On Dec 28, 2007, at 9:48 AM, Ralf S. Engelschall wrote:
> RPM AFAIK contains PGP signature verification code which seems to
> be able to even handle the PEM/Base64 variants. So, I'm wondering
> whether it would be even possible to implement the "gnupg(<path>) [=
> <fingerprint>]" *WITHOUT* an external gpg(1).
>
> The background for this is that especially with the latest GnuPG 2.x
> the dependencies to install gpg(1) increased dramatically. This means
> that in a self-contained environment like OpenPKG one would be able to
> check "gnupg(...)" dependencies only after one has built about a dozen
> packages -- this renders "gnupg(...)" mostly useless for us in
> practice.
>
> But all which I'm seeking for is to be able quickly (no external program
> forks) and self-contained (no external dependencies) to check the PGP
> signature on a file. So, as RPM already ships with BeeCrypt based PGP
> verification functionality, would it be *EASILY* possible to use this
> already existing functionality?
Yep. The gnupg(...) probe dependency was proof-of-concept for stronger than digest
fetched content verification. Invoking gpg was the easy hack for an idea that
no one "gets" yet.
Most of the existing code in rpm is heavily tricked up to handle header and payload
items used in *.rpm without temporary files or external helpers.
Verifying the signature on a single file is rather easy, starts with getting the digest
on the plaintext, parsing the signature, etc etc.
Do you want such functionality under gnupg() in rpm-5.0? Signature
verification is relatively risk free, the mathematics ensures that you
either win or lose unambiguously, no memory leaks or other implementation
details to fuss about.
OTOH, it is 12/28/2007 ;-)
73 de Jeff
Received on Fri Dec 28 16:10:22 2007
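The file-signature check Jeff sketches above (digest the plaintext, parse the signature), as an added Python example that is not from the rpm code base or from this thread: it dearmors a PEM/Base64 signature, parses the v4 signature packet, recomputes the digest with the RFC 4880 trailer, and applies the left-two-octet quick check. The public-key operation on the MPIs (what RPM's BeeCrypt code would perform) is left out, and `build_sample` is a constructed packet with a placeholder MPI, not real gpg output.

```python
import base64, hashlib, struct
HASHES = {2: "sha1", 8: "sha256", 9: "sha384", 10: "sha512"}   # RFC 4880 hash algorithm ids

def dearmor(armored: str) -> bytes:
    """Strip armor (BEGIN/END, 'Key: value' headers, blank lines, '=CRC' line) and base64-decode."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    return base64.b64decode("".join(l for l in lines[1:-1] if l and ":" not in l and l[0] != "="))

def read_packet(data: bytes):
    """(tag, body) of the first packet, old- or new-format header (RFC 4880 section 4.2)."""
    ctb = data[0]
    if ctb & 0x40:                                   # new-format header (no partial lengths here)
        tag, o = ctb & 0x3F, data[1]
        ln, off = (o, 2) if o < 192 else (((o - 192) << 8) + data[2] + 192, 3) if o < 224 \
            else (int.from_bytes(data[2:6], "big"), 6)
    else:                                            # old-format: length-type in the low 2 bits
        size = 1 << (ctb & 3)
        tag, ln, off = (ctb >> 2) & 0x0F, int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + ln]

def parse_v4_sig(body: bytes) -> dict:
    """Split a version-4 signature packet body into its fields (RFC 4880 section 5.2.3)."""
    assert body[0] == 4, "only v4 signature packets are handled here"
    hl = struct.unpack(">H", body[4:6])[0]
    p = 6 + hl + 2 + struct.unpack(">H", body[6 + hl:8 + hl])[0]   # skip unhashed subpackets
    return {"sig_type": body[1], "pk_alg": body[2], "hash_alg": body[3],
            "hashed_subpackets": body[6:6 + hl], "left2": body[p:p + 2], "mpis": body[p + 2:]}

def signed_digest(plaintext: bytes, sig: dict) -> bytes:
    """Digest the signer signed: plaintext + hashed fields + v4 trailer (RFC 4880 section 5.2.4)."""
    fields = bytes([4, sig["sig_type"], sig["pk_alg"], sig["hash_alg"]]) \
        + struct.pack(">H", len(sig["hashed_subpackets"])) + sig["hashed_subpackets"]
    return hashlib.new(HASHES[sig["hash_alg"]],
                       plaintext + fields + b"\x04\xff" + struct.pack(">I", len(fields))).digest()

def quick_check(plaintext: bytes, armored: str) -> bool:
    """Left-two-octet check: a mismatch rules the signature out; a match still needs the key op."""
    tag, body = read_packet(dearmor(armored))
    assert tag == 2, "not a signature packet"
    sig = parse_v4_sig(body)
    return signed_digest(plaintext, sig)[:2] == sig["left2"]

def build_sample(plaintext: bytes, created: int = 1198800000) -> str:
    """Constructed sample, not gpg output: v4 type-0 RSA/SHA-256 signature, placeholder MPI."""
    sig = {"sig_type": 0, "pk_alg": 1, "hash_alg": 8,
           "hashed_subpackets": b"\x05\x02" + struct.pack(">I", created)}  # len 5, creation time
    body = bytes([4, 0, 1, 8, 0, 6]) + sig["hashed_subpackets"] + b"\x00\x00" \
        + signed_digest(plaintext, sig)[:2] + b"\x00\x08\x00"          # honest left2, 8-bit MPI
    packet = bytes([0x88, len(body)]) + body                # old-format header, tag 2, 1-byte length
    return "-----BEGIN PGP SIGNATURE-----\n\n%s\n-----END PGP SIGNATURE-----\n" \
        % base64.b64encode(packet).decode()
```

Feeding `quick_check` a real detached signature and its file exercises the same path; the `created` default is 28 Dec 2007 00:00 UTC, matching the thread's date.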