Mailinglist Archive: opensuse-security (32 mails)

Re: [opensuse-security] Packages from "update" (11.0) unsigned?
  • From: Werner Flamme <werner.flamme@xxxxxx>
  • Date: Thu, 22 Jan 2009 09:34:46 +0100
  • Message-id: <49782FA6.9040503@xxxxxx>
Werner Flamme [21.01.2009 11:50]:

Apt told me - for example - packages xrdp and autofs were unsigned. Now
I see:
# rpm --checksig autofs_5.0.3-82.28.1_x86%5f64.rpm
autofs_5.0.3-82.28.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK
# rpm --checksig xrdp_0.4.1-16.6.1_x86%5f64.rpm
xrdp_0.4.1-16.6.1_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK

Hm... what does rpm know that apt doesn't? And why does apt
(apt-0.5.15lorg3.2-123.14) cry about "unsigned", when it is signed?

Now I know: apt does not know "pgp", it looks for "gpg".

In /usr/lib64/apt/scripts/gpg-checker.lua I found that apt performs
"/bin/rpm --checksig" and parses the output. I see:
    if string.find(line, "gpg") then
        break
    end
maybe because in 11.0 the packages are signed with gpg, and in 11.1 with
pgp? Obviously, I am not the only one who missed the announcement that
the signing method changed, since I can't find a newer apt on the build
service ;-)

On 11.0:
rpm --checksig /home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm
/home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK

On 11.1:
rpm --checksig /var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm
/var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK

Both rpms are from the respective "update" repo. I doubled the
if-statement in gpg-checker.lua and changed "gpg" to "pgp" in the copy.
The next update on 11.1 will show if it helps :-)

Think this may result in a bugzilla entry for apt ;-)

Regards,
Werner
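Added example (not from the post and not apt-rpm's own gpg-checker.lua): this Python parses the rpm --checksig lines quoted above and compares the "gpg"-only substring test with a check that also accepts the "pgp" tag and requires rpm's OK verdict. The "NOT OK" line is constructed; only the one-line fragment quoted from the Lua script is modeled here.

```python
# Sample `rpm --checksig` output. The first two lines are the 11.0 and 11.1
# update packages from the post; the third is a constructed failure line in
# the same format, to show why the verdict must be checked as well as the tag.
CHECKSIG_LINES = [
    "/home/wflamme/down/kernel/kernel-default-2.6.25.20-0.1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK",
    "/var/cache/apt/archives/xrdp_0.4.1-16.6.2_x86%5f64.rpm: rsa sha1 (md5) pgp md5 OK",
    "/tmp/constructed-tampered.rpm: (sha1) dsa sha1 md5 gpg NOT OK",  # constructed sample
]


def parse_checksig(line):
    """Split one checksig line into (path, set of lower-cased tags, ok flag).

    Tags in parentheses (unverified digests/signatures) are kept but unwrapped;
    the verdict words OK / NOT are excluded from the tag set.
    """
    path, _, rest = line.rpartition(": ")
    ok = rest.endswith(" OK") and not rest.endswith("NOT OK")
    tags = {t.strip("()").lower() for t in rest.split() if t.upper() not in ("OK", "NOT")}
    return path, tags, ok


def apt_style_signed(line):
    """Mirror of the fragment quoted from gpg-checker.lua: the package counts as
    signed only if the literal string 'gpg' occurs somewhere in the line."""
    return "gpg" in line


def signed_and_valid(line, accepted=("gpg", "pgp")):
    """Corrected check: accept either signature tag and require rpm's OK verdict."""
    _, tags, ok = parse_checksig(line)
    return ok and any(tag in tags for tag in accepted)


def classify(lines):
    """Map each package path to (substring-test result, corrected-check result)."""
    return {parse_checksig(l)[0]: (apt_style_signed(l), signed_and_valid(l)) for l in lines}


if __name__ == "__main__":
    for path, (old, new) in classify(CHECKSIG_LINES).items():
        print(f"{path}\n  gpg-substring test: {old}  corrected check: {new}")
```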