I have pgp 5.0i installed, and I tried to get it to work with the new rpm 3.0.2 in RedHat 6.0. I failed, and after having looked a bit at the code, I can't understand how it is supposed to ever work.

In lib/signature there is a function rpmDetectPGPVersion, which seems to be intended to verify the existence of the correct pgp version, and to return a path to the binary to execute. It looks for both "%_pgpbin" and the same with a "v" appended. I assume the intention is to find the command "pgpv", which is part of PGP 5 but not PGP 2. But then it first looks for "pgpbin", typically /usr/bin/pgp, and if it finds it, assumes PGP 2 is installed. But "pgp" is normally part of a PGP 5 installation too (and only gives an error message if invoked under that name).

It isn't strictly necessary to have any command "pgp" when running PGP 5. So one could have a non-standard setup with only the commands pgpv, pgps and pgpk. If one then sets "%_pgpbin" to /usr/bin/pgp, rpmDetectPGPVersion will correctly detect that PGP 5 is installed. But that doesn't help much, since it then won't be possible to call the command in the execlp() call later in the same file. There the path, without any "v" appended, is used to find the command to execute. And even if it worked, it would be a bit strange to require such a non-standard installation of pgp.

Rather, I'd suggest checking for PGP 5 first, and then PGP 2. The patch below implements my fix. It works fine on my system. I haven't tried it on a system with PGP 2, but I can't imagine how it could fail. (Which of course might be a sign of my lack of imagination. :-)

By the way, the comment about "preferring" PGP 2 to PGP 5 seems a bit strange to me. The word "prefer" seems to indicate a selection, but the task of the function is to DETECT which version is installed. It is not to choose between them, is it?
*** rpm-3.0.2/lib/signature.c~ Thu Apr 29 21:17:20 1999 --- rpm-3.0.2/lib/signature.c Fri Aug 6 23:00:43 1999 *************** *** 99,109 **** } sprintf(pgpvbin, "%sv", pgpbin); ! /* XXX Prefer pgp-2.6.3 over pgp5 */ ! if (stat(pgpbin, &statbuf) == 0) ! pgp_version = 26; ! else if (stat(pgpvbin, &statbuf) == 0) pgp_version = 50; else pgp_version = -1; --- 99,108 ---- } sprintf(pgpvbin, "%sv", pgpbin); ! if (stat(pgpvbin, &statbuf) == 0) pgp_version = 50; + else if (stat(pgpbin, &statbuf) == 0) + pgp_version = 26; else pgp_version = -1;
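Review bot: the reordered checks still decide on stat() alone, so a pgpv or pgp that exists but is not an executable regular file (a leftover directory, a 0644 file) is reported as installed and the later exec fails; check S_ISREG plus an execute bit, or access(X_OK), before setting pgp_version. The hunk also only changes detection: when pgp_version becomes 50 the execlp() later in the file must run pgpvbin rather than pgpbin, otherwise the pgpv/pgps/pgpk-only setup described above still detects PGP 5 and then cannot execute it. Finally, the unchanged context line sprintf(pgpvbin, "%sv", pgpbin) copies a macro-controlled %_pgpbin into a fixed buffer with no bound; snprintf with the buffer's size would close that off while the function is being touched.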
If both pgp5 and pgp-2.6.3 are installed, then rpm should use pgp-2.6.2 since the majority of packages are signed using that version of pgp and will not verify using pgp5. The fix will be to remove the silly test (i.e. adding a v to the value of %_pgpbin) and add a framework much like the support for gnupg. However, because of license issues with pgp5, this is not a high priority.
I don't understand the section on "will not verify using pgp5". PGP IS backward compatible, and PGP 5 can very well verify a PGP 2-signed package. At least the version I have installed!
Patch applied. Thanks for prodding me enough to verify that pgp5 indeed verifies pgp2.6.3 signed binaries.
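The detection order argued for in this thread, written out as an added example that is not rpm's code and not part of the original report: it tests the PGP 5 binary (pgpbin with "v" appended) before the PGP 2 binary, only accepts an executable regular file rather than anything stat() can see, and hands back the path that must actually be exec'd so detection and execution cannot disagree. The function and scenario names (detect_pgp_version, run_scenario, is_executable_file) and the throwaway directory layout are this example's own assumptions; the version codes 50 and 26 follow the patch above.

```c
/*
 * Added example, not rpm's own code: PGP 5-before-PGP 2 detection with an
 * executability check and a returned exec path. Names are hypothetical.
 */
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/stat.h>

/* Return 1 if path is a regular file with at least one execute bit set. */
static int is_executable_file(const char *path)
{
    struct stat sb;
    if (stat(path, &sb) != 0 || !S_ISREG(sb.st_mode))
        return 0;
    return (sb.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
}

/*
 * Detect the installed PGP generation from the configured %_pgpbin path.
 * Returns 50 for PGP 5 (pgpbin + "v" usable), 26 for PGP 2 (pgpbin usable),
 * -1 otherwise. On success execpath receives the binary that should be run.
 */
int detect_pgp_version(const char *pgpbin, char *execpath, size_t execlen)
{
    char pgpvbin[4096];

    /* Bounded copy; a %_pgpbin too long for the buffer is treated as absent. */
    if (snprintf(pgpvbin, sizeof pgpvbin, "%sv", pgpbin) >= (int)sizeof pgpvbin)
        return -1;

    /* PGP 5 ships pgpv and only optionally a stub named pgp, so pgpv goes first. */
    if (is_executable_file(pgpvbin)) {
        snprintf(execpath, execlen, "%s", pgpvbin);
        return 50;
    }
    if (is_executable_file(pgpbin)) {
        snprintf(execpath, execlen, "%s", pgpbin);
        return 26;
    }
    return -1;
}

/* Create an empty file dir/name and set its mode explicitly (umask-proof). */
static void make_file(const char *dir, const char *name, mode_t mode)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd >= 0) {
        close(fd);
        chmod(path, mode);
    }
}

static void remove_file(const char *dir, const char *name)
{
    char path[4096];
    snprintf(path, sizeof path, "%s/%s", dir, name);
    unlink(path);
}

/*
 * Constructed scenario: build a throwaway directory holding "pgp" and/or
 * "pgpv" with the given modes (0 = absent), point %_pgpbin at dir/pgp, run
 * detection, and return the detected version. Returns -3 if PGP 5 was
 * detected but the exec path handed back is not the pgpv binary.
 */
int run_scenario(mode_t pgp_mode, mode_t pgpv_mode)
{
    char dir[] = "/tmp/pgpdetectXXXXXX";
    char pgpbin[4096], execpath[4096];
    int version;

    if (mkdtemp(dir) == NULL)
        return -2;
    if (pgp_mode)  make_file(dir, "pgp",  pgp_mode);
    if (pgpv_mode) make_file(dir, "pgpv", pgpv_mode);

    snprintf(pgpbin, sizeof pgpbin, "%s/pgp", dir);
    version = detect_pgp_version(pgpbin, execpath, sizeof execpath);
    if (version == 50 && execpath[strlen(execpath) - 1] != 'v')
        version = -3;

    remove_file(dir, "pgp");
    remove_file(dir, "pgpv");
    rmdir(dir);
    return version;
}

int main(void)
{
    printf("both present        -> %d\n", run_scenario(0755, 0755)); /* 50 */
    printf("only pgp            -> %d\n", run_scenario(0755, 0));    /* 26 */
    printf("only pgpv           -> %d\n", run_scenario(0, 0755));    /* 50 */
    printf("pgp not executable  -> %d\n", run_scenario(0644, 0));    /* -1 */
    printf("nothing installed   -> %d\n", run_scenario(0, 0));       /* -1 */
    return 0;
}
```

The 0644 case is the one the original stat()-only check gets wrong: a stray non-executable file named pgp would have been reported as PGP 2 and then failed at exec time. Keeping the exec path as an output of the detection function, rather than recomputing it at the execlp() site, removes the mismatch the report describes.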