auto importing rpm gpg public keys from keyserver

Jeff Johnson n3npq at mac.com
Thu Jun 8 17:59:24 PDT 2006


On Jun 8, 2006, at 8:47 PM, Andrea Arcangeli wrote:

> Hello,
>
> smart is my package manager of choice on top of sl10.1 using the apt-rpm
> channels. It's overall working great.
>
> I think it's fundamental to have rpm signatures checks enabled. I wish
> this would be the default (sorry why is this disabled by default?),
> but I quickly enabled it as first thing with:
>
> 	smart config --set rpm-check-signatures=true
>
> However I want to allow more than the SUSE gpg key, and I wonder if
> there's a way to automate the importing of new signatures from the
> pgp.mit.edu keyservers whenever they occur in new packages.
>
> Currently when the upgrade command fails I go by hand like this:
>
> 	gpg --keyserver pgp.mit.edu --recv-keys $keynumber
> 	gpg -a --export $keynumber >/tmp/z
> 	rpm --import /tmp/z
>

If configured correctly, rpm-4.4.2 has support for lookup through a
hkp server. E.g. you can do
     rpm --import 0x12345678
where 0x12345678 is the 32-bit gpg fingerprint.

Again, if configured correctly, rpm will retrieve the gpg key from a
key server when needed.
What hasn't been done is to automatically add the key to the rpmdb
keyring, mostly because automatically importing a key is still
surprising, and will not work if you are installing in a chroot
without a network connection, duh, so most vendors are disabling the
functionality.

Here's the config I use, put in /etc/rpm/macros:

     %_hkp_keyserver  hkp://sks.keyserver.penguin.de
     %_hkp_keyserver_query   %{_hkp_keyserver}/pks/lookup?op=get&search=0x


> and then I restart. I would like this procedure to be automated, of
> course asking me if I accept to import the new key in the rpm database
> or not (so not really completely automated, but easy enough that I can
> only see the package name, the name of the signer and click on "y" and
> return and nothing else). This is almost as friendly as the
> rpm-check-signatures=false mode, but it doesn't lose the full security
> during the updates.
>
> I actually wish something more complicated than the above for the
> future, but this would be a good start.
>
> Should I try to implement this myself or is somebody working on
> something similar?
>

As for automatically importing pubkeys, either from packages (e.g. see
rpm -q --qf '[%{pubkeys}\n]' rpm) or from key servers, I patiently
await the "surprise" wearing off before finishing the implementation
in rpm.

73 de Jeff
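The confirm-before-import wrapper Andrea describes, written out as an added example that is not part of the original thread or of rpm or smart. It assumes rpm 4.4-era `rpm -K` output of the form `pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#12345678)`, a gpg binary supporting --keyserver/--recv-keys/--export, and an optional KEYSERVER environment variable (defaulting to hkp://pgp.mit.edu); the function names are the example's own. Before anything reaches rpm --import, the script prints the package name and the key's user ID and waits for an explicit "y", so a package signed by an unknown key never silently extends the trusted keyring.

```shell
#!/bin/sh
# Added example, not code from the original thread, rpm or smart.
# Wraps the manual gpg --recv-keys / gpg --export / rpm --import loop,
# but only imports a key after showing the signer and asking.
# Assumed `rpm -K` line format (rpm 4.4 era):
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#12345678)

KEYSERVER="${KEYSERVER:-hkp://pgp.mit.edu}"   # assumed default, override via env

# Print the hex key id named in a `rpm -K` line, or nothing if no key is missing.
missing_keyid() {
    printf '%s\n' "$1" | sed -n 's/.*MISSING KEYS: GPG#\([0-9A-Fa-f]*\).*/\1/p'
}

# Return 0 when the `rpm -K` line reports the signature as OK, 1 otherwise.
sig_ok() {
    case "$1" in
        *"NOT OK"*) return 1 ;;
        *)          return 0 ;;
    esac
}

# Fetch the key, show the signer's user ID, ask, then import into the rpmdb keyring.
confirm_import() {
    pkg="$1"; keyid="$2"
    tmp=$(mktemp) || return 1
    if ! gpg --keyserver "$KEYSERVER" --recv-keys "0x$keyid" >/dev/null 2>&1; then
        rm -f "$tmp"; return 1
    fi
    # Field 10 of a "uid" record in --with-colons output is the user ID string.
    signer=$(gpg --with-colons --list-keys "0x$keyid" 2>/dev/null | awk -F: '$1=="uid"{print $10; exit}')
    printf 'Package %s is signed by key %s (%s). Import into rpm keyring? [y/N] ' "$pkg" "$keyid" "$signer"
    read -r answer
    case "$answer" in
        y|Y) gpg -a --export "0x$keyid" >"$tmp" && rpm --import "$tmp"; rc=$? ;;
        *)   echo "Not imported."; rc=1 ;;
    esac
    rm -f "$tmp"
    return $rc
}

# Check every package given on the command line; a bad signature that is
# not merely a missing key is reported and never triggers a fetch.
for pkg in "$@"; do
    line=$(rpm -K "$pkg" 2>&1)
    if sig_ok "$line"; then
        echo "$pkg: signature OK"
        continue
    fi
    keyid=$(missing_keyid "$line")
    if [ -z "$keyid" ]; then
        echo "$pkg: BAD signature (not a missing key): $line" >&2
        continue
    fi
    confirm_import "$pkg" "$keyid" || echo "$pkg: key $keyid not imported" >&2
done
```

Run it as `./check-and-import.sh /path/to/*.rpm` before handing the packages to smart; the distinction between "missing key" and "bad signature" matters because only the former is something a keyserver lookup can resolve, and the latter should never prompt for an import.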


