Description of Problem: Looking at the RPM sources, in lib/signature.c, verifyGPGSignature() seems to be able to return RPMSIG_OK, RPMSIG_BAD, and RPMSIG_NOKEY, but not RPMSIG_NOTTRUSTED. This is unfortunate, especially since verifyPGPSignature() can return RPMSIG_NOTTRUSTED. This is similarly manifest in the fact that rpm --checksig makes no adverse comment at all when checking a signature made by an untrusted GPG key, where its source (lib/rpmchecksig.c) implies that an untrusted PGP key would have caused verification to fail. Version-Release number of selected component (if applicable): 4.0.4-7x.18 How Reproducible: Inspection Steps to Reproduce: 1. Look at lib/signature.c, and note that verifyGPGSignature() can't return RPMSIG_NOTTRUSTED. Actual Results: No occurrence of RPMSIG_NOTTRUSTED in verifyGPGSignature() Expected Results: Some route by which verifyGPGSignature() can return RPMSIG_NOTTRUSTED. Additional Information:
rpm has no concept of trusted, depends entirely on the gpg/pgp helpers for its trust model. Add -vv, and you will see exactly what the helper considers to be adequate feedback for "trusted".
rpm -Kvv says: D: Expected size: 34323199 = lead(96)+sigs(241)+pad(7)+data(34322855) D: Actual size: 34323199 kernel-2.4.18-3.0.src.rpm: MD5 sum OK: 1e0d919c17218fc066e25ee25db552f0 gpg: Signature made Thu 23 May 2002 13:23:22 BST using DSA key ID E4D7035D gpg: Good signature from "Ben Harris (PWF Linux package signing) <bjh21.uk>" gpg: WARNING: This key is not certified with a trusted signature! gpg: There is no indication that the signature belongs to the owner. gpg: Fingerprint: 1146 14EB 8E76 FE40 1001 0D41 7C8C 7D09 E4D7 035D i.e. GPG returns a big warning, which rpmlib ignores. With PGP, on the other hand, it looks like rpmlib has code to spot that kind of warning and return RPMSIG_NOTTRUSTED: else if (!strncmp("WARNING: The signing key is not trusted", buf, 39)) res = RPMSIG_NOTTRUSTED; If there really is a policy of ignoring trust problems, then verifyPGPSignature() should be modified to comply with it.
No there isn't a "policy", the trust model is opaque to rpm. FYI, both gpg/pgp helpers have been eliminated in rpm-4.1 in favor of direct DSA verification from public keys retrieved from an rpm database.
Created attachment 58324 [details] This is the patch I've applied locally to make RPM do what I want.