RPM

Comment 16 for bug 635868

In , Till (till-redhat-bugs) wrote:

(In reply to comment #12)
> Re
> > If this is the case, then rpm should pass --force-v3-sigs to gpg when using
> > --addsign.
>
> The gpg signing invocation used by rpm is entirely configurable with macros:
>
> %__gpg_sign_cmd %{__gpg} \
>     gpg --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning \
>     -u "%{_gpg_name}" -sbo %{__signature_filename} %{__plaintext_filename}
>
> Feel free to do whatever you wish. I supplied the hysterical details re V3 RSA
> signatures for reference purposes.

Except that this is not what is written in the manpage, but I filed a different bug about this. (bug: 476201). Also the interface is not documented. Is it also possible to make rpm not ask for the password? It always does, even if I change the gpg command to use the agent instead.

> Note that however this #436812 featlet/bugture is resolved, most rpm
> implementations in "production" do not correctly handle RSA V4 signatures.

Unless the rpm in Fedora does not break packages if it does not like the signature.

> (aside)
> You'd think a package signer would verify that, indeed, a package verifies
> after signing:
> rpm -Kvv *.rpm

This behaviour seems to depend on the rpm version used, so maybe it worked for the package signer.

(In reply to comment #12)

> Personally I'd rather see the RPM crypto implementation "Just Work" rather than
> limit the functionality to V3 signatures only. But that also means that rpm
> verification will need every algorithm that might ever be used by gpg when
> signing, including MD2/tiger192 hashes and ECDSA and odd-ball variants of DSA
> with q={224,256} bits > 1024 and (likely soon) RSA/MD6 or whatever is chosen
> from the SHA-3 competition.

I agree here.