try:

In [3]: hex(rpm.VERIFY_SIGNATURE)
Out[3]: '0x100000'

?

But honestly, at this point we are further out of my depth than when we started :)

On Tue, Apr 17, 2012 at 09:41, George Machitidze <giomac@xxxxxxxxx> wrote:
> [root@proxy SPECS]# rpm -qip /root/automake-1.11.1-0.test.noarch.rpm |grep Sign
> Signature : (none)
> [root@proxy SPECS]# rpm -K /root/automake-1.11.1-0.test.noarch.rpm
> /root/automake-1.11.1-0.test.noarch.rpm: sha1 md5 OK
>
> Best regards,
> George Machitidze
>
> On Tue, Apr 17, 2012 at 6:38 PM, George Machitidze <giomac@xxxxxxxxx> wrote:
>>
>> Even more... -K/--checksig is not checking key at all and it doesn't work
>> with -i or -U.
>>
>> Best regards,
>> George Machitidze
>>
>> On Tue, Apr 17, 2012 at 6:05 PM, George Machitidze <giomac@xxxxxxxxx>
>> wrote:
>>>
>>> Thanks Greg!
>>>
>>> I've added macro file in /etc/rpm and rpm has taken values for vsflags,
>>> but still, it has no effect on installation or upgrades or anything, tried
>>> 0x00000 and 0xf0000.
>>>
>>> Found definitions in here:
>>>
>>> http://rpm5.org/community/rpm-users/0463.html
>>>
>>> [root@srv rpm]# rpm --showrc|grep -i vs
>>> -14: __vsflags 0xf0000
>>> -14: _vsflags_build %{__vsflags}
>>> -14: _vsflags_erase 0x00000
>>> -14: _vsflags_install 0x00000
>>> -14: _vsflags_query %{__vsflags}
>>> -14: _vsflags_rebuilddb %{__vsflags}
>>> -14: _vsflags_up2date %{__vsflags}
>>> -14: _vsflags_verify %{__vsflags}
>>>
>>> No luck :|
>>>
>>> Best regards,
>>> George Machitidze
>>>
>>> On Tue, Apr 17, 2012 at 5:38 PM, Greg Swift <gregswift@xxxxxxxxx> wrote:
>>>>
>>>> I figured that would be the case.
>>>>
>>>> JJ just told me that --checksig only gets run separate from --install,
>>>> which seemed kinda silly to me until he pointed out that this is
>>>> because rpm is configured by default to check headers+payload against
>>>> signature if possible.
>>>>
>>>> So by default it is supposedly doing this already, it is just an 'if
>>>> possible' scenario. So if you don't have a key to verify against it
>>>> just moves forward, would be my understanding.
>>>>
>>>> I did look in `rpm --showrc` for any value that might seem to force
>>>> this but was unable to locate one (I didn't look at each value, just
>>>> tried several greps). JJ suggested i dig through /usr/lib/rpm/macros
>>>> and in there I found vsflags. The default value is 0xf0000 which
>>>> means if set, check header+payload (if possible). If you look in this
>>>> file you can see the options and if you have a better config you can
>>>> set it in a macro file over in /etc/rpm. Would have been nice if the
>>>> variable name was a bit more descriptive for the sake of grep but such
>>>> is life i guess.
>>>>
>>>> -greg
>>>>
>>>> On Tue, Apr 17, 2012 at 08:14, George Machitidze <giomac@xxxxxxxxx>
>>>> wrote:
>>>> > Thanks
>>>> >
>>>> > I need to have this option by default without adding command line
>>>> > option to rpm. yum is checking for GPG key by default in case
>>>> > gpgcheck is not set to 0.
>>>> > Maybe it's possible through rpmrc, but I couldn't find option for
>>>> > that.
>>>> >
>>>> > Best regards,
>>>> > George Machitidze
>>>> >
>>>> > On Tue, Apr 17, 2012 at 5:09 PM, Greg Swift <gregswift@xxxxxxxxx>
>>>> > wrote:
>>>> >>
>>>> >> On Tue, Apr 17, 2012 at 07:43, George Machitidze <giomac@xxxxxxxxx>
>>>> >> wrote:
>>>> >> > Hi
>>>> >> >
>>>> >> > I want to force rpm during the package update or install to check
>>>> >> > if RPM package is signed (public key is imported).
>>>> >> > Is there a safe way to do this?
>>>> >>
>>>> >> So you can add -K|--checksig to your installation command if using
>>>> >> rpm directly (ie: rpm -ivhK package.rpm)
>>>> >>
>>>> >> I don't know how one would force that as a system wide configuration
>>>> >> option. Setting it as an alias doesn't seem to work because of other
>>>> >> non install related commands not liking their options after the -K.
>>>> >>
>>>> >> With yum you can set a repository to gpgcheck=1 which will force it
>>>> >> unless manually disabled.
>>>> >> _______________________________________________
>>>> >> Rpm-list mailing list
>>>> >> Rpm-list@xxxxxxxxxxxxx
>>>> >> http://lists.rpm.org/mailman/listinfo/rpm-list
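Added example, not part of the thread and not rpm's own code: the thread shows `rpm -K` reporting "sha1 md5 OK" for a package whose Signature is (none), so "OK" alone does not mean "signed". This sketch classifies one line of `rpm -K` output so an install wrapper can refuse unsigned packages. The function names are hypothetical, and every sample line except the first (quoted in the thread) is constructed on the assumption that rpm lists passed checks in lower case and reports a failed or key-less check as "NOT OK".

```shell
#!/bin/sh
# Classify one line of `rpm -K` output as verified / unsigned / failed.
# Assumption: the line is "<path>: <checks...> OK" or "... NOT OK ...",
# and a passed signature check shows up as one of the tokens below.
classify_checksig() {
    result=${1#*: }            # drop the "<path>: " prefix
    signed=no
    last=
    case $result in
        *"NOT OK"*) echo failed; return 0 ;;
    esac
    for tok in $result; do
        case $tok in
            pgp|gpg|rsa|dsa|signatures) signed=yes ;;
        esac
        last=$tok
    done
    if [ "$last" != OK ]; then
        echo failed            # unrecognised or truncated output
    elif [ "$signed" = yes ]; then
        echo verified          # a signature was present and checked
    else
        echo unsigned          # digests only: the case seen in the thread
    fi
}

# Gate for an install wrapper: true only for a verified signature.
# Intended use (assumes rpm is installed; not run here):
#   require_signed "$(LC_ALL=C rpm -K "$pkg")" && rpm -Uvh "$pkg"
require_signed() {
    [ "$(classify_checksig "$1")" = verified ]
}

# Sample lines: the first is from the thread, the rest are constructed.
while IFS= read -r sample; do
    printf '%-9s %s\n' "$(classify_checksig "$sample")" "$sample"
done <<'EOF'
/root/automake-1.11.1-0.test.noarch.rpm: sha1 md5 OK
/tmp/example-signed.rpm: rsa sha1 (md5) pgp md5 OK
/tmp/example-nokey.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#00000000)
/tmp/example-new.rpm: digests signatures OK
EOF
```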