On Thu, Mar 11, 2004 at 11:54:25AM -0800, Aaron Hanson wrote:
>
> Something else that makes me curious; RPM 4.2 is apparently capable of
> signing a package with a 2048-bit RSA key, but not verifying the same;
>
> [root@localhost root]# rpm -K <package>
> <package>: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#3c494ff0)
>
> I'm using gpg to generate these keys. Do I misunderstand the gpg-rpm
> interaction?

rpm uses beecrypt, not gpg, and supports only a subset of RFC-2440 (aka OpenPGP).

Specific limitations of note include:
a) V3 signatures.
b) few, possibly none, additional signings.
c) DSA/SHA1 and RSA/MD5 only.
d) no concept of "trust" bit.

There may well be other limits, like 2048-bit RSA keys. Exporting fancy-pants
and complicated OpenPGP pubkeys is known to break what is implemented in rpm.

Personally, I'd just generate a V3 DSA/SHA1 key pair and use that for package
signing. Anything else is asking for trouble.

73 de Jeff

--
Jeff Johnson ARS N3NPQ
jbj@xxxxxxxxxx (jbj@xxxxxxx)
Chapel Hill, NC

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
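The following is an added example, not code from the thread or from rpm itself: a POSIX sh helper that classifies `rpm -K` verdict lines of the 4.2-era format quoted above, so that a build or deploy script fails closed when the signing key is missing from the rpmdb or the package carries digests but no signature at all. It assumes that output format (later rpm versions print "digests signatures OK" instead) and the package path passed to `check_package` is hypothetical.

```shell
#!/bin/sh
# Classify one line of `rpm -K` / `rpm --checksig` output (rpm 4.2-era
# format, as quoted in the thread). Constructed sample lines:
#   foo-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK
#   foo-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#3c494ff0)
#   foo-1.0-1.i386.rpm: sha1 md5 OK          <- digests only, never signed
# Old rpm upper-cases the tokens it could not check and parenthesises them;
# we rely only on the OK / NOT OK verdict, the MISSING KEYS marker and the
# presence of a gpg/pgp token, which is all the verdict line guarantees.
classify_checksig() {
    line=$1
    case $line in
        *"MISSING KEYS"*) echo missing-key ;;   # pubkey not imported: nothing verified
        *" NOT OK"*)      echo bad ;;           # digest or signature mismatch
        *" OK")                                  # verdict OK: was a signature checked?
            case $line in
                *gpg*|*pgp*|*GPG*|*PGP*) echo signed-ok ;;
                *)                       echo unsigned ;;   # hashes matched, no key involved
            esac ;;
        *)                echo unknown ;;        # unexpected format: treat as failure
    esac
}

# For CI use: succeed only when a signature was actually verified.
# $1 = path to a .rpm (hypothetical); rpm -K output is mapped to 0/1.
check_package() {
    verdict=$(classify_checksig "$(rpm -K "$1" 2>&1)")
    [ "$verdict" = signed-ok ]
}
```

Note that `missing-key` and `unsigned` both mean no signature was validated, even though the second prints "OK"; only `signed-ok` says a key in the rpmdb verified the package.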