[Rpm-maint] [rpm-software-management/rpm] Reconsider GPG key loading from %_keyringpath (#1543)

Dan Čermák notifications at github.com
Wed Feb 17 08:06:01 UTC 2021


At the moment rpm will load keys from a pre-defined directory (`%{_keyringpath}`) and **only** if no keys are found there, will it try to load keys from the rpmdb: https://github.com/rpm-software-management/rpm/blob/1efe530450b5bdbd90128327be56c87fa1b6843b/lib/rpmts.c#L382

This is a bit unfortunate imho, because at least as far as I am aware, no distribution really uses `%_keyringpath` to store keys (the directory does not exist on openSUSE Tumbleweed or on Fedora 33, and it is also not provided by any package). Now if someone drops a `*.key` file into `%_keyringpath`, they'll effectively kill key verification, as everyone appears to be storing keys in the rpmdb nowadays.

Therefore I would propose to revert https://github.com/rpm-software-management/rpm/commit/9d200565744d3023053d64f627c82cf2451fa701.

https://github.com/rpm-software-management/rpm/issues/1543
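
A defender-side check for the condition this message describes, as an added example that is not part of the original message or of rpm itself: it asks rpm for `%{_keyringpath}` and reports any `*.key` files found there. The function names and the optional path argument are assumptions of this sketch.

```shell
#!/bin/sh
# Added audit sketch, not rpm project code.

# Print every *.key entry directly inside directory $1.
# Returns 1 if at least one exists, 0 if none (or the directory is absent).
keyring_files() {
    kf_dir=$1
    kf_found=0
    [ -d "$kf_dir" ] || return 0
    for kf in "$kf_dir"/*.key; do
        # An unmatched glob stays literal; -L also reports dangling symlinks.
        if [ -e "$kf" ] || [ -L "$kf" ]; then
            printf '%s\n' "$kf"
            kf_found=1
        fi
    done
    return "$kf_found"
}

# Audit one keyring directory. $1 overrides the path (assumption: handy for
# chroots and images); otherwise the path is taken from rpm's own macro.
audit_keyring() {
    ak_dir=${1:-}
    if [ -z "$ak_dir" ]; then
        command -v rpm >/dev/null 2>&1 || { echo "SKIP: rpm not installed"; return 0; }
        ak_dir=$(rpm --eval '%{_keyringpath}')
    fi
    if ak_list=$(keyring_files "$ak_dir"); then
        echo "OK: no *.key files in $ak_dir; the rpmdb fallback applies"
        return 0
    fi
    echo "WARNING: *.key files in $ak_dir; if rpm loads any, rpmdb keys are skipped:"
    # Numeric owner and mtime help tell a packaged file from a dropped one.
    printf '%s\n' "$ak_list" | while IFS= read -r ak_f; do ls -ldn "$ak_f"; done
    return 1
}

if audit_keyring "${1:-}"; then :; else echo "review the files listed above" >&2; fi
```

A non-zero status from `audit_keyring` is meant to be alertable from a periodic configuration check, since on the distributions named in the message the directory is not expected to exist at all.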