[Rpm-maint] [rpm-software-management/rpm] Add pgpVerifySignature2 (PR #2453)

Panu Matilainen notifications at github.com
Fri Mar 31 07:38:37 UTC 2023


Some minor wrinkles to sort out on both sides, but this indeed makes a world of difference for understanding what's going on:

> [pmatilai🎩︎localhost brpm]$ ./rpmkeys -Kv ~/Downloads/anydesk-6.2.1-1.el8.x86_64.rpm 
/home/pmatilai/Downloads/anydesk-6.2.1-1.el8.x86_64.rpm:
error: Error verifying signature: Verifying a signature using certificate D56311E5FF3B6F39D5A16ABE18DF3741CDFFDE29:
  Signature is OK, but key is not trusted: verification relies on legacy crypto
  error: Error verifying signature: Verifying a signature using certificate D56311E5FF3B6F39D5A16ABE18DF3741CDFFDE29:
  Signature is OK, but key is not trusted: verification relies on legacy crypto
      Header V3 RSA/SHA1 Signature, key ID cdffde29: BAD
    Header SHA1 digest: OK
    V3 RSA/SHA1 Signature, key ID cdffde29: BAD
    MD5 digest: OK

> [pmatilai🎩︎localhost brpm]$ ./rpmkeys -Kv ~/Downloads/anydesk-6.1.1-1.el8.x86_64.rpm 
/home/pmatilai/Downloads/anydesk-6.1.1-1.el8.x86_64.rpm:
error: Error verifying signature: Verifying a signature using certificate D56311E5FF3B6F39D5A16ABE18DF3741CDFFDE29:
  No binding signature at time 2021-04-13T11:08:37Z
  error: Error verifying signature: Verifying a signature using certificate D56311E5FF3B6F39D5A16ABE18DF3741CDFFDE29:
  No binding signature at time 2021-04-13T11:08:37Z
      Header V3 RSA/SHA1 Signature, key ID cdffde29: BAD
    Header SHA1 digest: OK
    V3 RSA/SHA1 Signature, key ID cdffde29: BAD
    MD5 digest: OK

This seems more than adequate for 4.18.x, but I'm now wondering if we shouldn't go ahead and wire this up all the way through in 4.19; there's a long-standing need for a saner package verification public API anyway... (#2041) Mind you, I'm not expecting you to do that work, just thinking out loud.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/2453#issuecomment-1491451359