Red Hat Bugzilla – Bug 114240
rpm --import does not check header of pubkey
Last modified: 2007-11-30 17:10:35 EST
When a public key is imported, rpm does not complain when no header is
present. Here is how to reproduce the bug:
Save http://fedora.redhat.com/about/security/30C9ECF8.txt in a file
and remove the first two lines (the description of the key). Then,
import the key. Although it seems it worked, the key cannot be used
when verifying a package.
I noticed it because initially I imported the keys from a public key
server and I could not verify the packages.
There is an other experience. Remove all public keys from the rpm
database. Then import a key without the first two lines. Then 'rpm -qa
gpg-pubkey*' outputs dozens of errors:
error: rpmdbNextIterator: skipping h#: 1554 Header V3 DSA signature:
BAD, key ID4f2a6fd2
Yup. rpm supports only a subset of OpenPGP, and it's up to the
user to insure that the pubkey is correct and imported correctly.
Yes, if you import a pubkey that associates the wrong fingerprint
with the parameters, then every signature check will fail, and
all headers read from the database will be identified as BAD.