Re: rpm signing with subkeys

On Nov 29, 2006, at 3:26 PM, Douglas Hubler wrote:

I cannot get rpm --addsign to work using a gpg subkey. I added a key following
these instructions to my gpg key store:

And set this in my .rpmmacros
 %_signature gpg
 %_gpg_name 3455DDBA
 %_gpg_path /home/dhubler/gpg-auto

Where 3455DDBA is the id of my subkey, not my public key

And when I run
 rpm --checksig my-package.rpm
I keep getting
 ... (GPG) NOT OK (MISSING KEYS: GPG#3455ddba)

I've exported my public key and imported it to rpm,
  gpg --homedir . --armor --export engineering@example.com > RPM-PGP-KEY-example.asc
  sudo rpm --import RPM-PGP-KEY-example.asc

Everything works fine if I use the regular private/public key pair.

I discovered a macro by running "rpm --showrc" and experimented with defining
 %__gpg_sign_cmd %{__gpg} --batch --no-verbose --no-armor --passphrase-fd 3 --no-secmem-warning --default-key "%{_gpg_name}" -sbo %{__signature_filename}

Where I replaced the system default fragment
 -u %{_gpg_name}
with
 --default-key "%{_gpg_name}"
but still no luck.

There are a lot of steps and I have gotten many of them wrong the first time at various stages, so even if you do not have advice for me, if anyone has ever got this working, I'd appreciate an email saying you got it working. Thanks.

Verification with sub-keys is not implemented in rpm.

Your choices are
    Generate a signing key w/o sub-keys.
    Use /usr/lib/rpm/tgpg (which extracts the necessary plaintext and
    verifies signatures using gpg) to verify signatures instead.

FWIW, I have most of a sub-key verification implementation done, but that still won't solve your problem, as it will be years before that implementation
is widely deployed no matter what.

73 de Jeff
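As an added check (not part of this thread), the script below reads the record format of `gpg --list-keys --with-colons` and tells you whether the short id placed in %_gpg_name names a primary key or a subkey, which is the distinction the reply above says rpm cannot verify. The key ids and user id in SAMPLE_LISTING are constructed sample data, and `parse_key_ids` and `diagnose` are names chosen for this example.

```python
"""Classify an rpm %_gpg_name key id as primary or subkey from gpg colon output.

Added example, not from the thread. It parses the record format printed by
`gpg --list-keys --with-colons` (field 0 = record type, field 4 = 16-hex key id)
and reports whether the short id rpm was told to use names a primary key
(pub/sec record) or a subkey (sub/ssb record). The key ids and user id in
SAMPLE_LISTING are constructed sample data, not real keys.
"""
from typing import Dict, Optional

# Constructed sample of `gpg --with-colons` output: one primary key with an
# encryption subkey and a signing subkey whose short id is the thread's 3455DDBA.
SAMPLE_LISTING = """\
tru::1:1164800000:0:3:1:5
pub:u:1024:17:8F12A3B4C5D6E7F0:1164800000:::u:::scSC:
uid:u::::1164800000::0000000000000000000000000000000000000000::engineering@example.com (constructed):
sub:u:2048:16:01234567890ABCDE:1164800000::::::e:
sub:u:1024:17:FEDCBA983455DDBA:1164800000::::::s:
"""

def parse_key_ids(listing: str) -> Dict[str, Dict[str, Optional[str]]]:
    """Map each short (last 8 hex) key id to its record type and owning primary key."""
    keys: Dict[str, Dict[str, Optional[str]]] = {}
    primary: Optional[str] = None
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] not in ("pub", "sec", "sub", "ssb"):
            continue  # skip tru/uid/fpr/sig records
        short_id = fields[4].upper()[-8:]
        if fields[0] in ("pub", "sec"):
            primary = short_id  # following sub/ssb records belong to this key
        keys[short_id] = {"type": fields[0], "primary": primary}
    return keys

def diagnose(gpg_name: str, listing: str) -> str:
    """Explain a MISSING KEYS result for the key id set in %_gpg_name."""
    info = parse_key_ids(listing).get(gpg_name.upper()[-8:])
    if info is None:
        return "unknown: key id not in keyring listing"
    if info["type"] in ("pub", "sec"):
        return "primary: rpm can verify signatures made with this key"
    return (f"subkey of {info['primary']}: rpm (as of this thread) cannot verify "
            "subkey signatures; sign with the primary key or a key without subkeys")

if __name__ == "__main__":
    print(diagnose("3455DDBA", SAMPLE_LISTING))
```

Feed it the real output of `gpg --homedir <dir> --list-keys --with-colons` in place of SAMPLE_LISTING to check your own keyring.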

