Bug 114240

Summary: rpm --import does not check header of pubkey
Product: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED DEFERRED
Severity: medium
Priority: medium
Reporter: Olivier Baudron <olivier.baudron>
Assignee: Jeff Johnson <jbj>
QA Contact: Mike McLean <mikem>
Doc Type: Bug Fix
Last Closed: 2004-01-25 13:38:42 UTC

Description Olivier Baudron 2004-01-25 09:00:10 UTC
When a public key is imported, rpm does not complain when no header is
present. Here is how to reproduce the bug:

Save http://fedora.redhat.com/about/security/30C9ECF8.txt in a file
and remove the first two lines (the description of the key). Then,
import the key. Although it seems it worked, the key cannot be used
when verifying a package.

I noticed it because initially I imported the keys from a public key
server and I could not verify the packages.

There is another experience. Remove all public keys from the rpm
database. Then import a key without the first two lines. Then 'rpm -qa
gpg-pubkey*' outputs dozens of errors:

error: rpmdbNextIterator: skipping h#: 1554 Header V3 DSA signature:
BAD, key ID4f2a6fd2

Comment 1 Jeff Johnson 2004-01-25 13:38:42 UTC
Yup. rpm supports only a subset of OpenPGP, and it's up to the
user to ensure that the pubkey is correct and imported correctly.

Yes, if you import a pubkey that associates the wrong fingerprint
with the parameters, then every signature check will fail, and
all headers read from the database will be identified as BAD.
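The reply above leaves correctness of the imported pubkey to the user. As an added example (not from this report and not rpm's own code), the following Python check de-armors an OpenPGP public key block strictly, requiring the BEGIN/END lines, a blank line after the armor headers and a matching CRC-24, then computes the v4 fingerprint of the leading key packet and derives the key ID that rpm later shows in the gpg-pubkey package name, so it can be compared with the expected ID before running rpm --import. The sample key is a constructed packet with dummy MPIs and an invented `Version:` header, not a real key.

```python
import base64, hashlib
BEGIN, END = "-----BEGIN PGP PUBLIC KEY BLOCK-----", "-----END PGP PUBLIC KEY BLOCK-----"

def crc24(data):
    """OpenPGP armor checksum (RFC 4880, section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text):
    """Strict de-armoring: BEGIN/END lines, a blank line after the armor headers and a matching CRC are all required."""
    lines = [l.rstrip() for l in text.strip().splitlines()]
    if not lines or lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not a complete PGP public key block")
    body = lines[1:-1]
    while body and body[0]:  # "Version:"-style armor headers end at the first blank line
        if ":" not in body.pop(0):
            raise ValueError("armor headers not terminated by a blank line")
    data = base64.b64decode("".join(l for l in body if l and l[0] != "="), validate=True)
    crc_lines = [l for l in body if l[:1] == "="]
    if len(crc_lines) != 1 or int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big") != crc24(data):
        raise ValueError("armor checksum missing or mismatched")
    return data

def v4_fingerprint(pkt):
    """SHA-1 fingerprint (RFC 4880, 12.2) of the leading old-format v4 public key packet (tag 6)."""
    ctb = pkt[0]
    if ctb & 0xC0 != 0x80 or (ctb >> 2) & 0x0F != 6 or ctb & 3 == 3:
        raise ValueError("first packet is not an old-format public key packet")
    hdr_len = 5 if ctb & 3 == 2 else (ctb & 3) + 2
    body_len = int.from_bytes(pkt[1:hdr_len], "big")
    body = pkt[hdr_len:hdr_len + body_len]
    if len(body) != body_len or body[0] != 4:
        raise ValueError("truncated packet or unsupported key version")
    return hashlib.sha1(b"\x99" + body_len.to_bytes(2, "big") + body).hexdigest().upper()

def key_id(text):
    """Low 64 bits of the fingerprint, as it appears in rpm's gpg-pubkey-<id>-<time> package name."""
    return v4_fingerprint(dearmor(text))[-8:].lower()

# Constructed sample, not a real key: old-format tag-6 packet (CTB 0x99), v4, DSA (algo 17), dummy 2-bit MPIs.
_BODY = b"\x04" + (0x40000000).to_bytes(4, "big") + b"\x11" + b"\x00\x02\x03" * 4
SAMPLE_PACKET = b"\x99" + len(_BODY).to_bytes(2, "big") + _BODY
_crc = base64.b64encode(crc24(SAMPLE_PACKET).to_bytes(3, "big")).decode()
SAMPLE_KEY = "\n".join([BEGIN, "Version: constructed-example", "", base64.b64encode(SAMPLE_PACKET).decode(), "=" + _crc, END])
```

Run key_id() on the downloaded key file and compare the result with the key ID you expect; after importing, the same value should appear in the name reported by `rpm -q gpg-pubkey`.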