Opened 7 years ago

Closed 6 years ago

#5147 closed defect (fixed)

wrong/no signatures on FC packages

Reported by: qbi
Owned by: hiviah
Priority: High
Milestone:
Component: Core Tor/RPM packaging
Version: Tor: unspecified
Severity:
Keywords:
Cc: marlowe@…
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

I just downloaded http://deb.torproject.org/torproject.org/rpm/fc15/tor-0.2.2.35-tor.0.rh15.i686.rpm{,.asc} and got an error when I checked the signature. However a head -n 1 *.asc reveals:

-----BEGIN PGP PUBLIC KEY BLOCK-----

and not
-----BEGIN PGP SIGNATURE-----

I downloaded some asc-files and made a diff. They were all the same. So the asc-files are not signatures, but public keys.

So from my point of view those are no valid signatures. This should be corrected.


Change History (8)

comment:1 Changed 7 years ago by erinn

Resolution: not a bug
Status: new → closed

The rpm signatures are different, in the sense that rpm has its own signing & verification mechanism that uses gpg but isn't like our normal package signatures. It's something used internally by the rpm program. I make those according to standard rpm packaging procedures with these commands:

for i in *rpm; do gpg --export --armor F1F5C9B5 > $i.asc; done
for i in *rpm; do rpm --addsign $i; done

Which is a long way of saying that you don't need to manually verify the signatures on the packages, but if you do, you should do it the rpm way. (rpm -K foo.rpm, I think)

comment:2 Changed 7 years ago by arma

Resolution: not a bug
Status: closed → reopened

Why do we include a .asc file for every package then, if the asc file is the same for all of them and isn't a signature? Seems like we're asking for more people to get confused.

comment:3 Changed 7 years ago by erinn

It's been a while since I set it up, but I think the original idea was that people could import the key and then install the rpm, individually, if they didn't want to use the repo key for whatever reason. An argument could be made for that being either intuitive or counterintuitive, and I don't really have any insight into how normal rpm users operate, beyond knowing that they generally let the distro verify signatures.

I don't think we're asking for people to get confused, and there are instructions on the verifying-signatures page for how to manually verify the packages if you really want to do it that way. But if you have a less confusing solution, let me know.

comment:4 Changed 7 years ago by arma

Ok. I suggest the next step is to close this ticket when we've found an rpm sucker who can make it their problem and not Erinn's problem.

Maybe that is qbi or marlowe? :)

comment:5 Changed 7 years ago by marlowe

Cc: marlowe@… added

The sucker steps forward. ;)

We don't need to post the .asc files. rpm performs the signature check internally. The user imports the GPG key of the package signer into their rpmdb. Through this mechanism, they can verify the rpm hasn't changed since we signed it. The particular use case might be users who prefer to install the rpm directly as opposed to through yum.

I think we can close the ticket.
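As an added illustration (not code from the ticket or from the Tor packaging scripts), the script below covers the two points made in comment:1 and comment:5: the .asc file shipped next to each rpm is an armored public key, not a detached signature, so checking it with `gpg --verify` fails for a reason that has nothing to do with the package; the signature that `rpm --addsign` embeds is verified by importing the signer's key into the rpmdb and running `rpm --checksig`. The `asc_kind` and `verify_rpm` function names and the sample file contents are my own.

```shell
#!/bin/sh
# Added example, not part of the ticket. Tells an armored public key apart
# from a detached signature, then verifies an rpm "the rpm way".

asc_kind() {
    # Report what an armored .asc file actually contains, based on its
    # first line (the check the reporter did with head -n 1).
    case "$(head -n 1 "$1")" in
        "-----BEGIN PGP SIGNATURE-----")        echo signature ;;
        "-----BEGIN PGP PUBLIC KEY BLOCK-----") echo public-key ;;
        *)                                      echo unknown ;;
    esac
}

verify_rpm() {
    # $1 = package, $2 = armored public key of the package signer.
    # rpm --import stores the key in the rpmdb; rpm --checksig then checks
    # the header and payload signature that rpm --addsign embedded.
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed" >&2; return 2; }
    rpm --import "$2" || return 1
    rpm --checksig "$1"
}

# Demo on a constructed file that mirrors what the reporter saw: the .asc
# next to the rpm holds a public key block, so it is not a signature.
demo_dir=$(mktemp -d)
printf -- '-----BEGIN PGP PUBLIC KEY BLOCK-----\n' > "$demo_dir/tor.rpm.asc"
echo "tor.rpm.asc contains: $(asc_kind "$demo_dir/tor.rpm.asc")"
rm -rf "$demo_dir"
```

Running `verify_rpm tor-0.2.2.35-tor.0.rh15.i686.rpm tor-0.2.2.35-tor.0.rh15.i686.rpm.asc` on a real package uses the shipped .asc exactly as comment:3 describes: as the key to import, not as something to feed to `gpg --verify`.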

comment:6 Changed 7 years ago by Sebastian

Component: Tor bundles/installation → RPM packaging

comment:7 Changed 6 years ago by erinn

Owner: changed from erinn to hiviah
Status: reopened → assigned

I'm not sure if this is still a problem and I don't maintain RPMs anymore, so I'm reassigning to hiviah, the new RPM maintainer.

comment:8 Changed 6 years ago by hiviah

Resolution: fixed
Status: assigned → closed

The new FC and EL packages built by me should have proper signatures (I just double-checked to make sure).
