auto importing rpm gpg public keys from keyserver
Jeff Johnson
n3npq at mac.com
Thu Jun 15 03:55:03 PDT 2006
On Jun 15, 2006, at 1:16 AM, Andrea Arcangeli wrote:
>
> I did a first prototype working implementation (I doubt it will last
> more than a few days, but it already works).
>
Um, ick. Let's kill this code today please. ;-)
> Obvious problems:
>
> 1) I couldn't find a way to extract the keyid from the rpm using the
> rpmmodule.c so I didn't wait too long before taking the simple way:
> in this model the key management is in a very slow path so it's not a
> problem in practice.
The keyid can be extracted using a --queryformat modifier.
The relevant queryformat syntax is
"%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|"
The --queryformat extraction is bound through hdr.sprintf() in python.
You can find example usage in yum if not in smart already.
This is a series of nested tests for existence of 4 possible signatures.
There are two types of plaintext: header-only and header+payload.
There were different tags used for pgp (essentially RSA) and gpg
(essentially DSA) historically.
> 2) I don't know how to open popup windows in the GUI, so it probably
> only works with the console, GUI is *untested*.
No GUI expertise here either.
> 3) I couldn't find a way to ask the "this session only" without
> disabling signature checking as a whole (and if I did I would have had to
> check the signature beforehand instead of catching the failure in the
> fast path, so the whole code would have to be rewritten doing the
> check beforehand).
>
The flags to disable signature checking are per-transaction, the
method is ts.setVSFlags.
All the flags are disablers, so
ts.setVSFlags(-1)
disables all signature and digests checking by rpm.
Note carefully the chicken <-> egg problem of reading the header in
order to identify the pubkey you wish to import.
Some security problems, like a buffer overflow reading a package
header leading to a setuid shell, will occur before you are able to
import the pubkey. In those cases, your scheme using gpg to import pubkeys
is no security at all.
hth
73 de Jeff
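As an added example (not code from the thread, smart, or rpm itself), the snippet below does the two things Jeff describes: it binds the nested queryformat through hdr.sprintf() on a transaction set whose verification flags are disabled with ts.setVSFlags(-1), and it splits the resulting ":pgpsig" text into signature type, date and key id. The parsing assumes the "type, date, Key ID <hex>" layout that rpm's :pgpsig formatter prints and that yum splits on commas (the date is comma-free only in the C locale, hence the locale call); the sample strings in the test are constructed, not taken from a real package. The header read is the untrusted step from Jeff's caveat, so the rpm-dependent function is kept separate from the pure parser.

```python
import locale
import os
import re

# Query format quoted in the message above: nested existence tests for the
# four signature tags rpm has used historically. DSAHEADER/RSAHEADER sign the
# header only; SIGGPG/SIGPGP sign header+payload.
SIG_QUERYFORMAT = (
    "%|DSAHEADER?{%{DSAHEADER:pgpsig}}"
    ":{%|RSAHEADER?{%{RSAHEADER:pgpsig}}"
    ":{%|SIGGPG?{%{SIGGPG:pgpsig}}"
    ":{%|SIGPGP?{%{SIGPGP:pgpsig}}"
    ":{(none)}|}|}|}|"
)

# Assumption: the last comma-separated field ends in "Key ID" followed by an
# 8- or 16-digit hex key id, as rpm's :pgpsig formatter prints it.
_KEYID_RE = re.compile(r"Key ID\s+([0-9A-Fa-f]{8,16})\s*$")


def parse_pgpsig(siginfo):
    """Split ':pgpsig' output into (sigtype, sigdate, keyid).

    Returns None for an unsigned package ("(none)") and raises ValueError
    for text that does not match the expected layout, so a malformed
    header cannot silently yield a bogus key id to fetch.
    """
    siginfo = siginfo.strip()
    if not siginfo or siginfo == "(none)":
        return None
    parts = [p.strip() for p in siginfo.split(",")]
    if len(parts) != 3:
        raise ValueError("unexpected pgpsig layout: %r" % siginfo)
    sigtype, sigdate, keyfield = parts
    match = _KEYID_RE.search(keyfield)
    if match is None:
        raise ValueError("no key id in pgpsig field: %r" % keyfield)
    return sigtype, sigdate, match.group(1).lower()


def header_keyid(path):
    """Read a package header with verification disabled and return its signer's key id.

    rpm is imported lazily so the parser above stays usable without the
    bindings installed. Disabling verification is required here because the
    key is not yet imported; everything rpm does while parsing this header
    happens before any signature check, which is the chicken/egg problem
    Jeff points out. Treat the file as untrusted input throughout.
    """
    import rpm  # python bindings shipped with rpm

    locale.setlocale(locale.LC_TIME, "C")  # keep the date field comma-free
    ts = rpm.TransactionSet()
    ts.setVSFlags(-1)  # all flags are disablers: skip signature and digest checks
    fd = os.open(path, os.O_RDONLY)
    try:
        hdr = ts.hdrFromFdno(fd)
    finally:
        os.close(fd)
    return parse_pgpsig(hdr.sprintf(SIG_QUERYFORMAT))
```

The key id recovered this way only tells you which key to look for; it is not evidence that the package is authentic, and after the key is imported the package still has to be verified with signature checking re-enabled.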