auto importing rpm gpg public keys from keyserver

Jeff Johnson n3npq at mac.com
Fri Jun 9 02:14:34 PDT 2006


On Jun 8, 2006, at 11:00 PM, Andrea Arcangeli wrote:

> On Thu, Jun 08, 2006 at 08:59:24PM -0400, Jeff Johnson wrote:
>>
>> On Jun 8, 2006, at 8:47 PM, Andrea Arcangeli wrote:
>>
>>> Hello,
>>>
>>> smart is my package manager of choice on top of sl10.1 using the
>>> apt-rpm
>>> channels. It's overall working great.
>>>
>>> I think it's fundamental to have rpm signature checks enabled. I wish
>>> this would be the default (sorry, why is this disabled by default?),
>>> but I quickly enabled it as the first thing with:
>>>
>>> 	smart config --set rpm-check-signatures=true
>>>
>>> However I want to allow more than the SUSE gpg key, and I wonder if
>>> there's a way to automate the importing of new signatures from the
>>> pgp.mit.edu keyservers whenever they occur in new packages.
>>>
>>> Currently when the upgrade command fails I go by hand like this:
>>>
>>> 	gpg --keyserver pgp.mit.edu --recv-keys $keynumber
>>> 	gpg -a --export $keynumber >/tmp/z
>>> 	rpm --import /tmp/z
>>>
>>
>> If configured correctly, rpm-4.4.2 has support for lookup through an
>> hkp server. E.g. you can do
>>     rpm --import 0x12345678
>> where 0x12345678 is the 32 bit gpg fingerprint.
>>
>> Again, if configured correctly, rpm will retrieve the gpg key from a
>> key server when needed.
>> What hasn't been done is to automatically add the key to the rpmdb
>> keyring, mostly because
>
> Note that I don't want to automatically add the key to the rpmdb
> keyring. Automatically adding all unknown keys to the rpmdb keyring
> would provide the exact same security of having the signature check
> turned off completely.
>

Then don't automatically add the public key to an rpmdb. There's
nothing in typing

    rpm --import 0x12345678

that is automatic. Nor is there any implied trust (or loss of
security) if rpmlib fetches a public key for a stronger test of
package integrity than a digest.

> I only want to automatically retrieve the key, to show the new unknown
> key on the screen including the fingerprint of it so I can compare it
> with the one I have in other accounts (either on the console if using
> the CLI or with a popup window on the GUI) and to _ask_me_ if this new
> key should be added or not. I don't think using rpm is the best way to
> achieve it; using gpg sounds better since it is already capable of
> doing all I need, rpm isn't and doesn't need to.
>

rpm -qip *.rpm displays signature information, including the signer,
date signed, and fingerprint.

No matter what, rpmlib's keyring is used to verify signatures when
reading packages using rpmlib.

If you don't think rpm is "the best way" to verify signatures, then,
by all means, disable the mechanism in rpm and verify the package
signatures however you wish. The script /usr/lib/rpm/tgpg will get
you (or smart) started on that path.

>> Automatically importing pubkeys, either from packages (e.g. see
>> rpm -q --qf '[%{pubkeys}\n]' rpm) or from key servers,
>> I patiently await for the "surprise" to wear off before finishing the
>> implementation in rpm.
>
> What do you mean with "surprise"?

The ability to retrieve a public key using an hkp server within
rpmlib. Everyone (and every application) wants something different,
you (and smart) included. In fact, package signatures are more about
vendor "branding" of otherwise identical OSS than anything related to
security imho. But I digress ...

73 de Jeff
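The workflow Andrea asks for (fetch the unknown key, show its fingerprint, and import into the rpmdb keyring only after the operator says yes) written out as a POSIX shell script. This is an added example, not code from the thread, from smart or from rpm; it assumes gpg and rpm are on PATH, uses the pgp.mit.edu keyserver named in the thread as an overridable default, and fetches into a throwaway GnuPG home so the key never lands in the operator's own keyring or trust database before it has been compared against a known-good fingerprint.

```shell
#!/bin/sh
# Added example, not code from the thread or from smart/rpm: fetch a package-signing
# key from an hkp keyserver into a scratch keyring, display user id and fingerprint,
# and run `rpm --import` only after explicit confirmation.
# Assumptions: gpg and rpm on PATH; KEYSERVER is an overridable default.

KEYSERVER="${KEYSERVER:-hkp://pgp.mit.edu}"

# Key id forms accepted: 0x + 8 or 16 hex digits, or a full 40-hex fingerprint.
# Anything else (including shell metacharacters) is refused before gpg sees it.
valid_keyid() {
    printf '%s\n' "$1" |
        grep -Eq '^(0x([0-9A-Fa-f]{8}|[0-9A-Fa-f]{16})|[0-9A-Fa-f]{40})$'
}

# Pull the first fingerprint / user id record out of `gpg --with-colons` output on stdin.
# In colon-separated output, record type is field 1 and the payload is field 10.
fpr_from_colons() { awk -F: '$1 == "fpr" { print $10; exit }'; }
uid_from_colons() { awk -F: '$1 == "uid" { print $10; exit }'; }

# Constructed sample of --with-colons output (not a real key) for offline checks.
SAMPLE_COLONS='pub:-:1024:17:0123456789ABCDEF:2006-06-09:::-:::scaSCA:
fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:
uid:-::::2006-06-09::0000000000000000000000000000000000000000::Example Packager (constructed) <packager@example.org>::::::::::0:'

review_and_import() {
    keyid="$1"
    valid_keyid "$keyid" || { echo "refusing malformed key id: $keyid" >&2; return 2; }

    # Scratch GnuPG home: the fetched key never touches the operator's own keyring.
    tmp=$(mktemp -d) || return 1
    chmod 700 "$tmp"

    if ! gpg --homedir "$tmp" --batch --keyserver "$KEYSERVER" --recv-keys "$keyid"; then
        echo "keyserver lookup failed for $keyid" >&2
        rm -rf "$tmp"
        return 1
    fi
    colons=$(gpg --homedir "$tmp" --batch --with-colons --fingerprint "$keyid")
    printf 'Key id:      %s\nUser id:     %s\nFingerprint: %s\n' \
        "$keyid" \
        "$(printf '%s\n' "$colons" | uid_from_colons)" \
        "$(printf '%s\n' "$colons" | fpr_from_colons)"

    printf 'Compare the fingerprint with a copy you already trust. Import into the rpmdb keyring? [y/N] '
    read -r answer
    rc=0
    case "$answer" in
        y|Y)
            # Only now does the key reach rpmlib's keyring; the check itself stays enabled.
            gpg --homedir "$tmp" --batch --armor --export "$keyid" > "$tmp/pubkey.asc" &&
                rpm --import "$tmp/pubkey.asc" || rc=1 ;;
        *)
            echo "Not imported; packages signed with $keyid will keep failing the check." ;;
    esac
    rm -rf "$tmp"
    return $rc
}

# Usage: sh review-import.sh 0x12345678   (placeholder id, as in the thread)
if [ $# -gt 0 ]; then
    review_and_import "$1"
fi
```

The script never turns `rpm-check-signatures` off and never imports anything it was not told to: a refused or malformed id leaves the rpmdb untouched, and the only new state after a "no" is a deleted temporary directory. The same pair of helpers can be wrapped by a GUI front end; the decision point is the fingerprint comparison, not the download.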
