[Pkg-rpm-devel] Bug#858998: rpmsign silently accepts every password

Arturo Borrero Gonzalez arturo at debian.org
Wed Mar 29 12:23:10 UTC 2017


Package: rpm
Version: 4.12.0.2+dfsg1-1
Severity: important

Dear Maintainer,

thanks for your work on the rpm package; it's really appreciated.

When running rpmsign to add a signature to an rpm package, it seems to
accept every password without complaint:

% rpmsign --addsign myrpm.rpm
Enter pass phrase:
  [ wrong password ]

% echo $?
0

I don't know if this means that rpmsign is not able to read my config
and therefore doesn't do anything.

But still, the result is the same using either a good or a wrong password,
which is a bit surprising.

I've tested with these 2 macro files in ~/.rpmmacros:

===== option1 =====
%_signature    gpg
%_gpg_name      myemail@example.com
%_gpg_path     ~/.gnupg
%__gpg_sign_cmd %{__gpg} \
   gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
   --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
   -sbo %{__signature_filename} %{__plaintext_filename}
===================

===== option2 =====
%_gpg_name      myemail@example.com
===================

-- System Information:
Debian Release: 9.0
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)

Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.utf8, LC_CTYPE=es_ES.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages rpm depends on:
ii  debugedit     4.12.0.2+dfsg1-1
ii  libc6         2.24-9
ii  libelf1       0.168-0.2
ii  libpopt0      1.16-10+b2
ii  librpm3       4.12.0.2+dfsg1-1
ii  librpmbuild3  4.12.0.2+dfsg1-1
ii  librpmio3     4.12.0.2+dfsg1-1
ii  librpmsign3   4.12.0.2+dfsg1-1
ii  perl          5.24.1-2
ii  rpm-common    4.12.0.2+dfsg1-1
ii  rpm2cpio      4.12.0.2+dfsg1-1

rpm recommends no packages.

Versions of packages rpm suggests:
pn  alien     <none>
pn  elfutils  <none>
pn  rpm-i18n  <none>
pn  rpm2html  <none>
ii  rpmlint   1.9-6

-- no debconf information
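Added example, not part of the bug report and not code from the rpm project: when a signing step exits 0 whatever passphrase it was given, the thing to check is the artifact itself. The script below reads the RPM lead and the signature header by hand (no rpm binary needed) and reports which OpenPGP signature tags are present, so "rpmsign --addsign returned 0" can be checked against "the file now carries a signature". The tag numbers are rpm's own (RPMSIGTAG_GPG, RPMSIGTAG_PGP, RSAHEADER, DSAHEADER). The sample packages it builds for its own self-check are constructed, minimal files (a lead plus a signature header with dummy signature bytes), not real RPMs; build_sample_rpm, signature_tags and the other function names are chosen here.

```python
"""Report which OpenPGP signature tags an RPM file actually carries."""
import struct
import sys

LEAD_MAGIC = b"\xed\xab\xee\xdb"
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"

RPM_INT32_TYPE = 4
RPM_BIN_TYPE = 7
FIXED_TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8}  # CHAR, INT8, INT16, INT32, INT64

# Signature-header tags that hold an OpenPGP signature (values from rpm's rpmtag.h)
SIG_TAGS = {
    267: "DSAHEADER",  # DSA signature over the main header
    268: "RSAHEADER",  # RSA signature over the main header
    1002: "PGP",       # RSA signature over header+payload
    1005: "GPG",       # DSA signature over header+payload
}


def parse_header(buf, off):
    """Parse one rpm header structure starting at buf[off].

    Returns (entries, end): entries maps tag -> (type, raw bytes or None),
    end is the offset just past the header's data section.
    """
    if buf[off:off + 4] != HEADER_MAGIC:
        raise ValueError("no header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_start = off + 16
    data_start = index_start + 16 * nindex
    end = data_start + hsize
    if end > len(buf):
        raise ValueError("header claims more data than the file holds")
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(
            ">IIII", buf[index_start + 16 * i:index_start + 16 * (i + 1)])
        if typ == RPM_BIN_TYPE:
            length = count
        elif typ in FIXED_TYPE_SIZES:
            length = FIXED_TYPE_SIZES[typ] * count
        else:
            length = None  # string types are not needed for signature tags
        if length is not None and offset + length > hsize:
            raise ValueError("index entry for tag %d points outside header data" % tag)
        data = buf[data_start + offset:data_start + offset + length] if length is not None else None
        entries[tag] = (typ, data)
    return entries, end


def looks_like_openpgp_signature(blob):
    """True if blob starts with an OpenPGP packet header whose tag is 2 (Signature)."""
    if not blob or not blob[0] & 0x80:
        return False
    ctb = blob[0]
    tag = (ctb & 0x3F) if ctb & 0x40 else (ctb >> 2) & 0x0F  # new vs. old packet format
    return tag == 2


def signature_tags(buf):
    """Return {tag name: signature length} for each OpenPGP signature in the signature header.

    An empty dict means the package carries no signature, whatever rpmsign's exit status said.
    """
    if len(buf) < LEAD_SIZE or buf[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead)")
    entries, _ = parse_header(buf, LEAD_SIZE)
    found = {}
    for tag, name in SIG_TAGS.items():
        if tag in entries:
            typ, data = entries[tag]
            if typ == RPM_BIN_TYPE and looks_like_openpgp_signature(data):
                found[name] = len(data)
    return found


def build_header(items):
    """Serialize (tag, type, bytes) triples as an rpm header (constructed test data only)."""
    index, data = b"", b""
    for tag, typ, raw in items:
        count = len(raw) if typ == RPM_BIN_TYPE else len(raw) // FIXED_TYPE_SIZES[typ]
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += raw
    return HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(items), len(data)) + index + data


def build_sample_rpm(signed):
    """Constructed minimal RPM: lead plus signature header, with or without a GPG entry."""
    lead = LEAD_MAGIC + bytes([3, 0]) + b"\0" * (LEAD_SIZE - 6)
    items = [
        (1000, RPM_INT32_TYPE, struct.pack(">I", 4242)),  # RPMSIGTAG_SIZE
        (1004, RPM_BIN_TYPE, bytes(range(16))),           # RPMSIGTAG_MD5 (dummy digest)
    ]
    if signed:
        body = b"\x04\x00\x11\x08" + b"\x00" * 20        # dummy body, not a real signature
        packet = b"\x88" + bytes([len(body)]) + body     # old-format OpenPGP packet, tag 2
        items.append((1005, RPM_BIN_TYPE, packet))       # RPMSIGTAG_GPG
    return lead + build_header(items)


def check_file(path):
    with open(path, "rb") as f:
        return signature_tags(f.read())


if __name__ == "__main__":
    for path in sys.argv[1:]:
        tags = check_file(path)
        print(path, "signed" if tags else "NOT signed", tags)
```

Run it as "python3 rpmsigcheck.py myrpm.rpm" after rpmsign; a package that prints "NOT signed" was never signed, whatever rpmsign's exit status was. With the rpm tooling itself the equivalent check is "rpm -Kv myrpm.rpm", which also verifies the signature against the keys in the rpm database; the script above only checks presence and packet shape, not cryptographic validity.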
