RPM Community Forums

Mailing List Message of <rpm-users>

Signing key matters

From: R P Herrold <herrold@owlriver.com>
Date: Thu 21 Dec 2017 - 19:42:56 CET
Message-ID: <alpine.LRH.2.03.1712211317160.7037@bjyevire.pbz>
On Wed, 20 Dec 2017, David wrote:

> I could not tell if my first message to this forum posted

It is well and publicly documented that gmail filters out 
one's own posts ... breaks expectations, but there you are


I do not have a copy of Rosa installed presently, and so do 
not know which (of several possible) package signature schemes 
they use

The 'signing keys' allowed to make updates may be enumerated 
thus:

[herrold@centos-7 bin]$ rpm -qa gpg\*
gpg-pubkey-352c64e5-52ae6884
gpg-pubkey-23b66a9d-40912de4
gpg-pubkey-f4a80eb5-53a7ff4b
gpg-pubkey-5044912e-4b7489b1
gpg-pubkey-baadae52-49beffa4
gpgme-1.3.2-5.el7.x86_64
[herrold@centos-7 bin]$

and for more detail as to WHO owns a given key:

[herrold@centos-7 bin]$ rpm -qa gpg\* \
	--qf '%{Packager} %{version} %{release} \n' 
Fedora EPEL (7) <epel@fedoraproject.org> 352c64e5 52ae6884 
CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org> f4a80eb5 53a7ff4b 
Dropbox Automatic Signing Key <linux@dropbox.com> 5044912e 4b7489b1 
elrepo.org (RPM Signing Key for elrepo.org) <secure@elrepo.org> baadae52 49beffa4 
CentOS BuildSystem <http://bugs.centos.org> 1.3.2 5.el7 
[herrold@centos-7 bin]$ 


The particular one on your 'rpm' package may be viewed by 
walking through the possible signing schemes and looking for a 
match

[herrold@centos-7 bin]$ rpm --querytags | grep -i sig
HEADERSIGNATURES
LONGSIGSIZE
SIGGPG
SIGMD5
SIGPGP
SIGSIZE

so:

[herrold@centos-7 bin]$ rpm -q rpm --qf '%{SIGGPG}\n'
(none)
[herrold@centos-7 bin]$ rpm -q rpm --qf '%{SIGMD5}\n'
6a8bcea4f1d4e15ef0920aa0187a756a

[herrold@centos-7 bin]$ rpm -q rpm \
	--qf '%{name} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig} \n'
rpm RSA/SHA256, Thu 10 Aug 2017 03:41:33 PM EDT, Key ID \
	24c6a8a7f4a80eb5 (none)

Ignore the '(none)' as there are at least two ways to sign a 
package, and only one is required


Using this information, we can get the last 8 characters of a 
signing key (its so-called fingerprint), and match that up 
against a key --- I use a couple of 'shell one-liners' 
which are not all that uncommon in building automation

[herrold@centos-7 bin]$ rpm -q rpm \
	--qf '%{name} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig} \n' | \
	sed -e "s#(none)##g" | tr -d " " | rev | cut -c1-8 | rev
f4a80eb5

[herrold@centos-7 bin]$ rpm -qa gpg\* \
	--qf '%{Packager} %{version} %{release} \n' | grep f4a80eb5
CentOS-7 Key (CentOS 7 Official Signing Key) \
	<security@centos.org> f4a80eb5 53a7ff4b 

[herrold@centos-7 bin]$

Hope that permits you to answer your question

-- Russ herrold
Received on Thu Dec 21 20:01:21 2017
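The matching the post does by hand with two one-liners, as an added example that is not from the post or the RPM project: a POSIX shell script that parses the two rpm query outputs shown above and reports each package's signing key and its owner, returning non-zero when a package is unsigned or signed by a key rpm does not have installed. The package names "foo" and "bar" and the key ID 0123456789abcdef in the sample input are constructed; the other values are those shown in the post.

```shell
# Added example (not from the post): match every package's signing key ID
# against the gpg-pubkey packages rpm has installed. Pure text processing.

# Extract "<name> <8-hex short key id|none>" from one line of
#   rpm -q <pkg> --qf '%{name} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'
sig_keyid() {
    name=${1%% *}
    long=$(printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9a-fA-F]\{16\}\).*/\1/p')
    [ -n "$long" ] || { printf '%s none\n' "$name"; return; }
    printf '%s %s\n' "$name" "${long#????????}"   # rpm names keys by the last 8 hex chars
}

# Print the owner of a short key ID from the output of
#   rpm -qa gpg-pubkey\* --qf '%{Packager} %{version} %{release}\n'
# or UNKNOWN when rpm has no such key installed (second-to-last field is the id).
pubkey_owner() {
    printf '%s\n' "$2" | awk -v id="$1" '
        NF >= 2 && $(NF-1) == id { for (i = 1; i <= NF-2; i++) printf "%s%s", $i, (i < NF-2 ? " " : "\n"); f = 1 }
        END { if (!f) print "UNKNOWN" }'
}

# Print "<name> <keyid> <owner>" per package; return 1 if any package is
# unsigned or signed by a key rpm does not have (the cases worth alerting on).
audit_sigs() {
    sigs=$1; keys=$2; bad=0
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        set -- $(sig_keyid "$line")            # $1 = name, $2 = short key id
        if [ "$2" = none ]; then
            owner=UNSIGNED; bad=1
        else
            owner=$(pubkey_owner "$2" "$keys"); [ "$owner" != UNKNOWN ] || bad=1
        fi
        printf '%s %s %s\n' "$1" "$2" "$owner"
    done <<EOF
$sigs
EOF
    return $bad
}

# Constructed sample input in the formats the post shows; "foo", "bar" and the
# 0123...cdef key ID are made up, the other values are those in the post.
SAMPLE_SIGS='rpm RSA/SHA256, Thu 10 Aug 2017 03:41:33 PM EDT, Key ID 24c6a8a7f4a80eb5 (none)
foo RSA/SHA256, Mon 01 Jan 2018 00:00:00 AM EST, Key ID 0123456789abcdef (none)
bar (none) (none)'
SAMPLE_KEYS='Fedora EPEL (7) <epel@fedoraproject.org> 352c64e5 52ae6884
CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org> f4a80eb5 53a7ff4b'
audit_sigs "$SAMPLE_SIGS" "$SAMPLE_KEYS" || echo "audit: unsigned or unknown-key packages present"
```

On a live host, feed `audit_sigs` the output of `rpm -qa --qf '%{name} %{SIGPGP:pgpsig} %{SIGGPG:pgpsig}\n'` (minus the gpg-pubkey entries, which carry no signature of their own) and `rpm -qa gpg-pubkey\* --qf '%{Packager} %{version} %{release}\n'`; using the `gpg-pubkey\*` glob rather than `gpg\*` keeps packages like gpgme out of the key list.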