[Rpm-maint] [rpm-software-management/rpm] Cannot import a GPG key with signatures (#1306)

Demi Marie Obenour notifications at github.com
Sat Dec 26 17:52:15 UTC 2020


> > > > > Yes, this is a known - or not so well known - limitation. As the signature check is basically done by hand, it lacks a lot of features one would expect of GPG proper.
> > > > 
> > > > 
> > > > Can we (as an option) use a third-party library, such as [rpgp](/rpgp/rpgp)?
> > > 
> > > 
> > > Rust is not acceptable due to its weak portability.
> > 
> > 
> > Writing a full PGP packet parser in C is too risky, IMO. GPG itself had a buffer overflow not too long ago. We can always detect at compile-time if the Rust library is available, and fall back to the built-in parser if it is not.
> 
> The issue is that RPM has to work on _everything_. RPM is used on Linux, Windows (!!!), OS/2 (!!!!!), AIX, IRIX, macOS, and so on. Several of these platforms cannot use Rust or will never get Rust ports.

I had not thought of that. Does LLVM support all of those platforms? If so, a `#[no_std]` build of rpgp (that is, one that doesn’t use the standard library) should work on them.

> > That said, there are C libraries that we can use instead, such as the one used by Thunderbird.
> 
> I think good C libraries for GPG would actually be really helpful, since we could use it throughout the RPM package management stack then. Relying on GnuPG causes major issues, especially in containers and offline provisioning cases.

We still need to be able to call an external GnuPG program for signing, since I doubt any of the libraries will get smartcard support.

https://github.com/rpm-software-management/rpm/issues/1306#issuecomment-751379645
