Bug 114240 - rpm --import does not check header of pubkey
Summary: rpm --import does not check header of pubkey
Keywords:
Status: CLOSED DEFERRED
Alias: None
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Jeff Johnson
QA Contact: Mike McLean
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2004-01-25 09:00 UTC by Olivier Baudron
Modified: 2007-11-30 22:10 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2004-01-25 13:38:42 UTC
Type: ---
Embargoed:



Description Olivier Baudron 2004-01-25 09:00:10 UTC
When a public key is imported, rpm does not complain when no header is
present. Here is how to reproduce the bug:

Save http://fedora.redhat.com/about/security/30C9ECF8.txt in a file
and remove the first two lines (the description of the key). Then,
import the key. Although it seems it worked, the key cannot be used
when verifying a package.

I noticed it because initially I imported the keys from a public key
server and I could not verify the packages.

There is another experience. Remove all public keys from the rpm
database. Then import a key without the first two lines. Then 'rpm -qa
gpg-pubkey*' outputs dozens of errors:

error: rpmdbNextIterator: skipping h#: 1554 Header V3 DSA signature:
BAD, key ID4f2a6fd2
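One way to reject a key file whose armor has been stripped or damaged in the way the report describes, as an added example written for this page and not code from rpm: it requires the BEGIN and END lines, verifies the radix-64 checksum line, and checks that the first decoded packet is an OpenPGP Public-Key Packet (tag 6). The armored key it validates is constructed inside the script from a placeholder packet and is not a real key; `armor()`, `check_armored_pubkey()` and `without_first_two_lines()` are names chosen here.

```python
"""Structural validation of an ASCII-armored OpenPGP public key before import.

Added example, not rpm's code. The key material below is constructed for
the demonstration and is not a real key.
"""
import base64

ARMOR_HEAD = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_TAIL = "-----END PGP PUBLIC KEY BLOCK-----"
PUBKEY_TAG = 6  # RFC 4880 section 5.5.1.1: Public-Key Packet


def crc24(data: bytes) -> int:
    """CRC-24 from RFC 4880 section 6.1 (the radix-64 checksum)."""
    crc = 0xB704CE
    for b in data:
        crc ^= b << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Wrap raw OpenPGP packets in a public key armor block (for the demo)."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_HEAD, "Version: constructed-example", "",
                      *lines, "=" + crc, ARMOR_TAIL, ""])


def check_armored_pubkey(text: str) -> tuple:
    """Return (ok, reason). ok is True only if the text is a complete armor
    block whose checksum matches and whose first packet is a Public-Key Packet."""
    lines = text.splitlines()
    if not lines or lines[0].strip() != ARMOR_HEAD:
        return False, "missing BEGIN PGP PUBLIC KEY BLOCK line"
    if ARMOR_TAIL not in lines:
        return False, "missing END PGP PUBLIC KEY BLOCK line"
    end = lines.index(ARMOR_TAIL)
    # Armor headers (Version:, Comment:, ...) run until the first blank line.
    if "" not in lines[1:end]:
        return False, "missing blank line between armor headers and data"
    blank = lines.index("", 1, end)
    body = lines[blank + 1:end]
    if not body or not body[-1].startswith("="):
        return False, "missing radix-64 checksum line"
    try:
        data = base64.b64decode("".join(body[:-1]), validate=True)
        given = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except ValueError:  # binascii.Error is a ValueError subclass
        return False, "radix-64 decoding failed"
    if crc24(data) != given:
        return False, "checksum mismatch"
    if not data or not data[0] & 0x80:
        return False, "data does not start with an OpenPGP packet header"
    first = data[0]
    # New-format header carries the tag in the low 6 bits; old-format in bits 2-5.
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F
    if tag != PUBKEY_TAG:
        return False, f"first packet has tag {tag}, expected {PUBKEY_TAG}"
    return True, "ok"


# Constructed packet: old-format header for tag 6 (0x98) with an 18-byte body,
# then a v4 key body with algorithm 17 (DSA) and placeholder MPIs. Not a usable key.
SAMPLE_PUBKEY_PACKET = bytes([0x98, 18, 4, 0, 0, 0, 0, 17]) + b"\x00\x03\x05" * 4
SAMPLE_ARMORED = armor(SAMPLE_PUBKEY_PACKET)


def without_first_two_lines(text: str) -> str:
    """Reproduce the report's edit: drop the BEGIN and Version lines."""
    return "\n".join(text.splitlines()[2:]) + "\n"


if __name__ == "__main__":
    print(check_armored_pubkey(SAMPLE_ARMORED))
    print(check_armored_pubkey(without_first_two_lines(SAMPLE_ARMORED)))
```

The intact block passes; the same block with its first two lines removed is rejected before any key material is stored, which is the check the report says `rpm --import` lacked. The packet-tag test is deliberately shallow (only the first packet header is parsed); a full importer would also parse the key body and its self-signatures.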

Comment 1 Jeff Johnson 2004-01-25 13:38:42 UTC
Yup. rpm supports only a subset of OpenPGP, and it's up to the
user to ensure that the pubkey is correct and imported correctly.

Yes, if you import a pubkey that associates the wrong fingerprint
with the parameters, then every signature check will fail, and
all headers read from the database will be identified as BAD.

