At the moment rpm will load keys from a pre-defined directory
(`%{_keyringpath}`) and **only** if no keys are found there, will it try to
load keys from the rpmdb:
https://github.com/rpm-software-management/rpm/blob/1efe530450b5bdbd90128327be56c87fa1b6843b/lib/rpmts.c#L382

This is a bit unfortunate imho, because at least as far as I am aware, no
distribution really uses `%_keyringpath` to store keys there (the directory
does not exist on openSUSE Tumbleweed nor on Fedora 33 and it is also not
provided by any package). Now if someone drops a `*.key` file into
`%_keyringpath`, they'll effectively kill key verification as everyone appears
to be storing keys in the rpmdb nowadays.

Therefore I would propose to revert
https://github.com/rpm-software-management/rpm/commit/9d200565744d3023053d64f627c82cf2451fa701.
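
An added audit sketch, not part of the original report and not rpm's own code: it checks whether any `*.key` file in `%{_keyringpath}` would make rpm skip the keys stored in the rpmdb, as the report describes. The function names and the `--audit` switch are hypothetical, and it assumes that any file matching `*.key` counts as a found key.

```shell
#!/bin/sh
# Added example (assumption-labelled, not rpm code): detect *.key files in
# the rpm keyring directory, which per the report take precedence over rpmdb.

# Print each *.key entry in directory $1, one per line (nothing if none).
keyring_files() {
    for f in "$1"/*.key; do
        # An unmatched glob stays literal; -e filters it out.
        [ -e "$f" ] && printf '%s\n' "$f"
    done
    return 0
}

# Print "keyringpath" if directory $1 holds any *.key file, else "rpmdb".
# Assumption: every matching file is treated as a key that was found.
effective_key_source() {
    if [ -n "$(keyring_files "$1")" ]; then
        echo keyringpath
    else
        echo rpmdb
    fi
}

# Audit the live system. Returns 0 when rpmdb keys are in effect, 1 when
# files in the keyring directory shadow them, 2 when rpm is not installed.
audit_keyring() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not found" >&2; return 2; }
    dir=$(rpm --eval '%{_keyringpath}')
    if [ "$(effective_key_source "$dir")" = keyringpath ]; then
        echo "WARNING: key files in $dir shadow the rpmdb keyring:"
        keyring_files "$dir" | while IFS= read -r f; do
            # Owner, mode and mtime help decide whether the file is expected.
            ls -ld -- "$f"
        done
        return 1
    fi
    echo "OK: no *.key files in $dir; keys come from the rpmdb"
}

# Run against the live system only when asked to.
if [ "${1:-}" = "--audit" ]; then
    audit_keyring
fi
```

A non-zero result from `audit_keyring` is a prompt to check who created the listed files and when, since the report notes that no package on openSUSE Tumbleweed or Fedora 33 ships that directory.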