RPM Community Forums

Mailing List Message of <rpm-devel>

Re: feedback: signature(DF[,DS]) = [PK:]FP

From: Jeff Johnson <n3npq@mac.com>
Date: Sun 30 Dec 2007 - 15:46:25 CET
Message-Id: <AA195F2B-E0BD-4662-A415-1F343C4274DD@mac.com>

On Dec 30, 2007, at 5:48 AM, Ralf S. Engelschall wrote:

> I've now tested the brand-new signature(DF[,DS]) = [PK:]FP functionality
> that Jeff busily developed over the last two days.
>
> In short: great! Jeff, very well done!
>

(blush)
much more funner than rewriting header.c I assure you ;-)

> You have my compliments, as you did a fantastic job and certainly made an
> after-Christmas gift to the RPM world with this feature.
>
> I've now tested it this way:
>
> | [...]
> | Source1:      test
> | Source2:      test.sig
> | Source3:      test.asc
> | Source4:      pubkey
> | [...]
> | BuildPreReq:  gnupg(%{SOURCE3}) = 4E23E878D41A0A88EDFCFA5A6E744ACBA9C09E30
> | BuildPreReq:  signature(%{SOURCE3}) = 4E23E878D41A0A88EDFCFA5A6E744ACBA9C09E30
> | BuildPreReq:  signature(%{SOURCE3}) = %{SOURCE4}: 4E23E878D41A0A88EDFCFA5A6E744ACBA9C09E30
> | BuildPreReq:  signature(%{SOURCE1}:%{SOURCE2}) = %{SOURCE4}: 4E23E878D41A0A88EDFCFA5A6E744ACBA9C09E30
> | [...]
>
> The "test" is the plaintext file, "test.sig" is the detached
> signature variant, "test.asc" is the cleartext signed variant and
> "pubkey" is the public key.
>
> Except for the "signature(%{SOURCE3}) =
> 4E23E878D41A0A88EDFCFA5A6E744ACBA9C09E30" all works just
> fine and as expected. The failing "signature(%{SOURCE3}) =
> 4E23E878D41A0A88EDFCFA5A6E744ACBA9C09E30" I guess is just related to
> this RSA-key-lookup issue you already mentioned, because I've done an
> "rpm --import pubkey" but this seems to be not looked up correctly. Not
> a problem at this point. Really can be fixed when time permits.
>

Yah.

Something's really messed up with imported RSA keys. I'll
do regressions and find out what I screwed. Perhaps nothing, RSA
key IDs are intrinsically twisty.

> But everything else seems to work just fine and really as expected --
> especially if one manipulates the data file, the signature file, the
> pubkey or the fingerprint, etc ;-) And as signature(...) functionality
> is now a fully built-in functionality of RPM I'm really happy...
>

Looking forward, rpmnsProbeSignature() is just a complicated mechanism
with insufficient policy to be useful to other than nerds who need a life.

Establishing conventions for storage (I'm just talking about directory paths)
with VPATH-like lookaside and lazy store-and-forward cache checks/pulls
are what will be needed to make rpm a trusted PKI distribution agent.

73 de Jeff
Received on Sun Dec 30 15:46:47 2007
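
The pinning check that a `signature(...) = [PK:]FP` prerequisite expresses, as an added example (not RPM's code and not part of the thread): it parses the dependency forms quoted above and decides from `gpg --status-fd` output whether the signer matches the pinned fingerprint. The regex reading of the syntax, the use of gpg as the verifier, the failure policy and the sample status lines are assumptions constructed here.

```python
import re

# Assumed reading of the page's syntax: signature(DF[:DS]) = [PK:]FP
DEP = re.compile(
    r"signature\(([^:)]+)(?::([^)]+))?\)\s*=\s*(?:(\S+):\s*)?([0-9A-Fa-f]{40})$")

# gpg status keywords treated here as a hard failure (policy choice of this sketch)
FAIL = {"BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"}

def parse_dep(dep):
    """Split a signature() dependency into data file, sig file, pubkey, fingerprint."""
    m = DEP.match(dep.strip())
    if not m:
        raise ValueError("not a signature() dependency: %r" % dep)
    data, sig, pubkey, fp = m.groups()
    return {"data": data, "sig": sig, "pubkey": pubkey, "fp": fp.upper()}

def signature_ok(status_lines, pinned_fp):
    """True only if gpg reported a valid signature made by the pinned key."""
    signers = set()
    for line in status_lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] in FAIL:
            return False
        if parts[1] == "VALIDSIG" and len(parts) >= 3:
            # first field is the signing key fingerprint, last field the primary key's
            signers.update((parts[2].upper(), parts[-1].upper()))
    # GOODSIG alone carries only a key ID, so it never satisfies the pin
    return pinned_fp.upper() in signers

def check(dep, status_lines):
    """Evaluate one dependency string against captured gpg status output."""
    return signature_ok(status_lines, parse_dep(dep)["fp"])

# Constructed sample input; the fingerprint is the one quoted in the thread.
FP = "4E23E878D41A0A88EDFCFA5A6E744ACBA9C09E30"
DEP_LINE = "signature(test:test.sig) = pubkey: " + FP
GOOD = ["[GNUPG:] GOODSIG %s Constructed Signer" % FP[-16:],
        "[GNUPG:] VALIDSIG %s 2007-12-30 1199000000 0 4 0 1 2 00 %s" % (FP, FP)]
TAMPERED = ["[GNUPG:] BADSIG %s Constructed Signer" % FP[-16:]]
OTHER_KEY = [GOOD[1].replace(FP, "A" * 40)]

if __name__ == "__main__":
    for name, lines in (("good", GOOD), ("tampered", TAMPERED), ("other key", OTHER_KEY)):
        print(name, check(DEP_LINE, lines))
```

Status lines like these come from running `gpg --status-fd 1 --verify` with a keyring that holds only the pinned public key.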