[Pkg-rpm-devel] Bug#858998: rpmsign silently accepts every password

Michal Čihař michal at cihar.com
Wed Mar 29 13:13:42 UTC 2017


Hi

Arturo Borrero Gonzalez wrote on Wed 29. 03. 2017 at 14:23 +0200:
> Package: rpm
> Version: 4.12.0.2+dfsg1-1
> Severity: important
> 
> Dear Maintainer,
> 
> thanks for your work with the rpm package, it's really appreciated.
> 
> When running rpmsign to add a signature to a rpm package, it seems to
> accept every password without complaint:
> 
> % rpmsign --addsign myrpm.rpm
> Enter pass phrase:
>   [ wrong password ]
> 
> % echo $?
> 0
> 
> I don't know if this means that rpmsign is not able to read my config
> and therefore doesn't do anything.
> 
> But still, the result is the same using either a good or a wrong
> password,
> which is a bit surprising.

The whole thing is caused by newer gpg, which preferably uses gpg-agent
and probably doesn't read the passphrase from rpm at all (at least in
the default configuration).

I've done some quick tests: the passphrase passed from RPM is not used
at all; gpg always asks gpg-agent, and it most likely had the passphrase
cached in your case, so the signing did succeed.

In case you give a wrong passphrase to the agent, it fails as expected:

$ rpmsign --addsign libgsmsd8-1.38.1-4.1.i586.rpm 
Enter pass phrase: 
gpg: signing failed: Bad passphrase
gpg: signing failed: Bad passphrase
Pass phrase check failed or gpg key expired
$ echo $?
1

In rpm 4.13 the passphrase is not asked at all:

https://github.com/rpm-software-management/rpm/commit/0bce5fcf270711a2e077fba0fb7c5979ea007eb5

I can try backporting this patch (excluding API change), but as the
issue is not really severe I'm not sure it's good enough for freeze
exception...

-- 
	Michal Čihař | https://cihar.com/ | https://weblate.org/
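The practical consequence of the above is that a zero exit status from rpmsign does not prove the package was signed with the intended key: gpg may have used a passphrase cached in gpg-agent and ignored whatever rpm passed it. The script below is an added example, not code from the bug report or from the rpm project; it verifies the signature with `rpm --checksig` after signing instead of trusting rpmsign's exit code. It assumes the rpm 4.x non-verbose `--checksig` output format (e.g. `foo.rpm: rsa sha1 (md5) pgp md5 OK`) and that the signing public key has been imported with `rpm --import`; the function names are my own.

```shell
#!/bin/sh
# Added example (not from the bug report or the rpm project): verify a
# package signature after rpmsign rather than relying on rpmsign's exit
# status, because gpg may have taken the passphrase from gpg-agent's cache.

# Parse one line of `rpm --checksig` output (rpm 4.x non-verbose format,
# assumed, e.g. "foo.rpm: rsa sha1 (md5) pgp md5 OK"). Returns 0 only when
# a pgp/gpg signature is present and verified, 1 otherwise.
checksig_line_ok() {
    line=$1
    case $line in
        *"NOT OK"*)      return 1 ;;   # bad signature or missing public key
        *pgp*OK|*gpg*OK) return 0 ;;   # signature present and verified
        *)               return 1 ;;   # digests only: the package is unsigned
    esac
}

# Run the real check on a package file; rpm must be installed and the
# signing key imported (`rpm --import pubkey.asc`).
rpm_signature_ok() {
    out=$(rpm --checksig "$1" 2>&1) || return 1
    checksig_line_ok "$out"
}

# Sign, then verify. A successful rpmsign run alone is not evidence that
# the signature is valid or that the expected key was used.
sign_and_verify() {
    rpmsign --addsign "$1" || return 1
    rpm_signature_ok "$1"
}

# Command-line use: ./sign-check.sh package.rpm
if [ "${1:-}" != "" ]; then
    if sign_and_verify "$1"; then
        echo "signed and verified: $1"
    else
        echo "signature check FAILED: $1" >&2
        exit 1
    fi
fi
```

To reproduce the original report deliberately, clear the agent's cache first with `gpg-connect-agent reloadagent /bye`; the next rpmsign run then has to obtain the passphrase from the agent's own prompt, which is where a wrong passphrase is actually rejected.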