Re: [Rpm-maint] [rpm-software-management/rpm] Simplify pubkey header building code (#1625)
> rpmPubkeyDig() is a public API function, we can't just drop it. How many (important) API dependencies we have? What if I do the corresponding patch for libdnf as well? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/1625#issuecomment-816436459___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Simplify pubkey header building code (#1625)
> We can’t drop it, but we can certainly stop using it internally :) OK let's reduce the change to internal scope. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/1625#issuecomment-815999890___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Simplify pubkey header building code (#1625)
@dmantipov pushed 1 commit. bbe2b67d292b7d274487af1a911b5cf3ac511751 Simplify pubkey header building code -- You are receiving this because you are subscribed to this thread. View it on GitHub: https://github.com/rpm-software-management/rpm/pull/1625/files/0cd7dd1d9cf59900bd034d9f386524c56a0c2bf8..bbe2b67d292b7d274487af1a911b5cf3ac511751 ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
[Rpm-maint] [rpm-software-management/rpm] Simplify pubkey header building code (#1625)
At makePubkeyHeader(), the key has PGP data collected already, so rpmPubkeyDig() is redundant. And, since the former is the only user of the latter, which, in turn, mostly duplicates the functionaliry of rpmPubkeyNew(), rpmPubkeyDig() may be dropped. You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/1625 -- Commit Summary -- * Simplify pubkey header building code -- File Changes -- M lib/rpmts.c (9) M rpmio/rpmkeyring.c (29) M rpmio/rpmkeyring.h (7) -- Patch Links -- https://github.com/rpm-software-management/rpm/pull/1625.patch https://github.com/rpm-software-management/rpm/pull/1625.diff -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/1625 ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
[Rpm-maint] [rpm-software-management/rpm] Fix memory leak (#1619)
You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/1619 -- Commit Summary -- * Fix memory leak -- File Changes -- M python/rpmkeyring-py.c (10) -- Patch Links -- https://github.com/rpm-software-management/rpm/pull/1619.patch https://github.com/rpm-software-management/rpm/pull/1619.diff -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/1619 ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)
> this still needs a cryptographic signature check Is it enough to get zero from `pgpVerifySignature()`? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-814171434___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)
I'll investigate how to dig for fingerprints; here is the version with key IDs. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-811769055___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)
Well, it seems it would be helpful to have some advice here. In my local setup, packets analysis code detects the following, in that order: ` PGPTAG_PUBLIC_KEY; [1] public key id saved PGPTAG_SIGNATURE PGPSUBTYPE_SIG_CREATE_TIME PGPSUBTYPE_REVOKE_REASON ; [2] revoke reason PGPSUBTYPE_ISSUER_KEYID; [3] key id match saved at [1] PGPTAG_USER_ID PGPTAG_SIGNATURE PGPSUBTYPE_SIG_CREATE_TIME PGPSUBTYPE_KEY_FLAGS PGPSUBTYPE_KEY_EXPIRE_TIME PGPSUBTYPE_PREFER_SYMKEY PGPSUBTYPE_PREFER_HASH PGPSUBTYPE_PREFER_COMPRESS PGPSUBTYPE_FEATURES PGPSUBTYPE_KEYSERVER_PREFERS PGPSUBTYPE_ISSUER_KEYID; key id match saved at [1] PGPTAG_USER_ID PGPTAG_SIGNATURE PGPSUBTYPE_SIG_CREATE_TIME PGPSUBTYPE_KEY_FLAGS PGPSUBTYPE_KEY_EXPIRE_TIME PGPSUBTYPE_PREFER_SYMKEY PGPSUBTYPE_PREFER_HASH PGPSUBTYPE_PREFER_COMPRESS PGPSUBTYPE_FEATURES PGPSUBTYPE_KEYSERVER_PREFERS PGPSUBTYPE_ISSUER_KEYID; key id match saved at [1] PGPTAG_PUBLIC_SUBKEY ; subkey saved for later analysis PGPTAG_SIGNATURE PGPSUBTYPE_SIG_CREATE_TIME PGPSUBTYPE_KEY_FLAGS PGPSUBTYPE_KEY_EXPIRE_TIME PGPSUBTYPE_ISSUER_KEYID; key id match saved at [1] PGPSUBTYPE_EMBEDDED_SIG PGPTAG_SIGNATURE PGPSUBTYPE_SIG_CREATE_TIME PGPSUBTYPE_SIGNER_USERID PGPSUBTYPE_ISSUER_KEYID; key id match saved at [1] ` So, if [2] is detected and key id at [3] matches key id saved at [1], can I assume that the key (and so all subkeys) is revoked? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-811146766___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)
> (that stuff really needs proper docs, sigh...) Is it intended to describe mechanism or policy? It seems that these two are mixed through the whole code base in an obfuscating and weird way. For example, what's expected to happen if someone try --nosignature install of a package build with `%_pkgverify_level all`? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-809403100___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)
> There's already an enforcing mode for signature checking at install time Is it controlled by the command-line option? I've found only --nodigest and --nosignature, both meaning an opposite to what we're talking about here. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-809262449___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked or expired (#1598)
> actual interaction with the rest of rpm What about adding configure-time option, say, --enable-enforced-signatures? If configured and compiled with this one, RPM should refuse to install the package if no signature at all or (sub)key(s) has been revoked or expired. This may be useful for the distributions where paranoid security checks are essential. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-808720083___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked (#1598)
> it is not going to be the grand rewrite of everything So is it worth spending time trying to improve current OpenPGP support? Not sure about complete, RFC4880-compilant implementation, but revocation and expiration at least? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-806552114___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked (#1598)
> Given the complexity of a full implementation, I wonder if we would be better > off ditching OpenPGP entirely in RPMv6. What about offloading this to external library like gpgme? -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-806537333___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Installation / verification should not pass if the (sub)key(s) has been revoked (#1598)
Note https://github.com/dmantipov/rpm/commit/0f8654d3f276ec0500831ed92a0f57bff648f0c8 is not pretended to be correct in general and likely may handle the only particular case. I just want to make sure that I'm moving in the right direction. -- You are receiving this because you are subscribed to this thread. Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-805993425___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint