Bug 114240 - rpm --import does not check header of pubkey
Status: CLOSED DEFERRED
Product: Fedora
Classification: Fedora
Component: rpm
Version: rawhide
Hardware/OS: All Linux
Priority: medium
Severity: medium
Assigned To: Jeff Johnson
Mike McLean
Reported: 2004-01-25 04:00 EST by Olivier Baudron
Modified: 2007-11-30 17:10 EST
Doc Type: Bug Fix
Last Closed: 2004-01-25 08:38:42 EST
Description Olivier Baudron 2004-01-25 04:00:10 EST
When a public key is imported, rpm does not complain when no header is
present. Here is how to reproduce the bug:

Save http://fedora.redhat.com/about/security/30C9ECF8.txt in a file
and remove the first two lines (the description of the key). Then,
import the key. Although it seems it worked, the key cannot be used
when verifying a package.

I noticed it because initially I imported the keys from a public key
server and I could not verify the packages.

There is another experience. Remove all public keys from the rpm
database. Then import a key without the first two lines. Then 'rpm -qa
gpg-pubkey*' outputs dozens of errors:

error: rpmdbNextIterator: skipping h#: 1554 Header V3 DSA signature:
BAD, key ID4f2a6fd2
Comment 1 Jeff Johnson 2004-01-25 08:38:42 EST
Yup. rpm supports only a subset of OpenPGP, and it's up to the
user to ensure that the pubkey is correct and imported correctly.

Yes, if you import a pubkey that associates the wrong fingerprint
with the parameters, then every signature check will fail, and
all headers read from the database will be identified as BAD.
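The reproduction above strips the leading lines of the armored key file and rpm still imports it, and the reply's position is that checking the pubkey before import is the user's job. The script below is an added example of such a pre-import sanity check; it is not rpm's code, and the key material in it is a constructed placeholder packet, not a real Fedora key. It assumes the two removed lines are the `-----BEGIN PGP PUBLIC KEY BLOCK-----` line and the `Version:` armor header, and it checks three things rpm did not at the time: that the armor header and tail lines are present, that the armor CRC-24 (RFC 4880, section 6.1) matches the payload, and that the first packet is an OpenPGP Public-Key packet (tag 6).

```python
"""Pre-import sanity check for an ASCII-armored OpenPGP public key.

Added example, not rpm's own code. The armor parsing, CRC-24 and packet-tag
logic follow RFC 4880; the sample key below is a constructed placeholder.
"""
import base64
import binascii

ARMOR_BEGIN = "-----BEGIN PGP PUBLIC KEY BLOCK-----"
ARMOR_END = "-----END PGP PUBLIC KEY BLOCK-----"


def crc24(data: bytes) -> int:
    """CRC-24 as used for OpenPGP armor (init 0xB704CE, polynomial 0x1864CFB)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def packet_tag(first_byte: int) -> int:
    """Return the OpenPGP packet tag from a packet's first octet, or -1 if invalid."""
    if not first_byte & 0x80:          # bit 7 must be set in any packet header
        return -1
    if first_byte & 0x40:              # new-format header: tag is the low 6 bits
        return first_byte & 0x3F
    return (first_byte >> 2) & 0x0F    # old-format header: tag is bits 2-5


def check_armored_pubkey(text: str) -> tuple:
    """Return (ok, reason). Only ok=True input should be handed to rpm --import."""
    lines = text.splitlines()
    if ARMOR_BEGIN not in lines:
        return False, "missing armor header line"
    begin = lines.index(ARMOR_BEGIN)
    if ARMOR_END not in lines[begin:]:
        return False, "missing armor tail line"
    end = lines.index(ARMOR_END, begin)
    i = begin + 1
    while i < end and lines[i].strip():            # "Key: value" armor headers
        if ":" not in lines[i]:
            return False, "malformed armor header line"
        i += 1
    body = lines[i + 1:end]                        # after the mandatory blank line
    if not body or not body[-1].startswith("="):
        return False, "missing armor CRC line"
    try:
        payload = base64.b64decode("".join(body[:-1]), validate=True)
        stated = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    except (binascii.Error, ValueError):
        return False, "invalid base64 in armor body"
    if not payload:
        return False, "empty armor body"
    if crc24(payload) != stated:
        return False, "CRC-24 mismatch"
    tag = packet_tag(payload[0])
    if tag != 6:
        return False, f"first packet is tag {tag}, not a Public-Key packet"
    return True, "ok"


def make_armor(packet: bytes) -> str:
    """Wrap raw packet bytes in armor; used here only to build constructed samples."""
    b64 = base64.b64encode(packet).decode()
    crc = "=" + base64.b64encode(crc24(packet).to_bytes(3, "big")).decode()
    return "\n".join([ARMOR_BEGIN, "Version: constructed sample", "",
                      *(b64[j:j + 64] for j in range(0, len(b64), 64)),
                      crc, ARMOR_END, ""])


# Constructed placeholder: old-format header 0x99 (tag 6, 2-octet length = 14),
# then a v4 public-key body skeleton (version, creation time, algo 17 = DSA,
# zero filler). It is NOT a real key and can verify nothing.
FAKE_PUBKEY_PACKET = b"\x99\x00\x0e" + b"\x04" + b"\x40\x0f\x2a\x6d" + b"\x11" + b"\x00" * 8
SAMPLE_ARMOR = make_armor(FAKE_PUBKEY_PACKET)


def reporter_input() -> str:
    """The bug's reproduction: the armored file minus its first two lines."""
    return "\n".join(SAMPLE_ARMOR.splitlines()[2:]) + "\n"


def tampered_input() -> str:
    """The same armor with one base64 character in the body changed."""
    return SAMPLE_ARMOR.replace("\nmQAO", "\nnQAO", 1)


def wrong_packet_input() -> str:
    """Well-formed armor whose payload is a Signature packet (tag 2), not a key."""
    return make_armor(b"\x88\x03" + b"\x04\x00\x00")


if __name__ == "__main__":
    for name, text in [("sample", SAMPLE_ARMOR), ("stripped", reporter_input()),
                       ("tampered", tampered_input()), ("signature", wrong_packet_input())]:
        print(name, check_armored_pubkey(text))
```

Running the file prints the verdict for the intact sample, the reporter's stripped file, a body with a flipped base64 character and an armor that carries a signature packet instead of a key; only the first passes. The check covers structure and transport integrity, not the key itself: it says nothing about whether the fingerprint belongs to the party you expect, so comparing the imported key's fingerprint against a trusted source is still required, which is the point the reply makes.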
