[Rpm-maint] [rpm-software-management/rpm] Cannot import a GPG key with signatures (#1306)

Demi Marie Obenour notifications at github.com
Sat Dec 26 18:58:22 UTC 2020


> > > > > > > Yes, this is a known - or not so well known - limitation. As the signature check is basically done by hand, it lacks a lot of features one would expect of GPG proper.
> > > > > > 
> > > > > > 
> > > > > > Can we (as an option) use a third-party library, such as [rpgp](/rpgp/rpgp)?
> > > > > 
> > > > > 
> > > > > Rust is not acceptable due to its weak portability.
> > > > 
> > > > 
> > > > Writing a full PGP packet parser in C is too risky, IMO. GPG itself had a buffer overflow not too long ago. We can always detect at compile-time if the Rust library is available, and fall back to the built-in parser if it is not.
> > > 
> > > 
> > > The issue is that RPM has to work on _everything_. RPM is used on Linux, Windows (!!!), OS/2 (!!!!!), AIX, IRIX, macOS, and so on. Several of these platforms cannot use Rust or will never get Rust ports.
> > 
> > 
> > I had not thought of that. Does LLVM support all of those platforms? If so, a `#[no_std]` build of rpgp (that is, one that doesn’t use the standard library) should work on them.
> 
> It does not. Most of them will likely never receive an LLVM port, because they're not considered important enough to receive it, and GCC already exists. This is one of the unfortunate downsides to Rust being an underspecified language that cannot support multiple conforming implementations.

At the very least, we can use a Rust library on the platforms that support it (most of the important ones) and use our built-in implementation on the others.  We should also consider dropping IRIX and probably OS/2 support, as both have been discontinued.

> > > > That said, there are C libraries that we can use instead, such as the one used by Thunderbird.
> > > 
> > > 
> > > I think good C libraries for GPG would actually be really helpful, since we could use it throughout the RPM package management stack then. Relying on GnuPG causes major issues, especially in containers and offline provisioning cases.
> > 
> > 
> > We still need to be able to call an external GnuPG program for signing, since I doubt any of the libraries will get smartcard support.
> 
> Ugh, I always forget about smartcards...

Fortunately, signing is the least worrisome part of this.  It operates on trusted data and doesn’t involve parsing.
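The thread's concern is that a hand-written OpenPGP packet parser in C is where the memory-safety risk lives, because every packet header carries an attacker-controlled length. The following is an added example, written for this page and not code from rpm, rpgp or any other project, of the minimal defensive discipline such a parser needs: it decodes RFC 4880 old- and new-format packet headers, checks every length against the bytes actually present before touching them, and rejects the indeterminate and partial-body length forms outright. The `sample_key` and `sample_truncated` byte arrays are constructed for the example and contain placeholder packet bodies, not real key material.

```c
/* Defensive OpenPGP (RFC 4880 section 4.2) packet-header walker.
 * Added example, not rpm's or rpgp's code; sample blobs are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct pgp_pkt {
    int tag;          /* packet tag, 0..63 */
    size_t hdr_len;   /* bytes consumed by the header */
    size_t body_len;  /* declared body length that follows the header */
};

/* Parse one packet header at buf[0..len). Returns 0 on success, -1 on a
 * malformed header or when the declared body would overrun the buffer. */
int pgp_parse_header(const uint8_t *buf, size_t len, struct pgp_pkt *out)
{
    size_t hdr, body;
    uint8_t t;

    if (len < 2) return -1;               /* need tag byte plus one length byte */
    t = buf[0];
    if (!(t & 0x80)) return -1;           /* bit 7 must always be set */

    if (t & 0x40) {                       /* new-format header */
        uint8_t b0 = buf[1];
        out->tag = t & 0x3f;
        if (b0 < 192) {                   /* 1-octet length */
            hdr = 2; body = b0;
        } else if (b0 < 224) {            /* 2-octet length */
            if (len < 3) return -1;
            hdr = 3; body = ((size_t)(b0 - 192) << 8) + buf[2] + 192;
        } else if (b0 == 255) {           /* 5-octet length */
            if (len < 6) return -1;
            hdr = 6;
            body = ((size_t)buf[2] << 24) | ((size_t)buf[3] << 16) |
                   ((size_t)buf[4] << 8) | buf[5];
        } else {
            return -1;                    /* partial body length: refuse in key material */
        }
    } else {                              /* old-format header */
        out->tag = (t >> 2) & 0x0f;
        switch (t & 3) {
        case 0: hdr = 2; body = buf[1]; break;
        case 1: if (len < 3) return -1;
                hdr = 3; body = ((size_t)buf[1] << 8) | buf[2]; break;
        case 2: if (len < 5) return -1;
                hdr = 5; body = ((size_t)buf[1] << 24) | ((size_t)buf[2] << 16) |
                                ((size_t)buf[3] << 8) | buf[4]; break;
        default: return -1;               /* indeterminate length: refuse */
        }
    }
    /* len >= hdr holds here; the subtraction cannot wrap. */
    if (body > len - hdr) return -1;      /* body overruns buffer: never read past end */
    out->hdr_len = hdr;
    out->body_len = body;
    return 0;
}

/* Walk a packet sequence, recording each tag. Returns the packet count,
 * or -1 if any header is malformed, truncated, or there are too many packets. */
int pgp_walk(const uint8_t *buf, size_t len, int *tags, size_t max_tags)
{
    size_t off = 0, n = 0;
    while (off < len) {
        struct pgp_pkt p;
        if (pgp_parse_header(buf + off, len - off, &p) != 0) return -1;
        if (n >= max_tags) return -1;
        tags[n++] = p.tag;
        off += p.hdr_len + p.body_len;   /* bounded by the overrun check above */
    }
    return (int)n;
}

/* Constructed sample shaped like an exported public key: public-key (6),
 * user ID (13), signature (2). Bodies are placeholders, not real key data. */
static const uint8_t sample_key[] = {
    0x98, 0x04, 0x04, 0x00, 0x00, 0x00,         /* old format, tag 6, 1-octet length 4 */
    0xb4, 0x04, 't', 'e', 's', 't',             /* old format, tag 13, body "test" */
    0xc2, 0xff, 0x00, 0x00, 0x00, 0x01, 0x04,   /* new format, tag 2, 5-octet length 1 */
};
static const size_t sample_key_len = sizeof sample_key;

/* Same prefix, but the user ID packet claims 4 body bytes and only 2 follow. */
static const uint8_t sample_truncated[] = {
    0x98, 0x04, 0x04, 0x00, 0x00, 0x00,
    0xb4, 0x04, 't', 'e',
};
static const size_t sample_truncated_len = sizeof sample_truncated;

int main(void)
{
    int tags[8];
    int n = pgp_walk(sample_key, sample_key_len, tags, 8);
    printf("sample_key: %d packets\n", n);
    for (int i = 0; i < n; i++) printf("  tag %d\n", tags[i]);
    printf("sample_truncated: %d\n",
           pgp_walk(sample_truncated, sample_truncated_len, tags, 8));
    return 0;
}
```

The key property is that every length is validated against the remaining buffer before it is used to advance the cursor, and the two length encodings that cannot be bounds-checked up front (indeterminate old-format lengths and new-format partial body lengths) are refused rather than handled.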

Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1306#issuecomment-751385895