On Nov 29, 2006, at 3:26 PM, Douglas Hubler wrote:
I cannot get rpm --addsign to work using a gpg subkey. I added a key
following these instructions to my gpg key store:
http://ftp.debian.org/doc/gnupg/faq.html.gz#q4.14
And set this in my .rpmmacros
%_signature gpg
%_gpg_name 3455DDBA
%_gpg_path /home/dhubler/gpg-auto
Where 3455DDBA is the id of my subkey, not my public key
And when I run
rpm --checksig my-package.rpm
I keep getting
... (GPG) NOT OK (MISSING KEYS: GPG#3455ddba)
I've exported my public key and imported it to rpm,
gpg --homedir . --armor --export engineering@xxxxxxxxxxx > \
RPM-PGP-KEY-example.asc
sudo rpm --import RPM-PGP-KEY-example.asc
Everything works fine if I use the regular private/public key pair.
I discovered a macro by running "rpm --showrc" and experimented with
defining
%__gpg_sign_cmd %{__gpg} --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning --default-key "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
Where I replaced the system default fragment
"-u %{_gpg_name}"
with
"--default-key "%{_gpg_name}"
but still no luck.
There are a lot of steps and I have gotten many of them wrong the first
time at various stages, so even if you do not have advice for me, if
anyone has ever got this working, an email saying you got it working
would be helpful, thanks.
Verification with sub-keys is not implemented in rpm.
Your choices are
Generate a signing key w/o sub-keys.
or
Use /usr/lib/rpm/tgpg (which extracts the necessary plaintext and
verifies signatures using gpg) to verify signatures instead.
FWIW, I have most of a sub-key verification implementation done, but
that still won't solve your problem, as it will be years before that
implementation is widely deployed no matter what.
73 de Jeff
_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
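
Added example, not part of the original thread and not rpm's own code: a pre-signing check that reads `gpg --with-colons --list-keys` output and reports whether the ID configured in %_gpg_name is a primary key or a subkey, the case the reply says rpm cannot verify. The function names and the sample listing are assumptions made for the example; only the short ID 3455DDBA comes from the post.

```shell
#!/bin/sh
# Added example. Input on stdin: `gpg --with-colons --list-keys` output.
# Colon fields used: 1 = record type (pub/sub), 5 = 16-hex key ID,
# 12 = capabilities (lowercase s = this key can sign).

# Constructed sample listing: only the short ID 3455DDBA comes from the
# post; every other ID, date and name below is made up.
SAMPLE_LISTING='pub:u:1024:17:1111111122222222:1164758400:::u:::scESC:
uid:u::::1164758400::0000000000000000000000000000000000000000::Example Signer <signer@example.invalid>:
sub:u:2048:16:3333333344444444:1164758400::::::e:
sub:u:1024:17:AAAAAAAA3455DDBA:1164758400::::::s:'

# classify_key KEYID
# Prints "primary <id> <caps>", "subkey <id> <caps> of <primary id>",
# or "unknown". KEYID may be a short (8 hex) or long (16 hex) ID.
classify_key() {
    awk -F: -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        $1 == "pub" { primary = toupper($5) }
        $1 == "pub" || $1 == "sub" {
            id = toupper($5); n = length(want)
            if (n >= 8 && n <= length(id) && substr(id, length(id) - n + 1) == want) {
                if ($1 == "pub") printf "primary %s %s\n", id, $12
                else printf "subkey %s %s of %s\n", id, $12, primary
                found = 1; exit
            }
        }
        END { if (!found) print "unknown" }'
}

# check_signing_key KEYID
# Returns 0 for a signing-capable primary key, 1 for a subkey (which the
# reply says this rpm cannot verify), 2 for anything else.
check_signing_key() {
    result=$(classify_key "$1")
    case "$result" in
        primary\ *)
            case "${result##* }" in *s*) return 0 ;; *) return 2 ;; esac ;;
        subkey\ *)
            echo "warning: $1 is a subkey: $result" >&2
            return 1 ;;
        *)  return 2 ;;
    esac
}

# Real use (paths from the post):
#   gpg --homedir /home/dhubler/gpg-auto --with-colons --list-keys | check_signing_key 3455DDBA
```

Running the check before rpm --addsign catches the subkey case at signing time rather than as a MISSING KEYS result at --checksig time.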