-
Notifications
You must be signed in to change notification settings - Fork 376
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OpenPGP: Function pgpParsePkts
supports only "PGP PUBLIC KEY BLOCK" block, "PGP SIGNATURE" is needed
#2512
Comments
Highly unlikely. The internal implementation is only for backwards compatibility with environments that for some reason are not willing to use the Sequoia implementation. It has known bugs that almost certainly won’t be fixed. To give just one example, revocation handling is not implemented at all.
It’s already the default in Fedora 38. |
I'd argue that either rpm-sequoia or the internal implementation should be fixed. I'm not sure which is correct. |
@mlschroe Details:
|
I dunno about that "fine" and "incomplete". You're asking to remove an extra check in the internal pgp parser. Basically the API is missing a type argument to tell the parser if it should test for a certain armor. |
@mlschroe |
Librepo is used to download data from rpm repositories (metadata, packages, ...). Repository metadata can be signed with an OpenPGP signature. And librepo can verify them. Sample on an existing repository:
Librepo uses GpgMe. We now have a high priority to remove the dependency on GpgMe. That's why I created a new implementation in the librepo that uses the librpm API instead of GpgMe. Now it works (with some problems that I described in issues, but it works). |
Here is the PR rpm-software-management/librepo#275 . It contains commit that moves the original implementation of OpenPGP using GpgMe into "gpg_gpgme.c" file and creates a new based on librpm API in the "gpg_rpm.c" file. I created the code based on the description in the "rpmgpg.h" header file and a bit of librpm reverse engineering. It's not very nice, but somehow it works. The code also implements a keyring. |
Considering that the internal parser is on its way out, and changing rpm-sequoia to reject data that the return values suggest the function supports, breaking librepo in the process... I think the only reasonable thing is to just leave it all as it is. There are and will be significant differences in the backends as long as the internal one is there, so it seems to me the sooner we get rid of it the better it is for everybody, ultimately. |
I am preparing a new backend for OpenPGP support in librepo rpm-software-management/dnf5#438 . Instead of GpgMe, it uses the librpm library API. The goal is to get rid of the dependency on GpgMe.
I need support for loading ASCII armored PGP signatures. I found it works with "rpm-sequoia" backend. The problem is with internal librpm implementation.
Is there a plan to add support for ASCII armored PGP signatures to librpm's internal implementation? Or will an external implementation ("rpm-sequouia" backend) be required in future versions (e.g. next Fedora)?
The text was updated successfully, but these errors were encountered: