Re: [Rpm-maint] [rpm-software-management/rpm] RFE: add support for SHA-3 (Issue #3436)
Nothing in rpm v6 depends on SHA-3 so this isn't timing critical for us, it's more of a "HDTV-ready" type of thing :smile: -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3436#issuecomment-2464007538 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Fixes + cleanups to rpmkeys manual (PR #3433)
Merged #3433 into master. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3433#event-15208158856 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Move installed gpg keys to the currently configured storage (Issue #3347)
Yes, gpg-pubkeys do survive rpmdb --rebuild currently. But they don't get reimported so they stay in the short id mode. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3347#issuecomment-2464573783 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Move installed gpg keys to the currently configured storage (Issue #3347)
For the db, I guess you could basically create an empty rpmdb in an alternative path where you put them temporarily. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3347#issuecomment-2464580389 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Move installed gpg keys to the currently configured storage (Issue #3347)
Hmm, the question is on how to do that in a save way. E.g. for the database backend there is no clean slate to start from. We ofc could remove all gpgpubkey packages and then add the loaded keys back. But that leaves things very vulnerable inbetween. The file based backends can at least save stuff elsewhere by manipulating `%_keyringpath`. Hmm, with the key store in the rpmdb directory does that survive an rpmdb --rebuild? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3347#issuecomment-2464512982 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Move installed gpg keys to the currently configured storage (Issue #3347)
Oh, that. No idea. -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3347#issuecomment-2464708417 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
[Rpm-maint] [rpm-software-management/rpm] Implement openpgp.cert.d based keystore (PR #3437)
Refactor code from the fs backend into shared helper functions This does implement the layout on the file system and the write lock of the openpgp.cert.d proposal according to https://www.ietf.org/archive/id/draft-nwjw-openpgp-cert-d-00.html but not the Trust root, Petname mapping or Trusted introducers. This still is a mess of C and C++ style strings that we want to clean up later by adding C++ string based path handling and may be using the filesystem C++ library. Resolves: #3341 You can view, comment on, or merge this pull request online at: https://github.com/rpm-software-management/rpm/pull/3437 -- Commit Summary -- * Implement openpgp.cert.d based keystore -- File Changes -- M lib/keystore.cc (178) M lib/keystore.hh (7) M lib/rpmts.cc (2) M tests/rpmsigdig.at (89) -- Patch Links -- https://github.com/rpm-software-management/rpm/pull/3437.patch https://github.com/rpm-software-management/rpm/pull/3437.diff -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3437 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Move installed gpg keys to the currently configured storage (Issue #3347)
Should have worded this better: Do the fs backend keys survive a rpmdb --rebuild? -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/issues/3347#issuecomment-2464689314 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Implement openpgp.cert.d based keystore (PR #3437)
@nwalfield commented on this pull request.
>
-if (replace) {
- rasprintf(&tmppath, "%s.new", path);
- unlink(tmppath);
+rc = write_key_to_disk(key, dirstr, keyfmt, replace, flags);
+
+if (!rc && replace) {
+ /* find and delete the old pubkey entry */
I'm a bit concerned about this. OpenPGP certificates are mostly append-only
data structures. To understand why, imagine that the certificate is revoked,
and the revocation certificate is stored locally. Then some process comes
along and updates the certificates, but it doesn't have the revocation
certificate for some reason. The revocation certificate will now be deleted,
and rpm may start relying on the revoked certificate again.
So, from my perspective, the correct thing to do here is to merge the existing
data with the new data.
Can you explain your thought process here and what you are trying to accomplish?
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3437#pullrequestreview-2423810811
You are receiving this because you are subscribed to this thread.
