[Rpm-maint] [rpm-software-management/rpm] OpenPGP: Function `pgpParsePkts` supports only "PGP PUBLIC KEY BLOCK" block, "PGP SIGNATURE" is needed (Issue #2512)
Jaroslav Rohel
notifications at github.com
Sun May 21 18:25:51 UTC 2023
@nwalfield
> Why does librepo need to parse signature files?
Librepo is used to download data from rpm repositories (metadata, packages, ...). Repository metadata can be signed with an OpenPGP signature. And librepo can verify them.
Sample on an existing repository:
```
[google-chrome]
name=google-chrome
baseurl=https://dl.google.com/linux/chrome/rpm/stable/x86_64
skip_if_unavailable=True
gpgcheck=1
gpgkey=https://dl.google.com/linux/linux_signing_key.pub
enabled=1
repo_gpgcheck=1
```
`gpgkey` is a URL to a file containing multiple blocks of ASCII armored public keys (there can be multiple URLs).
The repository contains a "repomd.xml" file and a "repomd.xml.asc" file. **The "repomd.xml.asc" file is an ASCII armored OpenPGP signature that librepo needs to load in order to verify the "repomd.xml" file.**
Librepo uses GpgMe. We now have a high priority to remove the dependency on GpgMe. That's why I created a new implementation in librepo that uses the librpm API instead of GpgMe. Now it works (with some problems that I described in issues, but it works).
If the `pgpParsePkts` function does not support ASCII armored signature parsing, how do I load it in librepo? A new, better function? Okay, but we need it quickly.
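The two armor types discussed in this message, as an added example that is not part of the original post and is not rpm or librepo code: a small de-armoring routine following RFC 4880 section 6 that accepts several `PGP PUBLIC KEY BLOCK` blocks in one file and a single `PGP SIGNATURE` block, checks the CRC-24, and confirms that the armor label matches the first packet tag. All function names and the sample packets are hypothetical, and the code only decodes the armor; it does not verify any signature.

```python
import base64, re
ARMOR_RE = re.compile(
    r"^-----BEGIN PGP ([A-Z ]+)-----\r?\n(.*?)^-----END PGP \1-----", re.S | re.M)

def crc24(data: bytes) -> int:
    """CRC-24 of the decoded data, as RFC 4880 section 6.1 defines it for armor."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc = (crc << 1) ^ (0x1864CFB if crc & 0x800000 else 0)
    return crc & 0xFFFFFF

def armor(kind: str, pkt: bytes) -> str:
    """Wrap packet bytes in armor; used only to construct the sample input."""
    body = base64.b64encode(pkt).decode()
    crc = base64.b64encode(crc24(pkt).to_bytes(3, "big")).decode()
    return f"-----BEGIN PGP {kind}-----\n\n{body}\n={crc}\n-----END PGP {kind}-----\n"

def parse_armor(text: str):
    """Yield (armor_type, packet_bytes) for every armored block in text."""
    for m in ARMOR_RE.finditer(text):
        kind, lines = m.group(1), [l.strip() for l in m.group(2).splitlines()]
        lines = lines[lines.index("") + 1:]  # skip armor headers and the blank line
        data = "".join(l for l in lines if not l.startswith("="))
        pkt = base64.b64decode(data, validate=True)
        crc = [l[1:] for l in lines if l.startswith("=")]
        if crc and int.from_bytes(base64.b64decode(crc[0]), "big") != crc24(pkt):
            raise ValueError(f"CRC24 mismatch in {kind} block")
        yield kind, pkt

def first_packet_tag(pkt: bytes) -> int:
    """Packet tag from the first header octet (old or new packet format)."""
    if not pkt or not pkt[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    return pkt[0] & 0x3F if pkt[0] & 0x40 else (pkt[0] >> 2) & 0x0F

def load_signature(text: str) -> bytes:
    """Return the packets of a detached signature; reject keys and mislabeled blocks."""
    blocks = list(parse_armor(text))
    if len(blocks) != 1 or blocks[0][0] != "SIGNATURE":
        raise ValueError("expected exactly one PGP SIGNATURE block")
    if first_packet_tag(blocks[0][1]) != 2:  # tag 2 = Signature Packet
        raise ValueError("armor type is SIGNATURE but first packet is not")
    return blocks[0][1]

# Constructed sample packets: real header octets, dummy bodies (not valid crypto data).
SIG_PKT = bytes([0x88, 0x02, 0xAA, 0xBB])  # old-format header, tag 2 (signature)
KEY_PKT = bytes([0x98, 0x02, 0xCC, 0xDD])  # old-format header, tag 6 (public key)
```

A caller handling a `gpgkey` file would iterate `parse_armor()` over the whole file, while `load_signature()` is the stricter entry point for a file such as "repomd.xml.asc".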