[Rpm-maint] next question: can rpm fail (instead of warn) on a bad signature?

seth vidal skvidal at linux.duke.edu
Fri Dec 15 13:54:53 UTC 2006


On Fri, 2006-12-15 at 09:56 +0000, Paul Nasrat wrote:
> On Fri, 2006-12-15 at 09:48 +0000, Paul Nasrat wrote:
> > On Fri, 2006-12-15 at 01:45 -0800, Shandy Brown wrote:
> > > > NOT OK will only occur if the file is corrupted - if it is an intact rpm
> > > > but unsigned it still has a header digest and a header+payload digest to
> > > > verify it's untampered with.  Thus rpm -K tells you this is the rpm
> > > > built and intact and the payload and headers are consistent with the
> > > > digests.
> > > 
> > > Is there some other method to detect that an rpm file is not signed?
> > > 
> > > Other than installing it and checking with rpm -qi.
> > 
> > You can do it programmatically, with --queryformat or use something like
> > yum with gpgcheck=1.
> 
> The traditional queryformat string used is:
> 
> rpm --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|' \
>  -qp foo.rpm 
> 
> If that returns (none) then it's unsigned.
> 
> Using rpmUtils module from yum:
> 
> import rpmUtils
> import rpmUtils.miscutils
> import rpmUtils.transaction   # TransactionWrapper lives here; not pulled in by the imports above
> t = rpmUtils.transaction.TransactionWrapper()
> h = rpmUtils.miscutils.hdrFromPackage(t, "sylpheed-claws-2.5.6-1.fc6.x86_64.rpm")
> rpmUtils.miscutils.getSigInfo(h)   # returns (error, message); error != 0 for unsigned/untrusted/bad
> 
> For pure rpm-python look at how getSigInfo works 

rpmUtils.miscutils.checkSig()

that could relatively easily be used to do what it seems wants to be
done.

-sv
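As an added example (not rpm's or yum's own code, and not from this thread), the same "is there a signature at all" check can be made without rpm-python by parsing the package's signature header directly: it reports "signed" if any of DSAHEADER, RSAHEADER, SIGGPG or SIGPGP is present (the four tags the queryformat string above tests), "unsigned" if only the digests are there, and "corrupt" if the header structure is not intact. The tag numbers are the ones from rpm's rpmtag.h; the sample headers, digests and the "signature" blob are constructed placeholders, and this checks presence only, so verifying the signature and digests is still rpm -K's job.

```python
"""Classify an .rpm by its signature header: signed / unsigned / corrupt.
Added example, not rpm's or yum's own code.  Presence check only; it does
not verify signatures or digests."""
import struct
import sys

LEAD_MAGIC = b"\xed\xab\xee\xdb"
LEAD_SIZE = 96                          # fixed-size lead precedes the signature header
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header magic + structure version 1

# Tag numbers as in rpm's rpmtag.h
RPMSIGTAG_SIZE = 1000
RPMSIGTAG_PGP = 1002        # SIGPGP: RSA signature over header+payload
RPMSIGTAG_MD5 = 1004        # SIGMD5: digest over header+payload
RPMSIGTAG_GPG = 1005        # SIGGPG: DSA signature over header+payload
RPMTAG_DSAHEADER = 267      # DSA signature over the header
RPMTAG_RSAHEADER = 268      # RSA signature over the header
RPMTAG_SHA1HEADER = 269     # SHA1 digest over the header (hex string)
SIGNATURE_TAGS = {RPMTAG_DSAHEADER, RPMTAG_RSAHEADER, RPMSIGTAG_GPG, RPMSIGTAG_PGP}

RPM_INT32_TYPE, RPM_STRING_TYPE, RPM_BIN_TYPE = 4, 6, 7


def build_header(entries):
    """Assemble a header blob from (tag, type, encoded_data, count) tuples.
    Used here only to construct the sample signature headers below."""
    index, store = b"", b""
    for tag, typ, data, count in entries:
        if typ == RPM_INT32_TYPE:             # int32 data is 4-byte aligned in the store
            store += b"\0" * (-len(store) % 4)
        index += struct.pack(">iiii", tag, typ, len(store), count)
        store += data
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">ii", len(entries), len(store)) + index + store


def parse_header(blob, offset=0):
    """Parse one rpm header at offset -> ({tag: (type, data)}, end_offset).
    Raises ValueError when the structure is not intact."""
    if blob[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic")
    nindex, hsize = struct.unpack(">ii", blob[offset + 8:offset + 16])
    if nindex < 0 or hsize < 0:
        raise ValueError("negative index count or store size")
    idx_start = offset + 16
    store_start = idx_start + 16 * nindex
    store_end = store_start + hsize
    if store_end > len(blob):
        raise ValueError("header truncated")
    store = blob[store_start:store_end]
    tags = {}
    for i in range(nindex):
        entry = blob[idx_start + 16 * i:idx_start + 16 * (i + 1)]
        tag, typ, off, count = struct.unpack(">iiii", entry)
        if typ == RPM_INT32_TYPE:
            size = 4 * count
        elif typ == RPM_BIN_TYPE:
            size = count
        elif typ == RPM_STRING_TYPE:
            size = store.index(b"\0", off) - off + 1   # ValueError if unterminated
        else:
            raise ValueError("unsupported entry type %d" % typ)
        if off < 0 or off + size > hsize:
            raise ValueError("entry for tag %d points outside the store" % tag)
        tags[tag] = (typ, store[off:off + size])
    return tags, store_end


def classify_signature_header(blob):
    """'signed', 'unsigned' or 'corrupt' for a signature header blob."""
    try:
        tags, _ = parse_header(blob)
    except ValueError:
        return "corrupt"
    return "signed" if tags.keys() & SIGNATURE_TAGS else "unsigned"


def classify_rpm_bytes(data):
    """Same check for the start of a whole .rpm: lead, then signature header."""
    if len(data) < LEAD_SIZE or data[:4] != LEAD_MAGIC:
        return "corrupt"
    return classify_signature_header(data[LEAD_SIZE:])


def classify_rpm_file(path):
    """Read only the lead and the signature header of an on-disk package."""
    with open(path, "rb") as f:
        head = f.read(LEAD_SIZE + 16)
        if len(head) < LEAD_SIZE + 16 or head[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
            return "corrupt"
        nindex, hsize = struct.unpack(">ii", head[LEAD_SIZE + 8:LEAD_SIZE + 16])
        if nindex < 0 or hsize < 0:
            return "corrupt"
        return classify_rpm_bytes(head + f.read(16 * nindex + hsize))


# Constructed sample data: placeholder digests and a placeholder signature
# blob, not real digests or a real OpenPGP packet.
FAKE_MD5 = bytes(range(16))
FAKE_SHA1 = b"0123456789abcdef0123456789abcdef01234567\0"
FAKE_RSA_SIG = b"PLACEHOLDER-NOT-A-REAL-SIGNATURE"
DIGEST_ENTRIES = [
    (RPMTAG_SHA1HEADER, RPM_STRING_TYPE, FAKE_SHA1, 1),
    (RPMSIGTAG_SIZE, RPM_INT32_TYPE, struct.pack(">i", 123456), 1),
    (RPMSIGTAG_MD5, RPM_BIN_TYPE, FAKE_MD5, len(FAKE_MD5)),
]
# intact but unsigned: digests only, which is why rpm -K still reports OK for it
UNSIGNED_SIGHDR = build_header(DIGEST_ENTRIES)
# signed: the same digests plus an RSAHEADER entry
SIGNED_SIGHDR = build_header(
    [(RPMTAG_RSAHEADER, RPM_BIN_TYPE, FAKE_RSA_SIG, len(FAKE_RSA_SIG))] + DIGEST_ENTRIES)

if __name__ == "__main__":
    # Fail (exit 1) instead of warning when any package given is unsigned or not intact.
    results = {p: classify_rpm_file(p) for p in sys.argv[1:]}
    for path, status in results.items():
        print("%s: %s" % (path, status))
    sys.exit(0 if all(s == "signed" for s in results.values()) else 1)
```

Run as a script over .rpm paths it exits non-zero for anything not carrying a signature, which is the "fail instead of warn" behaviour asked for in the subject line; note that it stops at the signature header and never reads the main header or payload, so it is cheap even on large packages.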
