[Rpm-maint] [rpm-software-management/rpm] rpmkeys: --checksig should require valid signatures (#1630)
Demi Marie Obenour
notifications at github.com
Sun Apr 11 12:14:05 UTC 2021
`rpmkeys --checksig` exists specifically to verify the signatures on a
package. Therefore, it should imply `--define=_pkgverify_level all` and
`--define=_pkgverify_flags 0x0`. The current behavior is both
counterintuitive and dangerous.

The RPM testsuite relies heavily on controlling the package verification
level via `--define=_pkgverify_level $lvl`. Therefore, add two new
flags: `--no-require-digests` and `--allow-unsigned`. These are
equivalent to `--nodigests` and `--nosignatures`, respectively, except
that they only change whether digests (resp. signatures) are *required*,
not whether they are checked at all. Additionally, update the testsuite
to use the new flags and expect the new NOTFOUND lines. This accounts
for most of the changes.
You can view, comment on, or merge this pull request online at:
https://github.com/rpm-software-management/rpm/pull/1630
-- Commit Summary --
* rpmkeys: --checksig should require valid signatures
-- File Changes --
M lib/poptALL.c (11)
M lib/rpmcli.h (2)
M rpmkeys.c (4)
M tests/rpmsigdig.at (180)
M tests/rpmvfylevel.at (36)
-- Patch Links --
https://github.com/rpm-software-management/rpm/pull/1630.patch
https://github.com/rpm-software-management/rpm/pull/1630.diff
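
The risk described above is a check that succeeds although no signature was verified. The following is an added example, not code from this pull request or from rpm: a fail-closed filter over verbose `rpmkeys --checksig` output. The function name, the sample outputs (file names, key ID) and the assumed line layout are constructed for illustration.

```shell
#!/bin/sh
# Added example (not rpm code). Reads verbose `rpmkeys --checksig` output on
# stdin and succeeds only if a signature verified and nothing failed.
# Assumption: each result is an indented line ending in ": STATUS", where
# STATUS is OK, NOTFOUND, NOKEY, NOTTRUSTED or BAD.
require_valid_signature() {
    awk '
        /^[ \t]/ {
            if ($0 ~ /: OK$/) {
                # Count only verified signatures, not digests.
                if (tolower($0) ~ /signature/) sig_ok++
                next
            }
            # A missing item is tolerated; the END rule still demands
            # at least one verified signature.
            if ($0 ~ /: NOTFOUND$/) next
            # Anything else (BAD, NOKEY, NOTTRUSTED, unknown) fails closed.
            failed++
        }
        END { exit !(sig_ok > 0 && failed == 0) }
    '
}

# Constructed sample outputs (hypothetical file names and key ID).
sample_signed() {
    cat <<'EOF'
hello-signed.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
EOF
}
sample_unsigned() {
    cat <<'EOF'
hello-unsigned.rpm:
    Header RSA signature: NOTFOUND
    Header DSA signature: NOTFOUND
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
EOF
}
sample_nokey() {
    cat <<'EOF'
hello-signed.rpm:
    Header V4 RSA/SHA256 Signature, key ID 0123abcd: NOKEY
    Header SHA256 digest: OK
EOF
}

for s in sample_signed sample_unsigned sample_nokey; do
    if $s | require_valid_signature; then echo "$s: accept"; else echo "$s: reject"; fi
done
```

Against a real package the filter would be fed from `rpmkeys --checksig -v <package>`; the exit status of `rpmkeys` itself is lost in a pipeline and should be checked separately.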