auto importing rpm gpg public keys from keyserver

Andrea Arcangeli andrea at suse.de
Thu Jun 8 20:00:38 PDT 2006


On Thu, Jun 08, 2006 at 08:59:24PM -0400, Jeff Johnson wrote:
> 
> On Jun 8, 2006, at 8:47 PM, Andrea Arcangeli wrote:
> 
> >Hello,
> >
> >smart is my package manager of choice on top of sl10.1 using the  
> >apt-rpm
> >channels. It's overall working great.
> >
> >I think it's fundamental to have rpm signatures checks enabled. I wish
> >this would be the default (sorry why is this disabled by default?),
> >but I quickly enabled it as first thing with:
> >
> >	smart config --set rpm-check-signatures=true
> >
> >However I want to allow more than the SUSE gpg key, and I wonder if
> >there's a way to automate the importing of new signatures from the
> >pgp.mit.edu keyservers whenever they occur in new packages.
> >
> >Currently when the upgrade command fails I go by hand like this:
> >
> >	gpg --keyserver pgp.mit.edu --recv-keys $keynumber
> >	gpg -a --export $keynumber >/tmp/z
> >	rpm --import /tmp/z
> >
> 
> If configured correctly, rpm-4.4.2 has support for lookup through a  
> hkp server. E.g. you can do
>     rpm --import 0x12345678
> where 0x12345678 is the 32 bit gpg fingerprint.
> 
> Again, if configured correctly, rpm will retrieve the gpg key from a  
> key server when needed.
> What hasn't been done is to automatically add the key to the rpmdb  
> keyring, mostly because

Note that I don't want to automatically add the key to the rpmdb
keyring. Automatically adding all unknown keys to the rpmdb keyring
would provide the exact same security of having the signature check
turned off completely.

I only want to automatically retrieve the key, to show the new unknown
key on the screen including the fingerprint of it so I can compare it
with the one I have in other accounts (either on the console if using
the CLI or with a popup window on the GUI) and to _ask_me_ if this new
key should be added or not. I don't think using rpm is the best way to
achieve it, using gpg sounds better since it is already capable of doing
all I need, rpm isn't and doesn't need to.

> Automatically importing pubkeys, either from packages (e.g. see
> rpm -q --qf '[%{pubkeys}\n]' rpm) or from key servers,
> I patiently await for the "surprise" to wear off before finishing the  
> implementation in rpm.

What do you mean with "surprise"?
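One way to script the retrieve, show, compare and ask-before-import flow described above, as an added example that is not from this thread nor from smart or rpm. It assumes gpg and rpm on PATH, a key server name, and an optional second argument holding the fingerprint noted from another account.

```shell
#!/bin/sh
# Added example: fetch an unknown signing key, show its fingerprint, compare it
# with one recorded elsewhere, and import into the rpm keyring only on a "yes".
KEYSERVER="${KEYSERVER:-pgp.mit.edu}"   # assumed default; override via env

# Read `gpg --with-colons --fingerprint` output on stdin and print the
# fingerprint of the first "fpr" record (field 10 of that record).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Normalize a fingerprint for comparison: strip whitespace, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr 'a-f' 'A-F'
}

# Exit 0 when two fingerprints are equal after normalization, 1 otherwise.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Interactive flow; the key never reaches the rpmdb keyring without consent.
import_key_with_confirmation() {
    keyid="$1"
    expected="$2"    # fingerprint recorded in another account; may be empty
    gpg --keyserver "$KEYSERVER" --recv-keys "$keyid" || return 1
    actual=$(gpg --with-colons --fingerprint "$keyid" | fpr_from_colons)
    gpg --fingerprint "$keyid"     # show uid(s) and fingerprint on the console
    if [ -n "$expected" ] && ! fpr_matches "$expected" "$actual"; then
        echo "fingerprint MISMATCH against recorded $expected; not importing" >&2
        return 1
    fi
    printf 'Import key %s into the rpm keyring? [y/N] ' "$keyid"
    read -r answer
    case "$answer" in
        y|Y|yes|YES) ;;
        *) echo "not imported"; return 1 ;;
    esac
    tmp=$(mktemp) || return 1
    gpg -a --export "$keyid" > "$tmp" && rpm --import "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
# usage: import_key_with_confirmation 0x12345678 "<fingerprint from other account>"
```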
