> On Sep 10, 2016, at 2:32 PM, Tomasz Pala <[email protected]> wrote:
>
> On Sat, Sep 10, 2016 at 09:46:17 -0400, Jeffrey Johnson wrote:
>
>>>> is not enough/complete. And I've just found this (some 'triple negation'
>>>> issues), as recently noted in
>>>> http://rpm5.org/community/rpm-devel/5655.html
>>>>
>>>> Jeff, this seems to BE the case - verification is reverted only for
>>>> --query mode, --verify mode works as expected.
> [...]
>> What was the fix?
>>
>> AFAIK, the problem was concatenating both an armored RSA and a DSA pubkey in
>> the same file.
>>
>> Separate files (or separate "rpm --import 0x?????? by keyid using hkp://)
>> are "fixes".
>
> The patch from the rpm-devel maillist above fixed --nosignature working
> the opposite way as expected, i.e. verifying signature with
> --nosignature option given and NOT verifying it by default in --query
> mode. And it does not break proper behaviour in --verify mode.
>
Thanks for the pointer.
Yes, the behavior is (likely, not personally verified, just from memory)
reversed.
I’d still claim that reversing the sense of the tests isn’t the right patch: the
root cause is a change in the default setting of the bit(s) that control
signature checking.
The better patch (headed toward elimination of --nosignature disablers)
is to wrap the tests on the --query path with
#if defined(SUPPORT_NOSIGNATURES)
…
#endif
and then rip out the --nosignature option entirely.
Feel free to patch rpm to do whatever you wish when I rip out
--nosignature/--nodigest disablers. KISS determinism (if that can be
applied to *.rpm signature verification) is far easier to maintain/support.
73 de Jeff
> --
> Tomasz Pala <[email protected]>
> _______________________________________________
> pld-devel-en mailing list
> [email protected]
> http://lists.pld-linux.org/mailman/listinfo/pld-devel-en