[Rpm-maint] [rpm-software-management/rpm] PGP key identifiers use binding signature's creation time, not certificate creation time (Issue #2004)
Demi Marie Obenour
notifications at github.com
Mon Apr 11 20:41:56 UTC 2022
> The first thing I see is that there is a slight mismatch between the semantics that I've implemented in the Sequoia backend: the Sequoia backend returns all subkeys, even if they are revoked (it checks their validity when verifying a signature). That's easy enough to fix.
I’d prefer Sequoia’s semantics here. #1993 also returns all subkeys, though it refuses to verify a signature made by an invalid subkey (revoked or cannot sign). I suggest returning `RPMRC_NOTTRUSTED` here, so that RPM doesn’t get confused when verifying header signatures from the RPMDB. The goal of #1993 is that `gpg2 --export --export-options=export-minimal --armor "--output=trusted.asc" -- "$TRUSTED_FINGERPRINT" && rpmkeys --import - < trusted.asc` should be safe, and it comes quite close to achieving that goal.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2004#issuecomment-1095546385
You are receiving this because you are subscribed to this thread.
Message ID: <rpm-software-management/rpm/issues/2004/1095546385 at github.com>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20220411/71fd9b69/attachment.html>
More information about the Rpm-maint
mailing list