Force RPM to check GPG key
George Machitidze
giomac at gmail.com
Tue Apr 17 14:41:25 UTC 2012
[root at proxy SPECS]# rpm -qip /root/automake-1.11.1-0.test.noarch.rpm |grep Sign
Signature : (none)
[root at proxy SPECS]# rpm -K /root/automake-1.11.1-0.test.noarch.rpm
/root/automake-1.11.1-0.test.noarch.rpm: sha1 md5 OK
Best regards,
George Machitidze
On Tue, Apr 17, 2012 at 6:38 PM, George Machitidze <giomac at gmail.com> wrote:
> Even more... -K/--checksig is not checking the key at all, and it doesn't work
> with -i or -U.
>
> Best regards,
> George Machitidze
>
>
>
> On Tue, Apr 17, 2012 at 6:05 PM, George Machitidze <giomac at gmail.com> wrote:
>
>> Thanks Greg!
>>
>> I've added a macro file in /etc/rpm and rpm has taken the values for vsflags,
>> but still it has no effect on installation or upgrades or anything; tried
>> 0x00000 and 0xf0000.
>>
>> Found definitions in here:
>>
>> http://rpm5.org/community/rpm-users/0463.html
>>
>> [root at srv rpm]# rpm --showrc|grep -i vs
>> -14: __vsflags 0xf0000
>> -14: _vsflags_build %{__vsflags}
>> -14: _vsflags_erase 0x00000
>> -14: _vsflags_install 0x00000
>> -14: _vsflags_query %{__vsflags}
>> -14: _vsflags_rebuilddb %{__vsflags}
>> -14: _vsflags_up2date %{__vsflags}
>> -14: _vsflags_verify %{__vsflags}
>>
>> No luck :|
>>
>> Best regards,
>> George Machitidze
>>
>>
>>
>> On Tue, Apr 17, 2012 at 5:38 PM, Greg Swift <gregswift at gmail.com> wrote:
>>
>>> I figured that would be the case.
>>>
>>> JJ just told me that --checksig only gets run separate from --install,
>>> which seemed kinda silly to me until he pointed out that this is
>>> because rpm is configured by default to check headers+payload against
>>> the signature if possible.
>>>
>>> So by default it is supposedly doing this already; it is just an 'if
>>> possible' scenario. So if you don't have a key to verify against it
>>> just moves forward, would be my understanding.
>>>
>>> I did look in `rpm --showrc` for any value that might seem to force
>>> this but was unable to locate one (I didn't look at each value, just
>>> tried several greps). JJ suggested I dig through /usr/lib/rpm/macros
>>> and in there I found vsflags. The default value is 0xf0000, which
>>> means if set, check header+payload (if possible). If you look in this
>>> file you can see the options, and if you have a better config you can
>>> set it in a macro file over in /etc/rpm. Would have been nice if the
>>> variable name was a bit more descriptive for the sake of grep, but such
>>> is life I guess.
>>>
>>> -greg
>>>
>>> On Tue, Apr 17, 2012 at 08:14, George Machitidze <giomac at gmail.com> wrote:
>>> > Thanks
>>> >
>>> > I need to have this option by default without adding a command line
>>> > option to rpm. yum checks for the GPG key by default when gpgcheck is
>>> > not set to 0.
>>> > Maybe it's possible through rpmrc, but I couldn't find an option for that.
>>> >
>>> > Best regards,
>>> > George Machitidze
>>> >
>>> >
>>> > On Tue, Apr 17, 2012 at 5:09 PM, Greg Swift <gregswift at gmail.com> wrote:
>>> >>
>>> >> On Tue, Apr 17, 2012 at 07:43, George Machitidze <giomac at gmail.com> wrote:
>>> >> > Hi
>>> >> >
>>> >> > I want to force rpm during the package update or install to check
>>> >> > if the RPM package is signed (public key is imported).
>>> >> > Is there a safe way to do this?
>>> >>
>>> >> So you can add -K|--checksig to your installation command if using rpm
>>> >> directly (i.e. rpm -ivhK package.rpm).
>>> >>
>>> >> I don't know how one would force that as a system-wide configuration
>>> >> option. Setting it as an alias doesn't seem to work because other
>>> >> non-install-related commands don't like their options after the -K.
>>> >>
>>> >> With yum you can set a repository to gpgcheck=1 which will force it
>>> >> unless manually disabled.
>>> >> _______________________________________________
>>> >> Rpm-list mailing list
>>> >> Rpm-list at lists.rpm.org
>>> >> http://lists.rpm.org/mailman/listinfo/rpm-list
>>> >
>>> >
>>>
>>
>>
>
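The thread's conclusion is that plain `rpm -i`/`rpm -U` installs an unsigned package (or one signed with a key that is not imported) without complaint, and that `-K` has to be run as a separate step. The following wrapper is an added example, not code from anyone in the thread: it runs `rpm -K` on each package first and only calls `rpm -Uvh` when every package shows a verified OpenPGP signature. The classifier assumes the `rpm -K` output style seen in the thread ("sha1 md5 OK" for a package with digests but no signature): passed checks are printed in lower case, failed or missing ones in upper case followed by "NOT OK", and a verified signature appears as a lower-case `pgp`/`gpg` token. The signed and missing-key sample lines are constructed to that pattern, not captured output; `safe_rpm_install` is a hypothetical name.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): refuse to install an
# RPM unless `rpm -K` reports a verified OpenPGP signature.

# Classify one line of `rpm -K` output.
# Assumed format (matches the thread's "sha1 md5 OK" for an unsigned
# package): lower-case tokens are checks that passed, upper-case tokens
# are checks that failed or could not run, and "NOT OK" marks failure.
classify_checksig() {
    line="$1"
    case "$line" in
        *"NOT OK"*)    echo "not-ok" ;;    # bad digest, bad signature or missing key
        *pgp*|*gpg*)   echo "signed" ;;    # lower-case pgp/gpg: signature verified
        *OK*)          echo "unsigned" ;;  # digests only, no signature on the package
        *)             echo "unknown" ;;   # unexpected output, treat as not verified
    esac
}

# Install the given packages only if each one carries a signature that
# verifies against a key already imported into the rpm database.
# Returns non-zero and installs nothing otherwise.
safe_rpm_install() {
    for pkg in "$@"; do
        out=$(rpm -K "$pkg" 2>&1) || true       # rpm -K exits non-zero on NOT OK
        status=$(classify_checksig "$out")
        if [ "$status" != signed ]; then
            echo "refusing to install $pkg: $status ($out)" >&2
            return 1
        fi
    done
    rpm -Uvh "$@"
}

# Sample lines for the classifier. The first is the thread's own output;
# the other two are constructed to the assumed format, with a placeholder
# key id.
SAMPLE_UNSIGNED='/root/automake-1.11.1-0.test.noarch.rpm: sha1 md5 OK'
SAMPLE_SIGNED='pkg.rpm: rsa sha1 (md5) pgp md5 OK'
SAMPLE_MISSING='pkg.rpm: RSA sha1 (MD5) PGP MD5 NOT OK (MISSING KEYS: RSA#EXAMPLEID)'

# Usage: sh safe_rpm_install.sh package1.rpm [package2.rpm ...]
if [ "$#" -gt 0 ]; then
    safe_rpm_install "$@"
fi
```

Newer rpm releases can enforce the same policy natively through the `%_pkgverify_level` macro; on an rpm of the vintage discussed here, a wrapper like this (or yum with `gpgcheck=1`) is the practical way to make an unsigned or untrusted package fail the install rather than pass silently.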