Message ID: ___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Fixes + cleanups to rpmkeys manual (PR #3433)
@dmnks pushed 1 commit. 7627bd92182616ac0568c44dab4b1c00a559a56b fixup! Fixes + cleanups to rpmkeys manual -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3433/files/6bec5fc3de53e8885a769c36b498e4b824e112df..7627bd92182616ac0568c44dab4b1c00a559a56b You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Fixes + cleanups to rpmkeys manual (PR #3433)
@dmnks approved this pull request. LGTM, thanks Neal for looking, too! I've just fixed up a lonely opening square bracket before the `--delete` argument (which is actually mandatory). -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3433#pullrequestreview-2423136893 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Fixes + cleanups to rpmkeys manual (PR #3433)
@dmnks pushed 1 commit. 42a192cde8b8d7bcb784a09520c9094f5325f2ca fixup! Fixes + cleanups to rpmkeys manual -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3433/files/7627bd92182616ac0568c44dab4b1c00a559a56b..42a192cde8b8d7bcb784a09520c9094f5325f2ca You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Fixes + cleanups to rpmkeys manual (PR #3433)
@dmnks pushed 1 commit. 11794c9ab1b7379ecdc1c542fe6abbc68ad1a004 fixup! Sanitize rpmsign --addsign/--delsign output -- View it on GitHub: https://github.com/rpm-software-management/rpm/pull/3433/files/42a192cde8b8d7bcb784a09520c9094f5325f2ca..11794c9ab1b7379ecdc1c542fe6abbc68ad1a004 You are receiving this because you are subscribed to this thread. Message ID: ___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Fixes + cleanups to rpmkeys manual (PR #3433)
One more typo fixup :smile: -- Reply to this email directly or view it on GitHub: https://github.com/rpm-software-management/rpm/pull/3433#issuecomment-2464202384 You are receiving this because you are subscribed to this thread. Message ID:___ Rpm-maint mailing list Rpm-maint@lists.rpm.org http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Fixes + cleanups to rpmkeys manual (PR #3433)
I've autosquashed the fixup commit on top and will merge this once the CI
finishes. This is the fixup patch I've applied, just for full transparency:
```diff
diff --git a/docs/man/rpmkeys.8.md b/docs/man/rpmkeys.8.md
index e7993e52c..093a91606 100644
--- a/docs/man/rpmkeys.8.md
+++ b/docs/man/rpmkeys.8.md
@@ -25,7 +25,7 @@ The general forms of rpm digital signature commands are
**rpmkeys** **\--import** *PUBKEY \...*
-**rpmkeys** **\--delete** \[*FINGERPRINT \...*
+**rpmkeys** **\--delete** *FINGERPRINT \...*
**rpmkeys** {**-K\|\--checksig**} *PACKAGE\_FILE \...*
@@ -53,7 +53,7 @@ The fingerprint is the handle used for all operations on the
keys.
Output the key(s) using an ASCII-armor encoding.
-Exporting allows inspectecting the data with specialized tools, such
+Exporting allows for inspecting the data with specialized tools, such
as Sequoia or GnuPG. For example:
**rpmkeys --export 771b18d3d7baa28734333c424344591e1964c5fc | sq inspect **
```
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3433#issuecomment-2464215737
You are receiving this because you are subscribed to this thread.
Message ID:
___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Implement openpgp.cert.d based keystore (PR #3437)
@ffesti commented on this pull request.
>
-if (replace) {
- rasprintf(&tmppath, "%s.new", path);
- unlink(tmppath);
+rc = write_key_to_disk(key, dirstr, keyfmt, replace, flags);
+
+if (!rc && replace) {
+ /* find and delete the old pubkey entry */
The patch obscures that this is actually old code. This is about converting
from the old (short keyids based) file names to new (fingerprint based)
filenames. Here we are just deleting the old file which is now redundant.
The merging of the keys does happen - it just doesn't happen here.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3437#discussion_r1834493385
You are receiving this because you are subscribed to this thread.
Message ID: ___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Implement openpgp.cert.d based keystore (PR #3437)
@pmatilai commented on this pull request.
> }
-if (rpmMkdirs(rpmtxnRootDir(txn), "%{_keyringpath}")) {
+free(dir);
+return rc;
+}
+
+/*/
+
+static rpmRC acquire_write_lock(rpmtxn txn)
The txn handle *is the lock*, that's the whole point of those things. There's
no other locking needed.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3437#pullrequestreview-2423918402
You are receiving this because you are subscribed to this thread.
Message ID: ___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Implement openpgp.cert.d based keystore (PR #3437)
@ffesti commented on this pull request.
> }
-if (rpmMkdirs(rpmtxnRootDir(txn), "%{_keyringpath}")) {
+free(dir);
+return rc;
+}
+
+/*/
+
+static rpmRC acquire_write_lock(rpmtxn txn)
I know. But the standard requires a lockfile on disk as part of the
openpgp.cert.d format. If we want other tools to be able to read it we should
try to adhere to that.
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3437#discussion_r1834485302
You are receiving this because you are subscribed to this thread.
Message ID: ___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
Re: [Rpm-maint] [rpm-software-management/rpm] Implement openpgp.cert.d based keystore (PR #3437)
@nwalfield commented on this pull request.
>
-if (replace) {
- rasprintf(&tmppath, "%s.new", path);
- unlink(tmppath);
+rc = write_key_to_disk(key, dirstr, keyfmt, replace, flags);
+
+if (!rc && replace) {
+ /* find and delete the old pubkey entry */
Thanks for the clarification!
--
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/pull/3437#discussion_r1834501729
You are receiving this because you are subscribed to this thread.
Message ID: ___
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint
