* [devel] [jbj@redhat.com: rpm-4.1 released]
@ 2002-09-18 18:36 Dmitry V. Levin
From: Dmitry V. Levin @ 2002-09-18 18:36 UTC (permalink / raw)
To: ALT Devel discussion list
FYI
----- Forwarded message from Jeff Johnson <jbj@redhat.com> -----
Date: Wed, 18 Sep 2002 11:48:52 -0400
From: Jeff Johnson <jbj@redhat.com>
To: rpm-list@redhat.com
Subject: rpm-4.1 released
Rpm 4.1 is now available at
ftp://ftp.rpm.org/pub/rpm/dist/rpm-4.1.x
The final part of the release (6x, 7x, etc) indicates the version
of Red Hat Linux for which the package has been built. For example,
the i386 packages for Red Hat 6.2 are
rpm-4.1-6x.i386.rpm
rpm-devel-4.1-6x.i386.rpm
rpm-build-4.1-6x.i386.rpm
rpm-python-4.1-6x.i386.rpm
popt-1.7-6x.i386.rpm
This version is also available through anonymous cvs:
cvs -d :pserver:anonymous@cvs.rpm.org:/cvs/devel login
(no password, just carriage return)
cvs -d :pserver:anonymous@cvs.rpm.org:/cvs/devel get rpm
cd rpm
cvs up -r rpm-4_1-release
You will need the versions of libtool, autoconf, and automake identified
in autogen.sh if you wish to build from CVS.
Please report any difficulties, problems, issues, feature requests, whatever at
http://bugzilla.redhat.com
Here's a brief summary of features that have been added. See the
CHANGES file in the src rpm for the gory details.
1) Header signatures and digests, if available, are verified when (first)
retrieved from the rpm database.
2) The rpm database permits concurrent access. That means that it is now
possible to run rpm in %post scriptlets.
Note: What still remains is to find out whether there are deadlocks
(there are), and whether the deadlocks can be avoided or otherwise
handled gracefully. I'd really like to support (at least read)
concurrent access to the rpm database, but it's gonna take a lot
of careful (i.e. reproducible) testing to achieve that goal. Any
and all help is appreciated. What's very promising is that the
problems are deadlocks, not segfaults, but reproducing deadlocks
is gonna be quite challenging.
3) The rpmdb-redhat package (which contains an "everything" rpm database),
if installed, will be used to provide suggested solutions for unresolved
dependencies. Try installing the rpmdb-redhat package from Raw Hide if
interested.
DSA/RSA signature verification using RFC-2440 OpenPGP V3
packets is now implemented directly in rpm. The signature,
if available, is always verified when reading a package, and failures
are always reported.
Signing is done with gpg/pgp helpers as always, and both a new,
header-only, as well as the Good Old header+payload signature
are generated. In fact, all of Red Hat 7.3 was signed with rpm-4.1,
so both signatures should be present in 7.3 packages.
What's also new is pubkey management using --import. Basically
rpm --import RPM-GPG-KEY
(or any ascii armored OpenPGP pubkey) will wrap the binary OpenPGP
packet in a header, and install just like any other package.
Here's what you see if you have not yet imported the correct pubkey(s):
bash$ sudo rpm -Uvh popt-1.7-7x.i386.rpm
warning: popt-1.7-7x.i386.rpm: Header V3 DSA signature: NOKEY, key ID db42a60e
...
Here's what the Red Hat pubkeys look like when imported:
==========================================================================
bash$ rpm -qa | grep pubkey
gpg-pubkey-0352860f-3c3cb5e4
gpg-pubkey-db42a60e-37ea5438
bash$ rpm -qi gpg-pubkey-db42a60e
Name        : gpg-pubkey                        Relocations: (not relocateable)
Version     : db42a60e                          Vendor: (none)
Release     : 37ea5438                          Build Date: Sat 16 Mar 2002 10:47:53 AM EST
Install date: Sat 16 Mar 2002 10:47:53 AM EST   Build Host: localhost
Group       : Public Keys                       Source RPM: (none)
Size        : 0                                 License: pubkey
Summary     : gpg(Red Hat, Inc <security@redhat.com>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.1 (beecrypt-2.2.0)
-----END PGP PUBLIC KEY BLOCK-----
==========================================================================
For the extremely security conscious and the overly curious, I note the
following limitations:
1) there's no attempt (yet) to verify the signature on the
pubkey before verifying the package signature.
2) there's no attempt (yet) to implement any trust model using
OpenPGP packets. All imported keys in the rpm database are considered
trusted.
3) only V3 signatures are implemented ATM.
If that's not to your taste, then you can export the signature from a
package and verify using gpg outside of rpm. For example, here's a
short script that verifies the traditional header+payload signatures of
a package using gpg:
==========================================================================
#!/bin/sh
# Verify the traditional header+payload DSA signature of each package with gpg.
if [ $# -eq 0 ]; then
    echo "no package supplied" 1>&2
    exit 1
fi
status=0
for pkg in "$@"
do
    if [ -z "$pkg" ] || [ ! -e "$pkg" ]; then
        echo "no package supplied" 1>&2
        exit 1
    fi
    plaintext=`mktemp "$0-$$.XXXXXX"` || exit 1
    detached=`mktemp "$0-$$.XXXXXX"` || exit 1
    # --- Extract detached signature
    rpm -qp -vv --qf '%{siggpg:armor}' "$pkg" > "$detached"
    # --- Figger the offset of header+payload in the package:
    # --- 96-byte lead, 8-byte header magic, then il (index entries) and dl (data bytes)
    leadsize=96
    o=`expr $leadsize + 8`
    set -- `od -j $o -N 8 -t u1 "$pkg"`
    il=`expr 256 \* \( 256 \* \( 256 \* $2 + $3 \) + $4 \) + $5`
    dl=`expr 256 \* \( 256 \* \( 256 \* $6 + $7 \) + $8 \) + $9`
    sigsize=`expr 8 + 16 \* $il + $dl`
    # --- The signature header is padded to an 8-byte boundary
    o=`expr $o + $sigsize + \( 8 - \( $sigsize \% 8 \) \) \% 8`
    # --- Extract header+payload
    dd if="$pkg" ibs=$o skip=1 2>/dev/null > "$plaintext"
    # --- Verify DSA signature using gpg
    gpg --batch -vv --verify "$detached" "$plaintext" || status=1
    # --- Clean up
    rm -f "$detached" "$plaintext"
done
exit $status
==========================================================================
Enjoy
73 de Jeff
--
Jeff Johnson ARS N3NPQ
jbj@redhat.com (jbj@jbj.org)
Chapel Hill, NC
----- End forwarded message -----
--
ldv
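As an added example (not part of the forwarded mail or of rpm itself), the offset arithmetic of Jeff's script carried out in Python on a constructed, package-shaped byte string: it checks the lead and signature-header magic, walks the index to pull out the RPMSIGTAG_GPG entry that `%{siggpg}` prints, and computes where header+payload starts, including the 8-byte padding. The tag number 1005 and the BIN entry type 7 are standard rpm constants that the mail itself does not mention.

```python
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"                 # first 4 of the 96-byte lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01\x00\x00\x00\x00"   # header magic + 4 reserved bytes
LEAD_SIZE = 96
RPMSIGTAG_GPG = 1005   # standard rpm tag of the header+payload DSA signature (%{siggpg})
RPM_BIN_TYPE = 7       # standard rpm index entry type whose count is a byte length

def parse_signature_header(pkg):
    """Return ({tag: raw bytes}, offset of header+payload) for an rpm file image."""
    if pkg[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an rpm package: bad lead magic")
    o = LEAD_SIZE
    if pkg[o:o + 8] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # il = number of 16-byte index entries, dl = size of the data area (big-endian)
    il, dl = struct.unpack(">II", pkg[o + 8:o + 16])
    index_start = o + 16
    data_start = index_start + 16 * il
    entries = {}
    for i in range(il):
        tag, typ, off, count = struct.unpack(
            ">IIII", pkg[index_start + 16 * i:index_start + 16 * (i + 1)])
        if typ == RPM_BIN_TYPE:
            entries[tag] = pkg[data_start + off:data_start + off + count]
    # Same arithmetic as the shell script: sigsize = 8 + 16*il + dl, padded to 8 bytes
    sigsize = 8 + 16 * il + dl
    pad = (8 - sigsize % 8) % 8
    return entries, o + 8 + sigsize + pad

def split_package(pkg):
    """Return (detached GPG signature bytes, header+payload bytes) as gpg expects them."""
    entries, off = parse_signature_header(pkg)
    return entries.get(RPMSIGTAG_GPG), pkg[off:]

def build_sample_package(sig_bytes, payload):
    """Constructed test data: a lead, a one-entry signature header and a fake body."""
    lead = RPM_LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    index = struct.pack(">IIII", RPMSIGTAG_GPG, RPM_BIN_TYPE, 0, len(sig_bytes))
    il, dl = 1, len(sig_bytes)
    sighdr = HEADER_MAGIC + struct.pack(">II", il, dl) + index + sig_bytes
    pad = (8 - (8 + 16 * il + dl) % 8) % 8
    return lead + sighdr + bytes(pad) + payload

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        sig, body = split_package(f.read())
    print("signature bytes:", len(sig or b""), "header+payload bytes:", len(body))
```

Run on a real package the two pieces are what the script hands to `gpg --verify`; the sample builder only exercises the offset and padding logic offline.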