[Full-Disclosure] RPM verification

From: Andrew Griffiths (full-disclosure@lists.netsys.com)
Date: 08/30/02

Axel Grossklaus wrote:
| Andrew Griffiths wrote:
|
| moin,
|
| just a few remarks...
|

cool. feedback, comments, etc is good.

| | Product: rpm
| | Version tested: 4.0.4
|
| | - SuSE recommends verifying with rpm -v --checksig file.rpm. They were not
| | contacted.
|
| on the suse distribution the keys for rpm validation are already kept in
| a separate file /usr/lib/rpm/gnupg/pubring.gpg.

Never used SuSE myself. I just went looking for vendors to email. :-)

| and gpg is called with "--keyring /usr/lib/rpm/gnupg/pubring.gpg"
| (suse patched that into rpm) but
| --keyring only _adds_ keys in the keyring. the keys in the
| default keyring in the users home are used as well.
| seeing /usr/lib/rpm/gnupg/pubring.gpg might fool someone into believing
| that _only_ those keys are used, which would require setting
| --no-default-keyring as well.
|
| i don't know if /usr/lib/rpm/gnupg/pubring.gpg was added just to make
| sure the key is available regardless of what the user has in his
| gnupg-home or for security reasons.
|
| if it was for security reasons (which i don't think), it's broken :-}
|
| this might be a matter of taste, but keeping keys for rpm-signatures
| in a different file is certainly a good idea, i think.
|
| unfortunately, this is not really easy to do system-wide, since gpg
| wants to lock files and write temp-files into its home-directory,
| so setting %_gpg_path to /usr/lib/rpm/gnupg/ doesn't work.
| each admin on a system has to fix it for himself.
|
| otoh, i don't think that using rpm -v --checksig is a good
| idea either.

Agreed. I'm just repeating what the RPM author told me is the fix. :-)
Personally, I use -vv --checksig.

| it's too easy to make a key that looks almost (but
| not quite ;) ) like a given other key. and who really wants to
| memorize the complete fingerprint and key id?

Yup. That's why I included the stuff for ~/.rpmmacros (hrm. I think rpm
3.x uses .rpmrc or so, I think)

|
| maybe it would work if rpm created an empty temporary directory,
| used that directory with --homedir and then added --keyring
| /usr/lib/rpm/gnupg/pubring.gpg and --no-default-keyring
| (and maybe some option to deal with the trustdb handling).
| but there has to be a more elegant solution than this.

Yup. I set up my .rpmmacros to look @ ~/.gpg-rh (or ~/.gpg-rpm or so).

|
| i will look a little deeper into the last two points..
|
| | - Future versions of RPM (4.1) will not be using gpg externally, but
| | will be maintaining the keys to verify internally.
|
| how exactly will that version work?

By storing the keys to verify stuff in its own database. I think, but am
not sure, that it would "embed" gpg or so into rpm.

I haven't looked @ rpm 4.1 yet..

|
|
| tty, axel
|
|
| p.s.: all tests were done using 3.0.6 (suse still uses rpm 3.x)
|       and gpg 1.0.7
|
| --
| Axel Grossklaus PRESECURE (R)
| Security Specialist, Consulting GmbH
| Phone: (+49) 040 / 480 4224 ag@pre-secure.de
|
| Check on European Security Incident Response Teams
| http://www.ti.terena.nl

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
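As an added example (not code from the thread, from rpm or from SuSE), this Python script reproduces the isolated gpg invocation sketched above (an empty --homedir, --no-default-keyring plus --keyring) and compares the signer's full fingerprint from gpg's status output against a pinned set, so nobody has to memorize it and a look-alike key id or user id string is not enough. The fingerprints, user id and status lines are constructed placeholders, and the live path verifies a detached signature file rather than the signature embedded in an RPM header.

```python
import os
import re
import subprocess
import tempfile

# Full fingerprints of the keys allowed to sign packages on this host.
# Constructed placeholder; replace with the vendor's published fingerprint.
PINNED_FINGERPRINTS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

def gpg_verify_args(sig_path, data_path, keyring, homedir):
    """gpg command line that consults only `keyring`.
    --keyring alone only ADDS a keyring: without --no-default-keyring the
    user's ~/.gnupg/pubring.gpg is searched too.  --homedir is an empty
    scratch directory, so gpg can write its lock and trustdb files without
    reading (or trusting) the user's GnuPG home.  --status-fd 1 makes gpg
    emit status lines that carry the signing key's full fingerprint."""
    return ["gpg", "--batch", "--no-tty", "--homedir", homedir,
            "--no-default-keyring", "--keyring", os.path.abspath(keyring),
            "--status-fd", "1", "--verify", sig_path, data_path]

def pinned_signer(status_output, pinned=PINNED_FINGERPRINTS):
    """Return the signer's full fingerprint if it is pinned, else None.
    Only VALIDSIG is consulted: GOODSIG carries a key id and user-id string,
    both of which a look-alike key can reproduce; the fingerprint it cannot."""
    for line in status_output.splitlines():
        m = re.match(r"\[GNUPG:\] VALIDSIG ([0-9A-Fa-f]{32,40})\b", line)
        if m and m.group(1).upper() in pinned:
            return m.group(1).upper()
    return None

def verify_detached(sig_path, data_path, keyring="/usr/lib/rpm/gnupg/pubring.gpg"):
    """Run gpg in a throwaway home; return the pinned fingerprint or None."""
    with tempfile.TemporaryDirectory() as homedir:   # created mode 0700
        proc = subprocess.run(gpg_verify_args(sig_path, data_path, keyring, homedir),
                              capture_output=True, text=True)
        if proc.returncode != 0:                      # BADSIG, unknown key, ...
            return None
        return pinned_signer(proc.stdout)

# Constructed sample status output: a signature by the pinned key, and one by a
# look-alike key that reuses the same user id but has a different fingerprint.
GENUINE = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Vendor <security@example.com>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2002-08-30 "
    "1030700000 0 3 0 17 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n")
LOOKALIKE = (
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Vendor <security@example.com>\n"
    "[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2002-08-30 "
    "1030700000 0 3 0 17 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98\n")
```

`pinned_signer(GENUINE)` returns the pinned fingerprint while `pinned_signer(LOOKALIKE)` returns None even though both GOODSIG lines show the same key id and user id.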