Red Hat Bugzilla – Bug 65417
rpmVerifySignature() never returns RPMSIG_NOTTRUSTED for GPG signatures
Last modified: 2008-05-01 11:38:02 EDT
Description of Problem:
Looking at the RPM sources, in lib/signature.c, verifyGPGSignature() seems to be
able to return RPMSIG_OK, RPMSIG_BAD, and RPMSIG_NOKEY, but not
RPMSIG_NOTTRUSTED. This is unfortunate, especially since verifyPGPSignature()
can return RPMSIG_NOTTRUSTED. This is similarly manifest in the fact that
rpm --checksig makes no adverse comment at all when checking a signature made
by an untrusted GPG key, where its source (lib/rpmchecksig.c) implies that an
untrusted PGP key would have caused verification to fail.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Look at lib/signature.c, and note that verifyGPGSignature() can't return
No occurrence of RPMSIG_NOTTRUSTED in verifyGPGSignature()
Some route by which verifyGPGSignature() can return RPMSIG_NOTTRUSTED.
rpm has no concept of trusted, depends
entirely on the gpg/pgp helpers for
its trust model.
Add -vv, and you will see exactly
what the helper considers to be adequate
feedback for "trusted".
rpm -Kvv says:
D: Expected size: 34323199 = lead(96)+sigs(241)+pad(7)+data(34322855)
D: Actual size: 34323199
MD5 sum OK: 1e0d919c17218fc066e25ee25db552f0
gpg: Signature made Thu 23 May 2002 13:23:22 BST using DSA key ID E4D7035D
gpg: Good signature from "Ben Harris (PWF Linux package signing) <email@example.com>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg: There is no indication that the signature belongs to the owner.
gpg: Fingerprint: 1146 14EB 8E76 FE40 1001 0D41 7C8C 7D09 E4D7 035D
i.e. GPG returns a big warning, which rpmlib ignores.
With PGP, on the other hand, it looks like rpmlib has code to spot that kind of
warning and return RPMSIG_NOTTRUSTED:
else if (!strncmp("WARNING: The signing key is not trusted", buf, 39))
res = RPMSIG_NOTTRUSTED;
If there really is a policy of ignoring trust problems, then
verifyPGPSignature() should be modified to comply with it.
No there isn't a "policy", the trust model is
opaque to rpm.
FYI, both gpg/pgp helpers have been eliminated
in rpm-4.1 in favor of direct DSA verification
from public keys retrieved from an rpm database.
Created attachment 58324 [details]
This is the patch I've applied locally to make RPM do what I want.