Bug 227632
Summary: | RFE: better handling of signing subkeys | |||
---|---|---|---|---|
Product: | [Fedora] Fedora | Reporter: | John Guthrie <mathguthrie> | |
Component: | rpm | Assignee: | Packaging Maintenance Team <packaging-team-maint> | |
Status: | CLOSED RAWHIDE | QA Contact: | ||
Severity: | medium | Docs Contact: | ||
Priority: | medium | |||
Version: | rawhide | CC: | herrold, lkardos, quanah, tmraz, tonster | |
Target Milestone: | --- | Keywords: | FutureFeature, Reopened | |
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | Doc Type: | Enhancement | ||
Doc Text: | Story Points: | --- | ||
Clone Of: | ||||
: | 1638955 (view as bug list) | Environment: | ||
Last Closed: | 2015-08-28 11:46:39 UTC | Type: | --- | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: | ||||
Bug Depends On: | ||||
Bug Blocks: | 1638955 |
Description
John Guthrie
2007-02-07 06:51:36 UTC
There are 2 elements needed to support signining subkeys: 1) adding the signining subkey fingerprint to the Pubkeys index so that the key is found. 2) Verifying the signature that binds the subkey to the primary key. If you can export the signing subkey as an armored pubkey certificate, then its likely that rpm --import and signature verification will just work. Whether that is a wise or proper certificate is a whole different matter. User pnasrat's account has been closed Reassigning to owner after bugzilla made a mess, sorry about the noise... Fedora apologizes that these issues have not been resolved yet. We're sorry it's taken so long for your bug to be properly triaged and acted on. We appreciate the time you took to report this issue and want to make sure no important bugs slip through the cracks. If you're currently running a version of Fedora Core between 1 and 6, please note that Fedora no longer maintains these releases. We strongly encourage you to upgrade to a current Fedora release. In order to refocus our efforts as a project we are flagging all of the open bugs for releases which are no longer maintained and closing them. http://fedoraproject.org/wiki/LifeCycle/EOL If this bug is still open against Fedora Core 1 through 6, thirty days from now, it will be closed 'WONTFIX'. If you can reporduce this bug in the latest Fedora version, please change to the respective version. If you are unable to do this, please add a comment to this bug requesting the change. Thanks for your help, and we apologize again that we haven't handled these issues to this point. The process we are following is outlined here: http://fedoraproject.org/wiki/BugZappers/F9CleanUp We will be following the process here: http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this doesn't happen again. And if you'd like to join the bug triage team to help make things better, check out http://fedoraproject.org/wiki/BugZappers This bug is open for a Fedora version that is no longer maintained and will not be fixed by Fedora. Therefore we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen thus bug against that version. Thank you for reporting this bug and we are sorry it could not be fixed. Reopening as this is a feature that is needed for supporting offline master keys. The master keys should not be used for anything else than subkey and peer key signatures and revocations. Fixed upstream as a173d781a631a92524ce5be364c679ba19b3e321 Rpm always imported whole gpg keys including subkeys because rpm stores whole unparsed key data (key, subkeys, signatures of keys...) in gpg-pubkey... packages. These data are parsed during loading keys from db into rpm keyring in the beginning of rpm transaction but previously only main keys was extracted from these data and they were inserted into rpm keyring. Now also all subkeys are parsed and inserted into keyring. That means now you can have rpm package signed with arbitrary subkey and rpm is able to verify the sign of this package. This change is in rpm-4.12.90 (a.k.a. rpm-4.13.0-alpha) which is in fedora rawhide. |