Re: the v4 signatures thing

On Thu, Jan 09, 2003 at 10:07:18PM -0500, Matthew Miller wrote:
> I saw a thread about this a couple of months ago but if there was anything
> after that, I missed it. If I want to sign my own packages with gpg these
> days, I assume the thing to do is
>  %__gpg_sign_cmd                 %{__gpg} \
>      gpg --batch --no-verbose --no-armor --passphrase-fd 3 --force-v3-sigs \
>      -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
> yeah? Or am I missing something really obvious and doing this the hard way?

Ah, "--force-v3-sigs" looks like it should be added.

> Or has Jeff made this problem obsolete while I wasn't looking? And if
> neither of those, should this go in the official default macros?

The only reason that signing is not implemented directly in rpm is the
security implications of managing private keys. A few more audits on rpm,
and I will attempt.

> Second, if I want to get a signature onto the pub keyring automatically at
> install time, what's the best way to do that? Have anaconda do it? Have a
> package that calls rpm --import in its post script (probably not possible due
> to locking but I haven't checked)? Or rebuild the rpm package itself with
> the signature already there? Or again, something really obvious I'm missing?

Automagically adding pubkeys from packages needs rpm to pay attention
to the trust bits in OpenPGP pubkeys, requiring user interaction to
set the bit. Alternatively, warnings could be generated when package
with pubkey is installed, but that really requires user dialogue too.

You can try "rpm --import" in %post, should work with concurrent access
since rpm-4.1, but won't work at all without concurrent access.

There's a new-fangled %pubkey attribute in rpm-4.2, but that don't do
nothing except stuff the armored pubkey glop into a header. I'm
not at all sure that this is the right approach.

The real problem that needs solving is how to supply pubkey with package
so that it can be used when the package is installed, not afterwards.
ATM I usually just do "rpm --import" before whatever operation that
will use the pubkey.

73 de Jeff

Jeff Johnson	ARS N3NPQ
jbj@redhat.com (jbj@jbj.org)
Chapel Hill, NC
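As an added example (not part of the thread or of rpm/gpg), here is a small Python checker that tells a packager whether a binary detached signature written by "gpg --no-armor -sb" is a v3 or a v4 OpenPGP signature packet, i.e. whether --force-v3-sigs actually took effect before the package is handed to an older rpm. The two sample packets are constructed for the example, with dummy key IDs and MPIs, not real signatures.

```python
"""Report whether a binary OpenPGP detached signature (gpg --no-armor -sb)
is a v3 or v4 signature packet, using the RFC 4880 packet framing."""

SIGNATURE_TAG = 2  # OpenPGP packet tag for a signature packet

def parse_packet_header(data: bytes):
    """Return (tag, body_offset, body_length) for the first OpenPGP packet."""
    if not data or not (data[0] & 0x80):
        raise ValueError("not an OpenPGP packet header")
    ctb = data[0]
    if ctb & 0x40:  # new-format header (RFC 4880 section 4.2.2)
        tag = ctb & 0x3F
        first = data[1]
        if first < 192:
            return tag, 2, first
        if first < 224:
            return tag, 3, ((first - 192) << 8) + data[2] + 192
        if first == 255:
            return tag, 6, int.from_bytes(data[2:6], "big")
        raise ValueError("partial body lengths not supported")
    # old-format header (RFC 4880 section 4.2.1): low two bits give length type
    tag = (ctb >> 2) & 0x0F
    ltype = ctb & 0x03
    if ltype == 0:
        return tag, 2, data[1]
    if ltype == 1:
        return tag, 3, int.from_bytes(data[1:3], "big")
    if ltype == 2:
        return tag, 5, int.from_bytes(data[1:5], "big")
    raise ValueError("indeterminate length not supported")

def signature_version(data: bytes) -> int:
    """Return 3 or 4 for a detached signature; raise on anything else."""
    tag, off, length = parse_packet_header(data)
    if tag != SIGNATURE_TAG:
        raise ValueError(f"expected signature packet (tag 2), got tag {tag}")
    body = data[off:off + length]
    if len(body) != length:
        raise ValueError("truncated signature packet")
    if body[0] not in (3, 4):
        raise ValueError(f"unknown signature version {body[0]}")
    return body[0]

# Constructed sample packets (not real signatures; key IDs and MPIs are dummies).
# v3 body: ver, hashed-len 5, sigtype, ctime(4), keyid(8), pkalg, hashalg, left16, MPI
V3_SIG = bytes([0x88, 22, 3, 5, 0x00]) + bytes(4) + bytes(8) + bytes([1, 2, 0xAB, 0xCD, 0, 8, 0x7F])
# v4 body: ver, sigtype, pkalg, hashalg, hashed subpackets, unhashed subpackets, left16, MPI
V4_SIG = (bytes([0xC2, 29, 4, 0x00, 1, 2, 0, 6, 5, 2]) + bytes(4)
          + bytes([0, 10, 9, 16]) + bytes(8) + bytes([0xAB, 0xCD, 0, 8, 0x7F]))
```

Run it against the .sig (or the signature extracted from the package header) and expect 3 when the macro above is in effect.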