[Rpm-maint] [rpm-software-management/rpm] Distinguish between trusted and untrusted signatures and keys. (PR #1993)

Panu Matilainen notifications at github.com
Wed Apr 13 09:48:58 UTC 2022


NOTTRUSTED does seem like an entirely reasonable way to handle e.g. revoked subkeys as such, but sometimes sane behavior doesn't quite fit with the mad underlying OK/NOKEY etc. semantics in rpm. I think this will require some more chewing before swallowing, if only because it quite fundamentally changes the landscape of rpm signature handling.

Up to now, imported == trusted since the beginning of time, and there has never been a single case where rpm returns NOTTRUSTED. Which means that callers have no clear idea what it means and where they might encounter it, and so there almost certainly will be code in and out of rpm which will behave in unexpected/unwanted ways when presented with something other than an OK/FAIL/NOKEY return. This also calls for a test for the case where an installed package has a NOTTRUSTED signature.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/1993#issuecomment-1097830727

Message ID: <rpm-software-management/rpm/pull/1993/c1097830727 at github.com>
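
An added illustration of the concern raised in the message above (not part of the original email and not rpm code): a caller written when only OK/FAIL/NOKEY were ever returned, next to a fail-closed caller. The `sig_rc` enum is a local mirror whose values are assumed to match rpm's `rpmRC`; `legacy_allows`, `strict_allows` and `count_disagreements` are hypothetical names.

```c
#include <stdio.h>

/* Local mirror of rpm's return codes; values assumed to match rpmRC. */
typedef enum { RC_OK = 0, RC_NOTFOUND = 1, RC_FAIL = 2, RC_NOTTRUSTED = 3, RC_NOKEY = 4 } sig_rc;

/* Hypothetical legacy caller: written when only OK/FAIL/NOKEY were ever
 * returned, so "anything that is not FAIL" was treated as acceptable. */
static int legacy_allows(sig_rc rc)
{
    return rc != RC_FAIL;
}

/* Fail-closed caller: only codes it explicitly understands can pass.
 * allow_unsigned models a local policy that tolerates a missing key. */
static int strict_allows(sig_rc rc, int allow_unsigned)
{
    switch (rc) {
    case RC_OK:
        return 1;
    case RC_NOKEY:
        return allow_unsigned;
    case RC_NOTTRUSTED:   /* key is known but not trusted, e.g. a revoked subkey */
    case RC_FAIL:
    case RC_NOTFOUND:
    default:              /* any code added later is rejected as well */
        return 0;
    }
}

/* Count codes in [0, max_rc] that the legacy check accepts but the strict one rejects. */
static int count_disagreements(int max_rc, int allow_unsigned)
{
    int n = 0;
    for (int rc = 0; rc <= max_rc; rc++)
        if (legacy_allows((sig_rc)rc) && !strict_allows((sig_rc)rc, allow_unsigned))
            n++;
    return n;
}

int main(void)
{
    printf("NOTTRUSTED: legacy=%d strict=%d\n",
           legacy_allows(RC_NOTTRUSTED), strict_allows(RC_NOTTRUSTED, 1));
    printf("disagreements over codes 0..5: %d\n", count_disagreements(5, 1));
    return 0;
}
```

Auditing callers for the first pattern (comparisons against a single failure code rather than an explicit allow list) is one way to find the code that would silently accept a NOTTRUSTED result.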