Bug 4564 - rpm 3.0.2 6.0 don't work with pgp 5
rpm 3.0.2 6.0 don't work with pgp 5
Status: CLOSED CURRENTRELEASE
Product: Red Hat Linux
Classification: Retired
Component: rpm (Show other bugs)
6.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Jeff Johnson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 1999-08-17 06:50 EDT by Göran Uddeborg
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 1999-08-18 13:06:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Göran Uddeborg 1999-08-17 06:50:10 EDT
I have pgp 5.0i installed, and I tried to get it to work
with the new rpm 3.0.2 in RedHat 6.0.  I failed, and after
having looked a bit at the code, I can't understand how it
is supposed to ever work.

In lib/signature there is a function rpmDetectPGPVersion,
which seems to be intended to verify the existense of the
correct pgp version, and to return a path to the binary to
execute.

It looks for both "%_pgpbin" and the same with a "v"
appended.  I assume the intention is to find the command
"pgpv" which is part of PGP 5 but not PGP 2.

But then it first looks for "pgpbin", typically
/usr/bin/pgp, and if it finds it, assumes PGP 2 is
installed.  But "pgp" is normally part of a PGP 5
installation too.  (And only gives an error message if
invoked under that name.)

It isn't strictly necessary to have any command "pgp" when
running PGP 5.  So one could have a non-standard setup with
only the commands pgpv, pgps, pgpk.  If one then sets
"%_pgpbin" to /usr/bin/pgp, and rpmDetectPGPVersion will
correctly detect that PGP 5 is installed.

But that doesn't help much, since it then won't be possible
to call the command in the execlp() call later in the same
file.  There the path, without any "v" appended, is used to
find the command to execute.

And even if it worked, it would be a bit strange to require
such a non-standard installation of pgp.

Rather, I'd suggest to check for PGP 5 first, and then PGP
2.  The patch below implements my fix.  It works fine on my
system.  I haven't tried it on a system with PGP 2, but I
can't imagine how it could fail.  (Which of course might be
a sign of my lack of imagination. :-)

By the way, the comment about "preferring" PGP 2 to PGP 5
seems a bit strange to me.  The word "prefer" seems to
indicate a selection, but the task of the function is to
DETECT which version is installed.  It is not to choose
between them, is it?

*** rpm-3.0.2/lib/signature.c~  Thu Apr 29 21:17:20 1999
--- rpm-3.0.2/lib/signature.c   Fri Aug  6 23:00:43 1999
***************
*** 99,109 ****
        }
        sprintf(pgpvbin, "%sv", pgpbin);

!       /* XXX Prefer pgp-2.6.3 over pgp5 */
!       if (stat(pgpbin, &statbuf) == 0)
!         pgp_version = 26;
!       else if (stat(pgpvbin, &statbuf) == 0)
          pgp_version = 50;
        else
          pgp_version = -1;

--- 99,108 ----
        }
        sprintf(pgpvbin, "%sv", pgpbin);

!       if (stat(pgpvbin, &statbuf) == 0)
          pgp_version = 50;
+       else if (stat(pgpbin, &statbuf) == 0)

+         pgp_version = 26;
        else
          pgp_version = -1;
Comment 1 Jeff Johnson 1999-08-17 09:49:59 EDT
If both pgp5 and pgp-2.6.3 are installed, then rpm should
use pgp-2.6.2 since the majority of packages are signed using
that version of pgp and will not verify using pgp5.

The fix will be to remove the silly test (i.e. adding a v to
the value of %_pgpbin) and add a framework much like the support
for gnupg. Howvere, because of license issues with pgp5, this
is not a high priority.If both pgp5 and pgp-2.6.3 are installed, then rpm should
use pgp-2.6.2 since the majority of packages are signed using
that version of pgp and will not verify using pgp5.

The fix will be to remove the silly test (i.e. adding a v to
the value of %_pgpbin) and add a framework much like the support
for gnupg. Howvere, because of license issues with pgp5, this
is not a high priority.
Comment 2 Göran Uddeborg 1999-08-17 14:08:59 EDT
I don't understand the section on "will not verify using pgp5".  PGP
IS backward compatible, and PGP 5 can very well verify a PGP 2-signed
package.  At least the version I have installed!
Comment 3 Jeff Johnson 1999-08-18 13:06:59 EDT
Patch applied. Thanks for prodding me enough to verify that pgp5
indeed verifies pgp2.6.3 signed binaries.

Note You need to log in before you can comment on or make changes to this bug.