).
> >>>> >> > Is there a safe way to do this?
> >>>> >>
> >>>> >> So you can add -K|--checksig to your installation command if using
> >>>> >> rpm directly (i.e.: rpm -ivhK package.rpm)
> >>>> >>
> >>>> >> I don't know how one would force that as a system wide configuration
> >>>> >> option. Setting it as an alias doesn't seem to work because of other
> >>>> >> non install related commands not liking their options after the -K.
> >>>> >>
> >>>> >> With yum you can set a repository to gpgcheck=1 which will force it
> >>>> >> unless manually disabled.
> >>>> >> _______________________________________________
> >>>> >> Rpm-list mailing list
> >>>> >> Rpm-list at lists.rpm.org
> >>>> >> http://lists.rpm.org/mailman/listinfo/rpm-list
> >>>> >
> >>>> >
> >>>> >
> >>>> >
> >>>
> >>>
> >>
> >
> >
> >
>
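An added helper, not from this thread nor part of rpm, for the gap the thread runs into: `rpm -K` prints `sha1 md5 OK` for an unsigned package because only the digests are checked, so an install gate has to look at the verbose `rpm -Kv` output for an actual signature line. The sample outputs below are constructed in the shape rpm -Kv prints (key ID and digest values are placeholders); the install wrapper assumes `rpm` is on PATH.

```shell
#!/bin/sh
# Classify `rpm -Kv FILE` output. Plain rpm -K prints "sha1 md5 OK" for an
# unsigned package because only digests are checked; -Kv shows whether any
# signature line exists. Prints one of: signed, nokey, bad, unsigned.
classify_checksig() {
    out="$1"
    if printf '%s\n' "$out" | grep -qi 'signature.*BAD'; then
        echo bad; return 0      # signature present but verification failed
    fi
    if printf '%s\n' "$out" | grep -qi 'signature.*NOKEY'; then
        echo nokey; return 0    # signed, but key not imported into rpmdb
    fi
    if printf '%s\n' "$out" | grep -qi 'signature.*: OK'; then
        echo signed; return 0   # verified against an imported key
    fi
    echo unsigned               # only digest lines: no signature at all
}

# Install gate (hypothetical helper, not an rpm feature): run rpm's own
# verification and refuse anything not "signed". Assumes rpm is on PATH.
rpm_install_signed_only() {
    for pkg in "$@"; do
        status=$(classify_checksig "$(rpm -Kv "$pkg" 2>&1)")
        if [ "$status" != signed ]; then
            echo "refusing $pkg: signature status is '$status'" >&2
            return 1
        fi
    done
    rpm -Uvh "$@"
}

# Constructed sample outputs in the shape rpm -Kv prints, for offline checks
# (key ID and digests are placeholders).
SAMPLE_UNSIGNED='/root/automake-1.11.1-0.test.noarch.rpm:
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    MD5 digest: OK (00000000000000000000000000000000)'
SAMPLE_NOKEY='/tmp/example.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    V3 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    MD5 digest: OK (00000000000000000000000000000000)'
SAMPLE_SIGNED='/tmp/example.rpm:
    Header V3 RSA/SHA256 Signature, key ID 0123abcd: OK
    V3 RSA/SHA256 Signature, key ID 0123abcd: OK
    MD5 digest: OK (00000000000000000000000000000000)'

# Stand-alone use: pass package files to gate a real install.
[ $# -eq 0 ] || rpm_install_signed_only "$@"
```

A `nokey` result is the case the thread describes as rpm "just moving forward": the package is signed, but the key is not imported, so the gate refuses it instead of proceeding.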