[Rpm-maint] [rpm-software-management/rpm] Distinguish whether a signature failure is due to legacy crypto or a bad signature (Issue #2402)

Panu Matilainen notifications at github.com
Thu Mar 2 07:55:41 UTC 2023


Just tested this, and it makes rpm do roughly the right thing without any changes required. Already installed packages are left alone:

> [root at localhost brpm]# ./rpm -q teams
teams-1.3.00.16851-1.x86_64
[root at localhost brpm]# ./rpm -qvv teams 2>&1|tail -5
Header V4 RSA/SHA256 Signature, key ID be1229cf: NOTTRUSTED
Header SHA256 digest: OK
Header SHA1 digest: OK
teams-1.3.00.16851-1.x86_64
D: Exit status: 0

...and can be removed without trickery, but new installations are prevented:

> [root at localhost brpm]# ./rpm -e teams
[root at localhost brpm]# ./rpm -Uvh --noscripts ~pmatilai/Downloads/teams-1.3.00.16851-1.x86_64.rpm
warning: /home/pmatilai/Downloads/teams-1.3.00.16851-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID be1229cf: NOTTRUSTED
Verifying...                          ################################# [100%]
Preparing...                          ################################# [100%]
	package teams-1.3.00.16851-1.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID be1229cf: NOTTRUSTED

Which is basically just what the doctor ordered, and applies to 4.18.x too. We should probably add a warning message to the installed-but-not-trusted case, but you can go ahead and make a release with this change without having to wait for rpm.

https://github.com/rpm-software-management/rpm/issues/2402#issuecomment-1451441935
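The two transcripts above show the states a defender cares about when auditing signature verification: a header signature reported as NOTTRUSTED while the header digests are still OK, which is what the issue title asks rpm to distinguish from a signature that is actually BAD. The following is an added example, not code from rpm or from this thread, that parses `rpm -qvv` and `rpm -Uvh` style lines like the ones quoted and classifies them, so that a fleet inventory can separate "content intact, key not trusted" from "content or signature tampered". The sample input is constructed to mirror the quoted output; the status words OK, BAD, NOKEY and NOTTRUSTED are the ones rpm prints, and the category names returned by `classify()` are this example's own.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed sample modelled on the `rpm -qvv teams` output quoted in the
# thread (installed package, untrusted key, digests intact). Not captured
# from a live system.
SAMPLE_QVV = """\
Header V4 RSA/SHA256 Signature, key ID be1229cf: NOTTRUSTED
Header SHA256 digest: OK
Header SHA1 digest: OK
teams-1.3.00.16851-1.x86_64
D: Exit status: 0
"""

# Matches both the bare `-qvv` form and the `warning: <file>: ...` /
# `package ... does not verify: ...` forms from the `-Uvh` transcript,
# because the pattern is searched for rather than anchored at line start.
SIG_RE = re.compile(
    r"Header (?P<algo>V\d \S+) Signature, key ID (?P<keyid>[0-9a-fA-F]+): (?P<status>\w+)"
)
DIGEST_RE = re.compile(r"Header (?P<algo>SHA\d+) digest: (?P<status>\w+)")


@dataclass
class VerifyResult:
    sig_status: Optional[str] = None      # OK / BAD / NOKEY / NOTTRUSTED, None if absent
    key_id: Optional[str] = None
    sig_algo: Optional[str] = None
    digests: Dict[str, str] = field(default_factory=dict)  # e.g. {"SHA256": "OK"}


def parse_rpm_verbose(text: str) -> VerifyResult:
    """Extract header signature and digest status lines from rpm verbose output."""
    result = VerifyResult()
    for line in text.splitlines():
        m = SIG_RE.search(line)
        if m:
            # Keep the first signature line seen; rpm prints one per header signature.
            if result.sig_status is None:
                result.sig_status = m.group("status")
                result.key_id = m.group("keyid").lower()
                result.sig_algo = m.group("algo")
            continue
        m = DIGEST_RE.search(line)
        if m:
            result.digests[m.group("algo")] = m.group("status")
    return result


def classify(result: VerifyResult) -> str:
    """
    Map a parsed result to an audit category (names are this example's own):
      digest-mismatch  - a header digest is not OK: the content itself is damaged
      bad-signature    - digests OK but the signature does not verify (BAD)
      untrusted-key    - signature present, key rejected (NOTTRUSTED) or unknown (NOKEY)
      trusted          - signature OK
      unsigned         - no header signature line at all
    Digest failure is checked first because a wrong digest means the bytes
    changed, which matters regardless of what the signature line says.
    """
    if any(status != "OK" for status in result.digests.values()):
        return "digest-mismatch"
    if result.sig_status is None:
        return "unsigned"
    if result.sig_status == "OK":
        return "trusted"
    if result.sig_status in ("NOTTRUSTED", "NOKEY"):
        return "untrusted-key"
    return "bad-signature"


if __name__ == "__main__":
    parsed = parse_rpm_verbose(SAMPLE_QVV)
    print(parsed.sig_algo, parsed.key_id, parsed.sig_status, parsed.digests)
    print("category:", classify(parsed))
```

Feeding the output of `rpm -qvv <pkg>` for each installed package through `parse_rpm_verbose` and `classify` gives the "installed-but-not-trusted" list that the comment says rpm itself does not yet warn about, and keeps it separate from packages whose digests or signatures are genuinely bad.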

