Re: Remove old GPG keys?

Jonny Heggheim writes:

On 11/01/2017 11:51 PM, Sam Varshavchik wrote:

> I don't think much of expiring either. But keys for prior releases
> should simply be removed, as part of the upgrade process, or on the
> first boot after a successful upgrade.
>
> Now, if we go this way, we have to make sure we don't turn a bad
> situation into worse one. It's possible that a botched upgrade might
> end up with a system that's still bootable, so prior releases pgp keys
> should be left alone until it's known that fedup did its job
> successfully.
>
> But once an upgrade is complete, prior release's pgp keys have
> absolutely no value in them, whatsoever, except as an additional
> potential compromise vector.

Packages that were built for older releases are still distributed and
used in newer versions.

So? They're simply signed by the newer release's PGP key. Big deal.


Example:
A package built for Fedora 24, signed with the Fedora 25 key, running on
my Fedora 26 setup.

$ gpg2 < /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-25-primary
gpg: WARNING: no command supplied.  Trying to guess what you mean ...
pub   rsa4096 2016-03-31 [SCE]
      C437DCCD558A66A37D6F43724089D8F2FDB19C98
uid           Fedora 25 Primary (25) <fedora-25-primary@xxxxxxxxxxxxxxxxx>

$ rpm -qi maven-shared-io
Name        : maven-shared-io
Epoch       : 1
Version     : 3.0.0
Release     : 2.fc24
Architecture: noarch
Install Date: Sat 29 Oct 2016 12:26:04 AM CEST
 ==============================================

Fedora 26 did not exist in October 2016. As such, it would be logically impossible for this package to have been installed from the Fedora 26 repository. You installed this package when you were running Fedora 25.

And removing Fedora 24/25th PGP key should have no effect, whatsoever, on currently-installed packages. PGP keys are checked only when a package gets installed. Once installed, nothing really cares about PGP signatures, and it wouldn't always be possible to verify it anyway, since config files installed by the package could obviously be changed, filestamps could be changed, etc…

I do see that maven-shared-io-3.0.0-2.fc24.src.rpm is, apparently, in the Fedora 26 repository:

[mrsam@thinkpad tmp]$ dnf download maven-shared-io
Last metadata expiration check: 0:00:00 ago on Wed 01 Nov 2017 08:33:50 PM EDT.
maven-shared-io-3.0.0-2.fc24.noarch.rpm         143 kB/s |  50 kB     00:00
[mrsam@thinkpad tmp]$ rpm --checksig maven-shared-io-3.0.0-2.fc24.noarch.rpm
maven-shared-io-3.0.0-2.fc24.noarch.rpm: rsa sha1 (md5) pgp md5 OK

I have only Fedora 26 PGP keys installed:

[mrsam@thinkpad tmp]$ rpm -qa gpg-pubkey
gpg-pubkey-3276f4b3-582f2526
gpg-pubkey-64dab85d-57d33e22
gpg-pubkey-9690e4af-582f231f

You can confirm, yourself, that these are Fedora and RPM Fusion 26 keys.

I would not be able to verify the pgp signature on this package, unless it's signed by one of the keys I have installed.

Therefore, the Fedora 26 repo must be carrying this package signed by the Fedora 26 PGP key. Otherwise I could not possibly install it, obviously.

For final proof, you can download this package from the Fedora 24, 25, and 26 repos, separately, and verify that they're not binary identical, because each package carries a different PGP signature inside it. But this can be someone else's homework assignment. IIRC, the PGP signature is at the tail end of the rpm file, so I expect the actual binary files to be binary-identical until the last dozen or so bytes. I don't know if rpm file format supports multiple signatures, and whether a new signature replaces the rpm file's existing one, or adds to it, and I'm too lazy to check right now. If the file sizes are different, it must mean that the F25/F26 sigs were tacked onto this package. If the file sizes are identical, it means that a new signature replaces the existing one.

Either way, removing old Fedora PGP keys should have absolutely zero impact.
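
An added example, not part of the original message: rpm names each imported public key gpg-pubkey-<last 8 hex digits of the key ID>-<hex timestamp>, so a package's signing key ID can be matched against the `rpm -qa gpg-pubkey` list. The key list and the Fedora 25 fingerprint are taken from the thread; the `rpm -qpi` Signature line is constructed from that fingerprint and does not claim that key signed the package, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): match a package's signing key ID
# against the gpg-pubkey pseudo-packages that rpm has imported.

# Installed keys as listed in the message (`rpm -qa gpg-pubkey`).
INSTALLED='gpg-pubkey-3276f4b3-582f2526
gpg-pubkey-64dab85d-57d33e22
gpg-pubkey-9690e4af-582f231f'

# Fedora 25 primary key fingerprint as printed by gpg2 in the message.
F25_FPR='C437DCCD558A66A37D6F43724089D8F2FDB19C98'

# Constructed `rpm -qpi` excerpt: algorithm and date are placeholders, and the
# Key ID is simply the low 64 bits of F25_FPR.
SAMPLE_INFO='Name        : maven-shared-io
Signature   : RSA/SHA256, Thu 01 Jan 1970 12:00:00 AM UTC, Key ID 4089d8f2fdb19c98'

# short_id KEYID_OR_FINGERPRINT: lower-case it and keep the last 8 hex digits.
short_id() {
    printf '%s\n' "$1" | tr -d ' ' | tr 'A-F' 'a-f' | sed 's/^.*\(.\{8\}\)$/\1/'
}

# signer_id: read `rpm -qpi` output on stdin and print the signing key ID.
# Prints nothing when the Signature line carries no key ID (e.g. "(none)").
signer_id() {
    sed -n 's/^Signature.*Key ID \([0-9A-Fa-f]\{8,\}\)[[:space:]]*$/\1/p'
}

# key_installed KEYID LIST: succeed if LIST has a matching gpg-pubkey entry.
key_installed() {
    printf '%s\n' "$2" | grep -q "^gpg-pubkey-$(short_id "$1")-"
}

# check_signer INFO LIST: print a verdict for one package's info output.
check_signer() {
    id=$(printf '%s\n' "$1" | signer_id)
    if [ -z "$id" ]; then echo "unsigned"
    elif key_installed "$id" "$2"; then echo "signer $id: key installed"
    else echo "signer $id: key NOT installed"
    fi
}

check_signer "$SAMPLE_INFO" "$INSTALLED"
# On a live system: check_signer "$(rpm -qpi FILE.rpm)" "$(rpm -qa gpg-pubkey)"
```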
