Force RPM to check GPG key
George Machitidze
giomac at gmail.com
Tue Apr 17 14:38:17 UTC 2012
Even more... -K/--checksig is not checking key at all and it doesn't work
with -i or -U.
Best regards,
George Machitidze
On Tue, Apr 17, 2012 at 6:05 PM, George Machitidze <giomac at gmail.com> wrote:
> Thanks Greg!
>
> I've added a macro file in /etc/rpm and rpm has taken the values for vsflags,
> but still, it has no effect on installation or upgrades or anything; tried
> 0x00000 and 0xf0000.
>
> Found definitions in here:
>
> http://rpm5.org/community/rpm-users/0463.html
>
> [root at srv rpm]# rpm --showrc|grep -i vs
> -14: __vsflags 0xf0000
> -14: _vsflags_build %{__vsflags}
> -14: _vsflags_erase 0x00000
> -14: _vsflags_install 0x00000
> -14: _vsflags_query %{__vsflags}
> -14: _vsflags_rebuilddb %{__vsflags}
> -14: _vsflags_up2date %{__vsflags}
> -14: _vsflags_verify %{__vsflags}
>
> No luck :|
>
> Best regards,
> George Machitidze
>
>
>
> On Tue, Apr 17, 2012 at 5:38 PM, Greg Swift <gregswift at gmail.com> wrote:
>
>> I figured that would be the case.
>>
>> JJ just told me that --checksig only gets run separate from --install,
>> which seemed kinda silly to me until he pointed out that this is
>> because rpm is configured by default to check headers+payload against
>> signature if possible.
>>
>> So by default it is supposedly doing this already, it is just an 'if
>> possible' scenario. So if you don't have a key to verify against it
>> just moves forward, would be my understanding.
>>
>> I did look in `rpm --showrc` for any value that might seem to force
>> this but was unable to locate one (I didn't look at each value, just
>> tried several greps). JJ suggested I dig through /usr/lib/rpm/macros
>> and in there I found vsflags. The default value is 0xf0000 which
>> means if set, check header+payload (if possible). If you look in this
>> file you can see the options and if you have a better config you can
>> set it in a macro file over in /etc/rpm. Would have been nice if the
>> variable name was a bit more descriptive for the sake of grep but such
>> is life i guess.
>>
>> -greg
>>
>> On Tue, Apr 17, 2012 at 08:14, George Machitidze <giomac at gmail.com>
>> wrote:
>> > Thanks
>> >
>> > I need to have this option by default without adding a command-line
>> > option to rpm. yum is checking for the GPG key by default in case gpgcheck
>> > is not set to 0.
>> > Maybe it's possible through rpmrc, but I couldn't find an option for that.
>> >
>> > Best regards,
>> > George Machitidze
>> >
>> >
>> > On Tue, Apr 17, 2012 at 5:09 PM, Greg Swift <gregswift at gmail.com>
>> wrote:
>> >>
>> >> On Tue, Apr 17, 2012 at 07:43, George Machitidze <giomac at gmail.com>
>> wrote:
>> >> > Hi
>> >> >
>> >> > I want to force rpm during the package update or install to check if the
>> >> > RPM package is signed (public key is imported).
>> >> > Is there a safe way to do this?
>> >>
>> >> So you can add -K|--checksig to your installation command if using rpm
>> >> directly (i.e. rpm -ivhK package.rpm)
>> >>
>> >> I don't know how one would force that as a system wide configuration
>> >> option. Setting it as an alias doesn't seem to work because of other
>> >> non install related commands not liking their options after the -K.
>> >>
>> >> With yum you can set a repository to gpgcheck=1 which will force it
>> >> unless manually disabled.
>> >> _______________________________________________
>> >> Rpm-list mailing list
>> >> Rpm-list at lists.rpm.org
>> >> http://lists.rpm.org/mailman/listinfo/rpm-list
>> >
>> >
>> >
>
>
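The thread concludes that there is no rpm configuration knob that refuses an unsigned or unverifiable package, and that `-K`/`--checksig` does not help because it exits 0 for an unsigned package whose digests match. The following shell wrapper is an added example, not code from the thread or from the rpm project: it runs `rpm -Kv` first and only proceeds to `rpm -U` if a signature line verified OK against an imported key. It assumes the `rpm -Kv` report format shown in the comments (one line per check, a verified signature marked with `: OK` on a line containing "Signature"); the sample reports are constructed for the self-check, not captured from a real system.

```shell
#!/bin/sh
# Added example, not code from the thread or from the rpm project.
# Wrapper that refuses `rpm -U` unless `rpm -Kv` reports a GPG signature that
# verified OK.  Plain `rpm -K` exits 0 for an unsigned package whose digests
# match, so its exit status alone does not prove a key was checked.
#
# Assumption: rpm -Kv prints one line per check and marks a verified
# signature with ": OK" on a line containing "Signature"/"signature", e.g.
#   Header V4 RSA/SHA256 Signature, key ID 0608b895: OK     (newer rpm)
#   Header V3 DSA signature: OK, key ID 0608b895            (older rpm)
# Anything else on a signature line (NOKEY, BAD, NOTTRUSTED, ...) is a reject.

# Read one package's `rpm -Kv` report on stdin.  Succeed only if at least one
# signature line verified OK and no signature line reported a problem.
# Digest-only reports (unsigned package) are rejected.
verify_report_ok() {
    sig_ok=0
    while IFS= read -r line; do
        case "$line" in
            *[Ss]ignature*)
                case "$line" in
                    *": OK"*) sig_ok=1 ;;   # verified against an imported key
                    *)        return 1 ;;   # NOKEY, BAD, NOTTRUSTED, ...
                esac ;;
        esac
    done
    [ "$sig_ok" -eq 1 ]
}

# Install/upgrade the given .rpm files only if every one passes the policy.
# Needs a real rpm binary; not exercised by the self-check below.
rpm_install_verified() {
    for pkg in "$@"; do
        if ! report=$(rpm -Kv "$pkg"); then
            printf '%s: rpm -Kv failed (bad digest or signature)\n' "$pkg" >&2
            return 1
        fi
        if ! printf '%s\n' "$report" | verify_report_ok; then
            printf '%s: no signature verified against an imported key, refusing\n' "$pkg" >&2
            return 1
        fi
    done
    rpm -Uvh "$@"
}

# Constructed sample reports (not captured from a real system) covering the
# cases that matter: signed with key imported (two formats), unsigned, key missing.
SAMPLE_SIGNED='Header V4 RSA/SHA256 Signature, key ID 0608b895: OK
Header SHA256 digest: OK
Payload SHA256 digest: OK'
SAMPLE_SIGNED_OLD='Header V3 DSA signature: OK, key ID 0608b895
Header SHA1 digest: OK
MD5 digest: OK'
SAMPLE_UNSIGNED='Header SHA256 digest: OK
Payload SHA256 digest: OK'
SAMPLE_NOKEY='Header V4 RSA/SHA256 Signature, key ID 0608b895: NOKEY
Header SHA256 digest: OK
Payload SHA256 digest: OK'

# Returns 0 when the policy accepts both signed samples and rejects the others.
selfcheck() {
    printf '%s\n' "$SAMPLE_SIGNED"     | verify_report_ok || return 1
    printf '%s\n' "$SAMPLE_SIGNED_OLD" | verify_report_ok || return 1
    if printf '%s\n' "$SAMPLE_UNSIGNED" | verify_report_ok; then return 1; fi
    if printf '%s\n' "$SAMPLE_NOKEY"    | verify_report_ok; then return 1; fi
    return 0
}
```

Usage is `rpm_install_verified pkg1.rpm pkg2.rpm`; a package that is unsigned, or signed with a key that has not been imported (`rpm --import`), is refused before anything is written to the rpmdb. Later rpm releases added a `%_pkgverify_level` macro (values none, digest, signature, all) that enforces this inside rpm itself; check `rpm --showrc | grep pkgverify` on your release, and fall back to a wrapper like this one where it is absent.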