RE: signing RPMs without a passphrase?
- From: "Jay Yarbrough" <jyarbrough univaud com>
- To: "RPM Package Manager" <rpm-list redhat com>
- Subject: RE: signing RPMs without a passphrase?
- Date: Thu, 9 Oct 2008 11:19:29 -0500
My personal preference is to batch sign them after creation. However,
it should also be possible to use 'expect' to pass in the passphrase
during the build process.
-----Original Message-----
From: rpm-list-bounces redhat com [mailto:rpm-list-bounces redhat com]
On Behalf Of Lev Lvovsky
Sent: Thursday, October 09, 2008 11:01 AM
To: RPM Package Manager
Subject: Re: signing RPMs without a passphrase?
thank you *Jeff*!
The first response in the link provided just seemed a little off-base
to me. There's nothing intrinsically more secure about me typing in
some passphrase vs. an automated procedure just skipping the step -
AFAIK, GPG is used to provide file signature verification (along with
md5 and whatever other hash algo. is employed). But it's also used
to verify the entity that the RPM came from - an identity which the
installer chooses to trust, passphrase notwithstanding. Am I missing
something there?
I'll check out keyutils - thank you very much for your help Jeff!
-lev
On Oct 7, 2008, at 5:16 PM, Jeff Johnson wrote:
> Well 2004 was a long time ago. Times have changed too ...
>
> FWIW, rpm-5 uses keyutils to store passphrases.
>
> Which means that it's possible to use keyutils to manage
> a persistent session pass phrase, loaded before rpm is invoked,
> and the passphrase will be passed to gpg for signing packages.
>
> But you can attempt signing without a pass phrase if you want to.
>
> 73 de Jeff
>
> On Oct 7, 2008, at 7:26 PM, Aaron Hanson wrote:
>
>> https://www.redhat.com/archives/rpm-list/2004-March/msg00109.html
>>
>>> -----Original Message-----
>>> From: rpm-list-bounces redhat com [mailto:rpm-list-bounces redhat com]
>>> On Behalf Of Lev Lvovsky
>>> Sent: Tuesday, October 07, 2008 4:18 PM
>>> To: rpm-list redhat com
>>> Subject: signing RPMs without a passphrase?
>>>
>>> Is it possible to sign an RPM without being asked the passphrase for
>>> the signing key? It hampers automated RPM creation to be asked for
>>> the passphrase when building them. Otherwise, is the only other
>>> option just batch signing the RPMs after they've been created?
>>>
>>> thanks,
>>> -lev
>>>
>>> _______________________________________________
>>> Rpm-list mailing list
>>> Rpm-list redhat com
>>> https://www.redhat.com/mailman/listinfo/rpm-list