[Rpm-maint] [rpm-software-management/rpm] rpm 4.20.0 alpha fallout #1 : urpmi --no-verify is broken by rpm checking on its own (Issue #3142)

soig notifications at github.com
Thu Jun 6 19:14:00 UTC 2024


> > I guess I'll have to run a small transaction removing the offending key before importing.
> 
> Yes, there's nothing better at the moment.

I've a working patch for that.
Though that's not ideal b/c when adding a whole set of media/repos (core, nonfree, tainted -- each one existing as regular, updates, updates_testing), that means adding/removing the same key for all.
Is there a way to get the expiry date with the rpm API?

BTW other packagers are throwing stones at me, saying "there's a difference between an expired key and a revoked
key: a signature that was valid yesterday doesn't suddenly become invalid today,
just because the key expired!"
 
> > Would passing RPMPROB_FILTER_VERIFY be enough to achieve this when calling rpmtsRun()?
> 
> Maybe, but again that verify step is NOT about signature verification as such, it could be a package whose (header) signature is perfectly valid but with a truncated payload, or such. For "frak the signatures", IIRC you want to set rpmtsSetVfyFlags() to the same as rpmtsSetVSFlags().
> 
> Note that letting verify do its job has more subtle side-effects too: installations only show as verified in the auditing log if rpm itself verified it.

That would only be set up if the urpmi verify pass failed and the user said "go on anyway", or if he sets up the no-verify option in /etc/urpmi/urpmi.cfg or used the --no-verify option, so in regular cases that won't be an issue.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/3142#issuecomment-2153237533