Bug 60611

From Bugzilla Helper:
User-Agent: Mozilla/4.78 [en] (X11; U; Linux 2.4.9-13 i686)

Description of problem:
The rpm tool will under certain conditions result in "gpg OK" while the keys
used for the signatures may not have been explicitly flagged by the user as to
be trusted.


Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Install the rpms for gnupg and rpm (emtpy gnupg keyring)
2. Specify a keyserver in ~/.gnupg/options
3. Verify an rpm with rpm --checksig

	

Actual Results:  If the public key of the signature on the rpm file is present
on the keyserver, then the public key is automatically retrieved from the
keyserver, used for verifying the signature on the rpm file, and the result of
rpm --checksig says "gpg OK" while the user has never explicitly flagged the
public key as to be trusted.


Expected Results:  I expected a "gpg NOT OK". I would expect rpm to use the
trustdb of gnupg. I have the impression that this is not the case. The result of
"rpm --checksig" should somehow warn the user that the key was automatically
imported but that the key is not in the trustdb, so that the verification of the
signature should not be blindly trusted.
	

Additional info:

I would suggest the following modifications as solution:
First, the option no-auto-key-retrieve should by default be present in
~/.gnupg/options and a warning should be included in the remarks near the
keyserver option in the same file.
Second, I would make rpm use the trustdb of gnupg, or somehow make gnupg skip
the automatically retrieving of missing keys.

I'd very much appreciate some feedback on this bug report, since I don't feel
quite completely sure whether I'm correctly using gnupg and rpm. Maybe it's not
a bug at all. If so, my sincere apologies.