[Rpm-maint] [rpm-software-management/rpm] Distinguish whether a signature failure is due to legacy crypto or a bad signature (Issue #2402)
Panu Matilainen
notifications at github.com
Thu Mar 2 07:55:41 UTC 2023
Just tested this, and it makes rpm do roughly the right thing without any changes required. Already installed packages are left alone:
[root at localhost brpm]# ./rpm -q teams
teams-1.3.00.16851-1.x86_64
[root at localhost brpm]# ./rpm -qvv teams 2>&1|tail -5
Header V4 RSA/SHA256 Signature, key ID be1229cf: NOTTRUSTED
Header SHA256 digest: OK
Header SHA1 digest: OK
teams-1.3.00.16851-1.x86_64
D: Exit status: 0
...and can be removed without trickery, but new installations are prevented:
[root at localhost brpm]# ./rpm -e teams
[root at localhost brpm]# ./rpm -Uvh --noscripts ~pmatilai/Downloads/teams-1.3.00.16851-1.x86_64.rpm
warning: /home/pmatilai/Downloads/teams-1.3.00.16851-1.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID be1229cf: NOTTRUSTED
Verifying... ################################# [100%]
Preparing... ################################# [100%]
package teams-1.3.00.16851-1.x86_64 does not verify: Header V4 RSA/SHA256 Signature, key ID be1229cf: NOTTRUSTED
Which is basically just what the doctor ordered, and applies to 4.18.x too. We should probably add a warning message to the installed-but-not-trusted case, but you can go ahead and make a release with this change without having to wait for rpm.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2402#issuecomment-1451441935
Message ID: <rpm-software-management/rpm/issues/2402/1451441935 at github.com>
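An added example, not part of the comment above or of rpm itself: a small POSIX shell audit that turns the `rpm -qvv` / `rpm -Uvh` verification lines shown in the message into a single worst-case verdict, so an administrator can spot already-installed packages whose header signature now reads NOTTRUSTED (it also recognises the BAD and NOKEY status words rpm prints for the other failure cases). The transcript embedded below is constructed to mirror the message's output.

```shell
#!/bin/sh
# Classify rpm verification output (as produced by `rpm -qvv PKG 2>&1`)
# into per-check statuses and an overall verdict.

# Constructed sample: the -qvv tail from the comment above.
SAMPLE_TRANSCRIPT='Header V4 RSA/SHA256 Signature, key ID be1229cf: NOTTRUSTED
Header SHA256 digest: OK
Header SHA1 digest: OK
teams-1.3.00.16851-1.x86_64
D: Exit status: 0'

# Emit "STATUS check-description" for every signature/digest line on stdin.
# Matches plain "Header ...: STATUS" lines as well as the "warning: ...: Header
# ...: STATUS" and "package ... does not verify: Header ...: STATUS" forms.
classify_checks() {
    sed -n 's/^.*\(Header .*\): \([A-Z]*\)$/\2 \1/p'
}

# Reduce the classified lines on stdin to the worst status seen
# (BAD > NOTTRUSTED > NOKEY > OK). Prints it; exits 0 only when all checks are OK.
overall_verdict() {
    worst=OK
    while read -r status _check; do
        case "$status" in
            BAD)        worst=BAD ;;
            NOTTRUSTED) [ "$worst" = BAD ] || worst=NOTTRUSTED ;;
            NOKEY)      [ "$worst" = BAD ] || [ "$worst" = NOTTRUSTED ] || worst=NOKEY ;;
        esac
    done
    printf '%s\n' "$worst"
    [ "$worst" = OK ]
}

# Convenience wrapper over a transcript held in a string.
audit_transcript() {
    printf '%s\n' "$1" | classify_checks | overall_verdict
}

# Real use: audit_transcript "$(rpm -qvv "$pkg" 2>&1)" for each installed package,
# e.g. for pkg in $(rpm -qa); do audit_transcript "$(rpm -qvv "$pkg" 2>&1)"; done
```

Because `overall_verdict` exits non-zero for anything other than OK, the wrapper can be used directly as the condition in an audit loop over `rpm -qa`.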