Re: Force RPM to check GPG key

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



[root@proxy SPECS]# rpm -qip /root/automake-1.11.1-0.test.noarch.rpm |grep Sign
Signature   : (none)
[root@proxy SPECS]# rpm -K /root/automake-1.11.1-0.test.noarch.rpm
/root/automake-1.11.1-0.test.noarch.rpm: sha1 md5 OK

Best regards,
George Machitidze


On Tue, Apr 17, 2012 at 6:38 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
Even more... -K/--checksig is not checking key at all and it doesn't work with -i or -U.

Best regards,
George Machitidze



On Tue, Apr 17, 2012 at 6:05 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
Thanks Greg!

I've added macro file in /etc/rpm and rpm has taken values for vsflags, but still, it has no effect on installation or upgrades or anything, tried 0x00000 and 0xf0000.

Found definitions in here:


[root@srv rpm]# rpm --showrc|grep -i vs
-14: __vsflags  0xf0000
-14: _vsflags_build     %{__vsflags}
-14: _vsflags_erase     0x00000
-14: _vsflags_install   0x00000
-14: _vsflags_query     %{__vsflags}
-14: _vsflags_rebuilddb %{__vsflags}
-14: _vsflags_up2date   %{__vsflags}
-14: _vsflags_verify    %{__vsflags}

No luck :|

Best regards,
George Machitidze



On Tue, Apr 17, 2012 at 5:38 PM, Greg Swift <gregswift@xxxxxxxxx> wrote:
I figured that would be the case.

JJ just told me that --checksig only gets run separate from --install,
which seemed kinda silly to me until he pointed out that this is
because rpm is configuredby default  to check headers+payload against
signature if possible.

So by default it is supposedly doing this already, it is just an 'if
possible' scenario.  So if you don't have a key to verify against it
just moves forward, would be my understanding.

I did look in `rpm --showrc` for any value that might seem to force
this but was unable to locate one (I didn't look at each value, just
tried several greps).  JJ suggested i dig through /usrlib/rpm/macros
and in there I found vsflags.   The default value is 0xf0000 which
means if set, check header+payload (if possible).  If you look in this
file you can see the options and if you have a better config you can
set it in a macro file over in /etc/rpm.  Would have been nice if the
variable name was a bit more descriptive for the sake of grep but such
is life i guess.

-greg

On Tue, Apr 17, 2012 at 08:14, George Machitidze <giomac@xxxxxxxxx> wrote:
> Thanks
>
> I need to have this option by default without adding command line option to
> rpm. yum is checking for GPG key by default in case gpgcheck is not set to
> 0.
> Maybe it's possible through rpmrc, but I couldn't find option for that.
>
> Best regards,
> George Machitidze
>
>
> On Tue, Apr 17, 2012 at 5:09 PM, Greg Swift <gregswift@xxxxxxxxx> wrote:
>>
>> On Tue, Apr 17, 2012 at 07:43, George Machitidze <giomac@xxxxxxxxx> wrote:
>> > Hi
>> >
>> > I want to force rpm during the package update or install to check if RPM
>> > package is signed (public key is imported).
>> > Is there a safe way to do this?
>>
>> So you can add -K|--checksig to your installation command if using rpm
>> directly (ie: rpm -ivhK package.rpm)
>>
>> I don't know how one would force that as a system wide configuration
>> option. Setting it as an alias doesn't seem to work because of other
>> non install related commands not liking their options after the -K.
>>
>> With yum you can set a repository to gpgcheck=1 which will force it
>> unless manually disabled.
>> _______________________________________________
>> Rpm-list mailing list
>> Rpm-list@xxxxxxxxxxxxx
>> http://lists.rpm.org/mailman/listinfo/rpm-list
>
>
>
> _______________________________________________
> Rpm-list mailing list
> Rpm-list@xxxxxxxxxxxxx
> http://lists.rpm.org/mailman/listinfo/rpm-list
>
_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxxxxx
http://lists.rpm.org/mailman/listinfo/rpm-list



_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxxxxx
http://lists.rpm.org/mailman/listinfo/rpm-list

[Index of Archives]     [RPM Ecosystem]     [Linux Kernel]     [Red Hat Install]     [PAM]     [Red Hat Watch]     [Red Hat Development]     [Red Hat]     [Gimp]     [Yosemite News]     [IETF Discussion]

  Powered by Linux