[Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked (#1598)

Dmitry Antipov notifications at github.com
Wed Mar 24 16:30:13 UTC 2021


Shouldn't RPM treat the revoked (sub)key(s) as no longer valid? I'm trying to fix the simple use case with only a revoked subkey. IOW, after importing:
```
sec  rsa4096/D8D1E0ECD0EE67F7
     created: 2021-03-24  expires: 2023-03-24  usage: C   
     trust: ultimate      validity: ultimate
The following key was revoked on 2021-03-24 by RSA key D8D1E0ECD0EE67F7 Dmitry Antipov <dantipov at cloudlinux.com>
ssb  rsa3072/03CB9273F10DB1D4
     created: 2021-03-24  revoked: 2021-03-24  usage: S   
[ultimate] (1). Dmitry Antipov <dantipov at cloudlinux.com>
[ultimate] (2)  CloudLinux, Inc. <info at cloudlinux.com>
```
the package previously signed as:
```
Signature   : RSA/SHA256, Wed Mar 24 12:16:55 2021, Key ID 03cb9273f10db1d4
```
should not pass verification:
```
$ rpm -K foo-1.0-1.x86_64.rpm 
foo-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK
```
and a warning should be issued during installation:
```
$ rpm -i foo-1.0-1.x86_64.rpm 
warning: foo-1.0-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID f10db1d4: NOKEY
```


Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1598
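As an added illustration of the check this issue asks for (example code written for this page, not rpm's own verification code): walk an OpenPGP keyring, collect the key IDs of (sub)keys that carry a revocation signature, and refuse a package signature whose issuer key ID is among them. The keyring bytes are constructed dummy packets rather than a real key, and the cryptographic validity of the revocation signature itself is assumed to be checked by the OpenPGP layer.

```python
import hashlib
# OpenPGP packet tags (RFC 4880) and the revocation signature type that may follow each key kind
TAG_SIG, TAG_PUBKEY, TAG_USERID, TAG_SUBKEY = 2, 6, 13, 14
REVOKES = {TAG_PUBKEY: 0x20, TAG_SUBKEY: 0x28}   # key revocation / subkey revocation

def parse_packets(data):
    """Yield (tag, body) for each packet; handles old- and new-format headers."""
    i = 0
    while i < len(data):
        ctb = data[i]; i += 1
        if ctb & 0x40:                                  # new-format header
            tag, first = ctb & 0x3F, data[i]; i += 1
            if first < 192: length = first
            elif first < 224: length = ((first - 192) << 8) + data[i] + 192; i += 1
            else: length = int.from_bytes(data[i:i + 4], "big"); i += 4   # 0xFF: 4-octet length
        else:                                           # old-format header (e.g. 0x99 = public key)
            tag, n = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 0x03]   # length type 3 (indeterminate) unsupported
            length = int.from_bytes(data[i:i + n], "big"); i += n
        yield tag, data[i:i + length]
        i += length

def key_id(key_body):
    """v4 key ID: low 64 bits of SHA-1(0x99 || 2-octet length || key packet body), as gpg shows it."""
    return hashlib.sha1(b"\x99" + len(key_body).to_bytes(2, "big") + key_body).hexdigest()[-16:].upper()

def revoked_key_ids(keyring):
    """Key IDs of (sub)keys followed by a revocation signature (structural check only)."""
    revoked, cur_id, cur_tag = set(), None, None
    for tag, body in parse_packets(keyring):
        if tag in REVOKES:                              # primary key or subkey packet
            cur_id, cur_tag = key_id(body), tag
        elif tag == TAG_SIG and cur_id and body[0] == 4 and body[1] == REVOKES[cur_tag]:
            revoked.add(cur_id)                         # v4 signature of the revoking type
    return revoked

def signature_acceptable(issuer_key_id, keyring):
    """Policy the issue asks for: a signature made with a revoked (sub)key must not pass."""
    return issuer_key_id.upper() not in revoked_key_ids(keyring)
# Constructed sample keyring: dummy key material and signatures, not a real key.
def packet(tag, body):       # new-format header with a one-octet length (body < 192 bytes)
    return bytes([0xC0 | tag, len(body)]) + body
def dummy_v4_key(seed):      # version 4, creation time, RSA, one tiny MPI
    return b"\x04\x60\x5b\x6e\x00\x01\x00\x08" + bytes([seed])
def dummy_v4_sig(sig_type):  # version 4, type, RSA, SHA-256, empty subpacket areas
    return b"\x04" + bytes([sig_type]) + b"\x01\x08\x00\x00\x00\x00"
PRIMARY, SUBKEY = dummy_v4_key(0xA1), dummy_v4_key(0xB2)
SAMPLE_KEYRING = (packet(TAG_PUBKEY, PRIMARY) + packet(TAG_USERID, b"Example <ex at example.invalid>")
                  + packet(TAG_SIG, dummy_v4_sig(0x13)) + packet(TAG_SUBKEY, SUBKEY)     # certification, subkey
                  + packet(TAG_SIG, dummy_v4_sig(0x18)) + packet(TAG_SIG, dummy_v4_sig(0x28)))  # binding, revocation
```

With the sample keyring, `signature_acceptable(key_id(SUBKEY), SAMPLE_KEYRING)` is False while the primary key is still accepted, which is the outcome `rpm -K` should report as SIGNATURES NOT OK for the package above.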