
RPM signature verification


RPM signature verification

Malte Gell-3
Hi there,

does RPM need to run gpg to verify signatures or is this hardcoded
directly into RPM?

What is the default behaviour of rpm if signature verification fails for
whatever reason, does rpm abort installation of the package?

thanx
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: RPM signature verification

Marcus Meissner
On Wed, Oct 05, 2016 at 11:03:28PM +0200, Malte Gell wrote:
> Hi there,
>
> does RPM need to run gpg to verify signatures or is this hardcoded
> directly into RPM?

rpm has GPG signature verification built-in.
 
> What is the default behaviour of rpm if signature verification fails for
> whatever reason, does rpm abort installation of the package?

Depends.

By default libzypp (and so zypper/yast2) checks the YUM repository for signatures and
follows the SHA256 checksums for the content including the RPMs.

The RPMs checksum is not checked.

New libzypp versions can however check RPM signatures instead of repository
signatures.

Ciao, Marcus
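Marcus's point that rpm verifies GPG signatures itself is only half the story for anything scripted: `rpm -K` prints "digests OK" for an unsigned package and exits 0, so a zero exit status does not prove that a signature was verified. The shell snippet below is an added example, not code from this thread or from the rpm project; it classifies the output of `rpm -Kv` and treats only a verified signature line as success. The three sample outputs are constructed in rpm 4.x `-Kv` style, and the package names and key ID in them are made up.

```shell
#!/bin/sh
# Added example: decide from `rpm -Kv` output whether a package's signature
# was actually verified. rpm exits 0 for an unsigned package whose digests
# match, so the exit status alone is not enough.

# rpm_sig_verdict: reads `rpm -Kv` output on stdin and prints one word:
#   signed-ok  a signature line reported OK and nothing reported a failure
#   unsigned   only digest lines were present
#   failed     some line ended in NOKEY, BAD, NOTTRUSTED or similar
# Exit status is 0 only for signed-ok, so it can guard an install step.
rpm_sig_verdict() {
  saw_sig=0; saw_bad=0
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      *:)                  ;;              # "name.rpm:" header line
      *Signature*": OK")   saw_sig=1 ;;    # verified signature
      *": OK")             ;;              # digest line, says nothing about signing
      *:*)                 saw_bad=1 ;;    # any other status (NOKEY, BAD, ...)
    esac
  done
  if [ "$saw_bad" = 1 ]; then echo failed;    return 2; fi
  if [ "$saw_sig" = 1 ]; then echo signed-ok; return 0; fi
  echo unsigned; return 1
}

# check_rpm FILE: run the real tool (needs rpm on PATH) and classify its output.
check_rpm() {
  rpm -Kv "$1" | rpm_sig_verdict
}

# Constructed sample outputs in rpm 4.x `-Kv` style; names and key ID are made up.
SAMPLE_SIGNED='foo-1.0-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 01234567: OK
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 01234567: OK
    MD5 digest: OK'
SAMPLE_UNSIGNED='bar-1.0-1.x86_64.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'
SAMPLE_NOKEY='baz-1.0-1.x86_64.rpm:
    Header V3 RSA/SHA256 Signature, key ID 01234567: NOKEY
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 01234567: NOKEY
    MD5 digest: OK'
```

Used as `check_rpm pkg.rpm && rpm -i pkg.rpm`, the install only proceeds after a signature verified against a key already in the rpm keyring; an unsigned package, or one signed with a key rpm does not have, is refused rather than waved through on matching digests.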


Re: RPM signature verification

Anton Aylward-2
On 10/06/2016 02:53 AM, Marcus Meissner wrote:

>
> New libzypp versions can however check RPM signatures instead of repository
> signatures.

You say "CAN".

a) when you say 'new', what version does that feature start with

b) is that something you set in the config file, the command line for the CLI,
or a check-box in Yast?

--
The scientific name for an animal that doesn't either run from or fight its
enemies is lunch.
  -- Michael Friedman


Re: RPM signature verification

Marcus Meissner
On Thu, Oct 06, 2016 at 06:56:50AM -0400, Anton Aylward wrote:

> On 10/06/2016 02:53 AM, Marcus Meissner wrote:
>
> >
> > New libzypp versions can however check RPM signatures instead of repository
> > signatures.
>
> You say "CAN".
>
> a) when you say 'new', what version does that feature start with
>
> b) is that something you set in the config file, the command line for the CLI,
> or a check-box in Yast?

In the zypp.conf file, and overwritten in the repository configs.

According to the changelog it was added in libzypp 15.2.0

- zypp.conf: Add config values for gpgcheck, repo_gpgcheck
  and pkg_gpgcheck. The default behavior 'gpgcheck=On' will
  automatically turn on the gpg signature check for packages
  downloaded from repository with unsigned metadata. If the
  repo metadata are signed, a faster comparison via checksums
  is done. By explicitly setting repo_gpgcheck or pkg_gpgcheck
  you can enforce the signature check of repository metadata
  or downloaded packages to be always performed. Those defaults
  can be overwritten per repository. (FATE#314603)
- version 15.2.0 (2)

So appeared with openSUSE Leap 42.1.

Ciao, Marcus
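To see what the three settings in the changelog entry Marcus quotes mean for a given repository, here is an added shell example (not from this thread and not libzypp's own code) that reads gpgcheck, repo_gpgcheck and pkg_gpgcheck from a zypp.conf and a .repo file and reports which checks apply. It follows the rules as stated in that entry: an unset value in the repo file falls back to zypp.conf, an explicit repo_gpgcheck or pkg_gpgcheck forces that check on or off, and with only the default gpgcheck=on packages are individually checked just when the repository metadata is unsigned. The two sample configuration files are constructed and written to a temporary directory; their repository names and URLs are placeholders, and the fallback order is my reading of the changelog rather than something taken from libzypp's source.

```shell
#!/bin/sh
# Added example: report which signature checks libzypp will apply to a repo,
# using the gpgcheck / repo_gpgcheck / pkg_gpgcheck semantics from the
# libzypp 15.2.0 changelog. The fallback order (repo file, then zypp.conf,
# then built-in default) is an assumption drawn from that changelog text.

# ini_get FILE KEY: print the last uncommented "KEY = value" in FILE, or nothing.
ini_get() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" "$1" | tail -n 1
}

# norm VALUE: map on/yes/1/true to 1, off/no/0/false to 0, anything else to "" (unset).
norm() {
  case "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" in
    1|on|yes|true)  echo 1 ;;
    0|off|no|false) echo 0 ;;
    *)              echo "" ;;
  esac
}

# setting KEY ZYPP_CONF REPO_FILE: the repo file wins, then zypp.conf, else "".
setting() {
  v=$(norm "$(ini_get "$3" "$1")")
  [ -n "$v" ] || v=$(norm "$(ini_get "$2" "$1")")
  echo "$v"
}

# effective_checks ZYPP_CONF REPO_FILE METADATA_SIGNED(1|0)
# prints "repo=<0|1> pkg=<0|1>": whether repository metadata signatures and
# individual package signatures will be verified for this repo.
effective_checks() {
  gpgcheck=$(setting gpgcheck "$1" "$2")
  [ -n "$gpgcheck" ] || gpgcheck=1          # 'gpgcheck=On' is the default
  repo=$(setting repo_gpgcheck "$1" "$2")
  pkg=$(setting pkg_gpgcheck "$1" "$2")
  # Unset repo_gpgcheck simply follows gpgcheck.
  [ -n "$repo" ] || repo=$gpgcheck
  # Unset pkg_gpgcheck: with gpgcheck on, packages are checked only when the
  # metadata is unsigned; signed metadata lets the checksums stand in.
  if [ -z "$pkg" ]; then
    if [ "$gpgcheck" = 1 ] && [ "$3" = 0 ]; then pkg=1; else pkg=0; fi
  fi
  echo "repo=$repo pkg=$pkg"
}

# Constructed sample configuration (not a real system's files).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/zypp.conf" <<'EOF'
[main]
## stock defaults: gpgcheck on, the two specific knobs left unset
gpgcheck = on
# repo_gpgcheck =
# pkg_gpgcheck =
EOF
cat > "$SAMPLE_DIR/strict.repo" <<'EOF'
[strict-oss]
name=Strict repo (constructed)
enabled=1
baseurl=http://mirror.example.com/leap/42.1/oss/
type=rpm-md
gpgcheck=1
pkg_gpgcheck=1
EOF
cat > "$SAMPLE_DIR/lax.repo" <<'EOF'
[lax-addon]
name=Lax add-on (constructed)
enabled=1
baseurl=http://mirror.example.com/addon/
type=rpm-md
gpgcheck=0
EOF
```

On a real system, run `effective_checks /etc/zypp/zypp.conf /etc/zypp/repos.d/<name>.repo <0|1>` for each repository, passing 1 when its repomd.xml carries a signature. A repository with unsigned metadata and gpgcheck=0 ends up with `repo=0 pkg=0`, i.e. nothing is verified at all; setting pkg_gpgcheck=1 per repository, as in the strict sample, is the one knob that guarantees every downloaded RPM is signature-checked regardless of the metadata.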


Re: RPM signature verification

Anton Aylward-2
On 10/06/2016 07:06 AM, Marcus Meissner wrote:
> According to the changelog it was added in libzypp 15.2.0
>
> ....
>
> So appeared with openSUSE Leap 42.1.

Will that be backported to 13.1, 13.2, Tumbleweed, etc etc?


--
For ages, a deadly conflict has been waged between a few brave men and
women of thought and genius upon the one side, and the great ignorant
religious mass on the other. This is the war between Science and Faith.
The few have appealed to reason, to honor, to law, to freedom, to the
known, and to happiness here in this world. The many have appealed to
prejudice, to fear, to miracle, to slavery, to the unknown, and to
misery hereafter. The few have said "Think" The many have said "Believe!"
    --Robert Ingersoll (Gods)


Re: RPM signature verification

Marcus Meissner
On Thu, Oct 06, 2016 at 07:31:11AM -0400, Anton Aylward wrote:
> On 10/06/2016 07:06 AM, Marcus Meissner wrote:
> > According to the changelog it was added in libzypp 15.2.0
> >
> > ....
> >
> > So appeared with openSUSE Leap 42.1.
>
> Will that be backported to 13.1, 13.2, Tumbleweed, etc etc?

Tumbleweed has a newer libzypp, the older ones will not get it.
(13.2 has 3 months lifetime left, not sure about 13.1)

Ciao, Marcus
