Opened 7 years ago
Closed 6 years ago
#5147 closed defect (fixed)
wrong/no signatures on FC packages
| Reported by: | qbi | Owned by: | hiviah |
|---|---|---|---|
| Priority: | High | Milestone: | |
| Component: | Core Tor/RPM packaging | Version: | Tor: unspecified |
| Severity: | Keywords: | ||
| Cc: | marlowe@… | Actual Points: | |
| Parent ID: | Points: | ||
| Reviewer: | Sponsor: |
Description
I just downloaded http://deb.torproject.org/torproject.org/rpm/fc15/tor-0.2.2.35-tor.0.rh15.i686.rpm{,.asc} and got an error when I checked the signature. However a head -n 1 *.asc reveals:
-----BEGIN PGP PUBLIC KEY BLOCK-----
and not
-----BEGIN PGP SIGNATURE-----
I downloaded some asc-files and made a diff. They were all the same. So the asc-files are not signatures, but public keys.
So from my point of view those are no valid signatures. This should be corrected.
Child Tickets
Change History (8)
comment:1 Changed 7 years ago by
| Resolution: | → not a bug |
|---|---|
| Status: | new → closed |
comment:2 Changed 7 years ago by
| Resolution: | not a bug |
|---|---|
| Status: | closed → reopened |
Why do we include a .asc file for every package then, if the asc file is the same for all of them and isn't a signature? Seems like we're asking for more people to get confused.
comment:3 Changed 7 years ago by
It's been a while since I set it up, but I think the original idea was that people could import the key and then install the rpm, individually, if they didn't want to use the repo key for whatever reason. An argument could be made for that being either intuitive or counterintuitive, and I don't really have any insight into how normal rpm users operate, beyond knowing that they generally let the distro verify signatures.
I don't think we're asking for people to get confused, and there are instructions on the verifying-signatures page for how to manually verify the packages if you really want to do it that way. But if you have a less confusing solution, let me know.
comment:4 Changed 7 years ago by
Ok. I suggest the next step is to close this ticket when we've found an rpm sucker who can make it their problem and not Erinn's problem.
Maybe that is qbi or marlowe? :)
comment:5 Changed 7 years ago by
| Cc: | marlowe@… added |
|---|
The sucker steps forward. ;)
We don't need to post the .asc files. rpm performs the signature check internally. The user imports the GPG key of the package signer into their rpmdb. Through this mechanism, they can verify the rpm hasn't changed since we signed it. The particular use case might be users who prefer to install the rpm directly as opposed to through yum.
I think we can close the ticket.
comment:6 Changed 7 years ago by
| Component: | Tor bundles/installation → RPM packaging |
|---|
comment:7 Changed 6 years ago by
| Owner: | changed from erinn to hiviah |
|---|---|
| Status: | reopened → assigned |
I'm not sure if this is still a problem and I don't maintain RPMs anymore, so I'm reassigning to hiviah, the new RPM maintainer.
comment:8 Changed 6 years ago by
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
The new FC and EL packages built by me should have proper signatures (I just double-checked to make sure).
The rpm signatures are different, in the sense that rpm has its own signing & verification mechanism that uses gpg but isn't like our normal package signatures. It's something used internally by the rpm program. I make those according to standard rpm packaging procedures with these commands:
for i in *rpm; do gpg --export --armor F1F5C9B5 > $i.asc; done
for i in *rpm; do rpm --addsign $i; done
Which is a long way of saying that you don't need to manually verify the signatures on the packages, but if you do, you should do it the rpm way. (rpm -K foo.rpm, I think)