[Rpm-maint] [rpm-software-management/rpm] PGP key identifiers use binding signature's creation time, not certificate creation time (Issue #2004)

Neal H. Walfield notifications at github.com
Mon Apr 8 08:10:03 UTC 2024


> You can't trust keys.openpgp.org to only return key material for the query, so you need to check the returned data to make sure it doesn't contain an extra pubkey.

Yes.  Your trust root is the fingerprint (which is what is normally authenticated--if anything is authenticated at all), and then you chain forward via the binding signatures and drop or ignore any components that you can't authenticate.

> It would be safe if rpmkeys had a --freshen option that makes sure no new pubkeys are imported.

Yes, that would indeed be an improvement.

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/2004#issuecomment-2042122165
You are receiving this because you are subscribed to this thread.

Message ID: <rpm-software-management/rpm/issues/2004/2042122165 at github.com>
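The check described in the reply above (the fingerprint is the trust root; anything the server returns that cannot be chained from it is dropped) begins with the step the quoted question raises: making sure the keyserver response carries no extra pubkey. The following is an added example, not rpm's code and not code from the thread's participants. It parses the binary OpenPGP packet stream, computes v4 fingerprints and keeps only the certificate whose primary key matches the trusted fingerprint. The keyring it runs on is constructed inline (fake RSA moduli, dummy signature bodies). It assumes v4 keys and no partial-body lengths, and it does not verify the binding signatures themselves; that second half of the chain needs the public-key algorithms and is out of scope here.

```python
"""Keep only the certificate we asked for from an OpenPGP keyring.

Added example (not rpm's code): parses the binary packet stream,
computes v4 fingerprints and drops every certificate whose primary
key is not the trust root.  Binding signatures are NOT verified here.
Assumed: v4 keys, no partial-body lengths.
"""
import hashlib
import struct

PUBLIC_KEY, SIGNATURE, USER_ID, PUBLIC_SUBKEY = 6, 2, 13, 14


def parse_packets(data):
    """Return [(tag, body)] for old- and new-format packet headers."""
    packets, i = [], 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if not (ctb & 0x80):
            raise ValueError("bad packet header at offset %d" % (i - 1))
        if ctb & 0x40:                      # new format (RFC 4880 4.2.2)
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[i] + 192
                i += 1
            elif first == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body length not supported")
        else:                               # old format (RFC 4880 4.2.1)
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + size], "big")
            i += size
        body = data[i:i + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        i += length
        packets.append((tag, body))
    return packets


def v4_fingerprint(key_body):
    """RFC 4880 12.2: SHA-1 over 0x99 || 2-octet length || key packet body."""
    if key_body[:1] != b"\x04":
        raise ValueError("only v4 keys are handled")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(key_body))
                        + key_body).hexdigest().upper()


def split_certificates(packets):
    """Group packets into certificates; each starts at a Public-Key packet."""
    certs = []
    for tag, body in packets:
        if tag == PUBLIC_KEY:
            certs.append([])
        elif not certs:
            raise ValueError("keyring does not start with a public key")
        certs[-1].append((tag, body))
    return certs


def find_certificates(keyring, trusted_fingerprint):
    """All certificates whose primary-key fingerprint is the trust root."""
    wanted = trusted_fingerprint.replace(" ", "").upper()
    return [c for c in split_certificates(parse_packets(keyring))
            if v4_fingerprint(c[0][1]) == wanted]


def select_certificate(keyring, trusted_fingerprint):
    """The one certificate to import: any extra pubkey the server added is
    dropped, and a response that lacks our key is an error, not a no-op."""
    matches = find_certificates(keyring, trusted_fingerprint)
    if len(matches) != 1:
        raise ValueError("expected one certificate for %s, got %d"
                         % (trusted_fingerprint, len(matches)))
    return matches[0]


# --- constructed sample data (fake keys, dummy signatures) ---------------

def _mpi(v):
    nbytes = (v.bit_length() + 7) // 8
    return struct.pack(">H", v.bit_length()) + v.to_bytes(nbytes, "big")


def _fake_rsa_key(seed):
    """v4 public-key packet body: version, creation time, algo 1 (RSA), n, e."""
    return (b"\x04" + struct.pack(">I", 1700000000) + b"\x01"
            + _mpi((1 << 2047) | seed) + _mpi(65537))


def _packet(tag, body):
    """New-format packet with a 1- or 2-octet length (bodies here are < 8384)."""
    n = len(body)
    if n < 192:
        return bytes([0xC0 | tag, n]) + body
    n -= 192
    return bytes([0xC0 | tag, (n >> 8) + 192, n & 0xFF]) + body


def sample_keyserver_response():
    """Wanted certificate followed by an unrelated one, as a lookup by user
    ID or a misbehaving server might return.  Returns (blob, trust root)."""
    wanted = _fake_rsa_key(0x1234)
    uid = b"Alice <alice@example.org>"
    old_style_uid = bytes([0x80 | (USER_ID << 2), len(uid)]) + uid  # old header
    blob = (_packet(PUBLIC_KEY, wanted) + old_style_uid
            + _packet(SIGNATURE, b"\x04\x13")             # dummy certification
            + _packet(PUBLIC_SUBKEY, _fake_rsa_key(0x5678))
            + _packet(SIGNATURE, b"\x04\x18")             # dummy subkey binding
            + _packet(PUBLIC_KEY, _fake_rsa_key(0xABCD))  # the extra pubkey
            + _packet(USER_ID, b"Mallory <mallory@example.org>")
            + _packet(SIGNATURE, b"\x04\x13"))
    return blob, v4_fingerprint(wanted)


if __name__ == "__main__":
    blob, trust_root = sample_keyserver_response()
    kept = select_certificate(blob, trust_root)
    print("trust root", trust_root, "-> kept packet tags", [t for t, _ in kept])
```

The filter is deliberately strict in both directions: a second primary key is discarded rather than imported alongside the wanted one (the case a --freshen style import would guard against), and a response that does not contain the trusted fingerprint at all raises instead of importing nothing silently. Once the surviving certificate is in hand, the remaining work is the forward chaining from the reply: verify each user ID and subkey binding signature against the primary key and drop whatever does not verify.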