[Pkg-rpm-devel] Bug#858998: rpmsign silently accepts every password
Arturo Borrero Gonzalez
arturo at debian.org
Wed Mar 29 12:23:10 UTC 2017
Package: rpm
Version: 4.12.0.2+dfsg1-1
Severity: important
Dear Maintainer,
thanks for your work with the rpm package, it's really appreciated.
When running rpmsign to add a signature to an rpm package, it seems to
accept every password without complaint:
% rpmsign --addsign myrpm.rpm
Enter pass phrase:
[ wrong password ]
% echo $?
0
I don't know if this means that rpmsign is not able to read my config
and therefore doesn't do anything.
But still, the result is the same using either a good or a wrong password,
which is a bit surprising.
I've tested with these 2 macro files in ~/.rpmmacros:
===== option1 =====
%_signature gpg
%_gpg_name myemail at example.com
%_gpg_path ~/.gnupg
%__gpg_sign_cmd %{__gpg} \
gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
--passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
-sbo %{__signature_filename} %{__plaintext_filename}
===================
===== option2 =====
%_gpg_name myemail at example.com
===================
-- System Information:
Debian Release: 9.0
APT prefers testing
APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Kernel: Linux 4.9.0-2-amd64 (SMP w/2 CPU cores)
Locale: LANG=es_ES.utf8, LC_CTYPE=es_ES.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
Versions of packages rpm depends on:
ii debugedit 4.12.0.2+dfsg1-1
ii libc6 2.24-9
ii libelf1 0.168-0.2
ii libpopt0 1.16-10+b2
ii librpm3 4.12.0.2+dfsg1-1
ii librpmbuild3 4.12.0.2+dfsg1-1
ii librpmio3 4.12.0.2+dfsg1-1
ii librpmsign3 4.12.0.2+dfsg1-1
ii perl 5.24.1-2
ii rpm-common 4.12.0.2+dfsg1-1
ii rpm2cpio 4.12.0.2+dfsg1-1
rpm recommends no packages.
Versions of packages rpm suggests:
pn alien <none>
pn elfutils <none>
pn rpm-i18n <none>
pn rpm2html <none>
ii rpmlint 1.9-6
-- no debconf information
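The report's point is that rpmsign's exit status says nothing about whether a signature was actually attached. As an added example (not part of this report or of the rpm project), the Python check below reads the RPM signature header directly and reports the package as signed only if a PGP signature tag is present; build_sample() is an assumption that constructs a minimal RPM in memory for demonstration, not a real package.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # first bytes of every RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"    # header structure magic + version 1
LEAD_SIZE = 96
# Signature-header tags that carry an OpenPGP signature (from rpm's rpmtag.h).
PGP_TAGS = {267: "DSA", 268: "RSA", 1002: "PGP", 1005: "GPG"}

def signature_header_tags(data: bytes) -> dict:
    """Parse the RPM signature header and return {tag: count} for its entries."""
    if len(data) < LEAD_SIZE + 16 or data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead)")
    hdr = data[LEAD_SIZE:]
    if hdr[:4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", hdr[8:16])
    index_end = 16 + 16 * nindex
    if len(hdr) < index_end + hsize:
        raise ValueError("truncated signature header")
    tags = {}
    for i in range(nindex):
        tag, _type, _offset, count = struct.unpack(">IIII", hdr[16 + 16 * i:32 + 16 * i])
        tags[tag] = count
    return tags

def is_signed(data: bytes) -> bool:
    """True only if a PGP signature tag is present; rpmsign's exit code is not trusted."""
    return any(tag in PGP_TAGS for tag in signature_header_tags(data))

def build_sample(signed: bool) -> bytes:
    """Constructed minimal RPM (assumption, for demonstration only): a lead plus a
    signature header with SIZE and MD5 entries, optionally plus a GPG entry."""
    store = struct.pack(">I", 4096) + b"\x11" * 16           # SIZE (INT32) + MD5 (BIN)
    entries = [(1000, 4, 0, 1), (1004, 7, 4, 16)]
    if signed:
        entries.append((1005, 7, len(store), 64))            # RPMSIGTAG_GPG, BIN type
        store += b"\x99" * 64                                # placeholder, not a real sig
    index = b"".join(struct.pack(">IIII", *e) for e in entries)
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
    return LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4) + header + index + store

if __name__ == "__main__":
    import sys
    with open(sys.argv[1], "rb") as f:
        print("signed" if is_signed(f.read()) else "UNSIGNED: no signature tag present")
```

Presence of the tag shows that rpmsign wrote something; whether the signature verifies against the expected key is still a job for `rpm --checksig`.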