[Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked (#1598)
Dmitry Antipov
notifications at github.com
Wed Mar 24 16:30:13 UTC 2021
Shouldn't RPM treat the revoked (sub)key(s) as no longer valid? I'm trying to fix the simple use case with the only revoked subkey. IOW after importing:
```
sec rsa4096/D8D1E0ECD0EE67F7
created: 2021-03-24 expires: 2023-03-24 usage: C
trust: ultimate validity: ultimate
The following key was revoked on 2021-03-24 by RSA key D8D1E0ECD0EE67F7 Dmitry Antipov <dantipov at cloudlinux.com>
ssb rsa3072/03CB9273F10DB1D4
created: 2021-03-24 revoked: 2021-03-24 usage: S
[ultimate] (1). Dmitry Antipov <dantipov at cloudlinux.com>
[ultimate] (2) CloudLinux, Inc. <info at cloudlinux.com>
```
the package previously signed as:
```
Signature : RSA/SHA256, Wed Mar 24 12:16:55 2021, Key ID 03cb9273f10db1d4
```
should not pass verification:
```
$ rpm -K foo-1.0-1.x86_64.rpm
foo-1.0-1.x86_64.rpm: digests SIGNATURES NOT OK
```
and a warning should be issued during installation:
```
$ rpm -i foo-1.0-1.x86_64.rpm
warning: foo-1.0-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID f10db1d4: NOKEY
```
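The check requested in the message above can be done out of band. This is an added example, not part of the original message or of rpm: it reads `gpg --with-colons --list-keys` output and reports whether the key ID printed by rpm is revoked. It assumes the same public key has also been imported into a GnuPG keyring; the function names and the sample listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed, abbreviated `gpg --with-colons --list-keys` listing for the
# keyring in the report. Field 2 is the validity ("r" = revoked), field 5 the
# long key ID. Timestamps are constructed; only the key IDs come from the message.
sample_keyring() {
cat <<'EOF'
pub:u:4096:1:D8D1E0ECD0EE67F7:1616544000:1679616000::u:::cC:
sub:r:3072:1:03CB9273F10DB1D4:1616544000::::::s:
EOF
}

# Pull the signing key ID (short or long form) out of rpm's
# "Key ID ..." / "key ID ...: NOKEY" text read from stdin.
sig_keyid() {
    sed -n 's/.*[Kk]ey ID \([0-9A-Fa-f]\{8,16\}\).*/\1/p' | head -n 1
}

# usage: key_status KEYID < colon-listing
# Prints revoked, expired, ok or nokey. KEYID may be the 8-hex short form,
# which is matched against the tail of the long ID.
key_status() {
    awk -F: -v want="$(printf %s "$1" | tr 'a-f' 'A-F')" '
        $1 == "pub" { primary = $2 }
        ($1 == "pub" || $1 == "sub") &&
        substr($5, length($5) - length(want) + 1) == want {
            v = $2
            if (primary == "r") v = "r"   # a revoked primary invalidates its subkeys
            found = 1
            exit
        }
        END {
            if (!found)        print "nokey"
            else if (v == "r") print "revoked"
            else if (v == "e") print "expired"
            else               print "ok"
        }'
}

# Demo on the signature line quoted in the message.
id=$(echo 'Signature : RSA/SHA256, Wed Mar 24 12:16:55 2021, Key ID 03cb9273f10db1d4' | sig_keyid)
sample_keyring | key_status "$id"
```

Against a real keyring, replace `sample_keyring` with `gpg --with-colons --list-keys` and refuse the package when the result is anything other than `ok`.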