rpm --checksig not using gnupg trustdb
From: Bart Martens (bart.martens@advalvas.be) Date: 03/04/02
From: bart.martens@advalvas.be (Bart Martens) Date: Mon, 04 Mar 2002 15:00:24 GMT
Question: should PGP signature verification for downloaded software
use the gnupg/pgp trustdb? I would expect _yes_.

Another question: how is PGP signature verification for downloaded
software done on distributions other than redhat? With or without use
of the gnupg/pgp trustdb?

I noticed that rpm --checksig doesn't use the gnupg trustdb on redhat.
This is my test, on RedHat 7.2 with rpm-4.0.3-1.03 and gnupg-1.0.6-3:
I pick a random rpm, signed by an unknown packager. In ~/.gnupg/options
I define a keyserver. Then I run rpm --checksig for the downloaded rpm.

What happens? rpm asks gpg to check the signature. Because the key is
not yet in the keyring, and ~/.gnupg/options has a keyserver defined,
gnupg retrieves the key from the keyserver and adds it to the keyring.
At this point, the key is present in the keyring, but the key is not yet
"trusted" in the gpg trustdb. Then gpg uses the key for the signature
verification, with a valid result. Still all right. But then (!), without
warning about the missing trust path, rpm --checksig displays "gpg OK" and
returns 0 for all OK. This looks like an open door for trojan horses.

When I run rpm --checksig -v for verbose output, then I see that gpg
complains about the missing trust path. Apparently rpm does not use
this essential gpg output.

I have submitted a bug on bugzilla.redhat.com (number 60611) on the fact
that rpm --checksig doesn't use the gnupg trustdb. The comment of redhat
was that this is a design choice. This surprises me.

Note that the ~/.gnupg/options file in gnupg-1.0.6-3 on RedHat 7.2 by
default does not contain the no-auto-key-retrieve option. So as soon
as someone, starting from an empty gnupg keyring, defines a keyserver
in ~/.gnupg/options, then the door to trojan horses is opened.

I'd appreciate your comments on this questionable behaviour, and on
how signatures on software are verified on distributions other than
RedHat.
Bart Martens
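The distinction the post turns on, a signature that is cryptographically valid versus one made by a key with a trust path in the trustdb, is exactly what gpg's machine-readable --status-fd lines expose (GOODSIG/BADSIG for validity, TRUST_* for the trustdb verdict). The following is an added example, not code from the post or from rpm, showing how a verifier that consumes those lines would refuse the "valid but untrusted" case that rpm --checksig reported as OK; the status lines in SAMPLE_UNTRUSTED are constructed, and the key id and user id in them are placeholders.

```python
import subprocess
from typing import Dict, List, Optional

# Only these trust verdicts mean the trustdb actually vouches for the key.
TRUSTED = {"TRUST_FULLY", "TRUST_ULTIMATE"}


def evaluate_status(status_lines: List[str]) -> Dict[str, object]:
    """Reduce gpg --status-fd output to a (valid, trusted, reason) verdict."""
    good = bad = False
    trust: Optional[str] = None
    keyid: Optional[str] = None
    for line in status_lines:
        if not line.startswith("[GNUPG:] "):
            continue                     # ordinary gpg chatter, not a status line
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            good, keyid = True, fields[2]
        elif tag in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            bad = True                   # broken signature or key not available
        elif tag.startswith("TRUST_"):
            trust = tag                  # TRUST_UNDEFINED/NEVER/MARGINAL/FULLY/ULTIMATE
    valid = good and not bad
    trusted = valid and trust in TRUSTED
    if not valid:
        reason = "signature invalid or signing key unavailable"
    elif not trusted:
        # This is the case the post describes: gpg says the signature checks
        # out, but the key was just fetched and has no trust path.
        reason = f"valid signature by {keyid} but no trust path ({trust})"
    else:
        reason = f"valid signature by {keyid}, key is {trust}"
    return {"valid": valid, "trusted": trusted, "keyid": keyid, "reason": reason}


def verify_detached(sig_path: str, data_path: str) -> Dict[str, object]:
    """Run gpg on a detached signature and judge it with evaluate_status (needs gpg)."""
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return evaluate_status(proc.stdout.splitlines())


# Constructed sample of what gpg reports for a key auto-retrieved from a
# keyserver and never assigned trust (placeholder key id and user id).
SAMPLE_UNTRUSTED = [
    "[GNUPG:] GOODSIG 0000000000000000 Unknown Packager <packager@example.invalid>",
    "[GNUPG:] TRUST_UNDEFINED",
]
```

A package installer built on evaluate_status would accept only results with trusted set, rather than stopping at valid as the post reports rpm --checksig does.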