
Using gpg with rpm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm working on a wrapper script that will allow rpm(1) to use gpg(1)
for signing and verifying rpm(5) packages. (Yes, it would be better
were rpm(1) itself to support gpg(1), but this will do as an interim
solution.)

The argument translations are fairly obvious, as is the need for the
rsa extension to handle the keys.

What I've not determined, though, are: exactly what options are
required to sign a file such that pgp-2.6.2 can verify the signature,
and what options are required to generate a key-pair that pgp-2.6.2
can import.

Is the idea module required? Which hash should be used? Should I
instead ask on one of the pgp groups? :)

TIA

- -JimC
- --
James H. Cloos, Jr. <http://www.jhcloos.com/cloos/pgp_public_key.txt>
<cloos@jhcloos.com> E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE2iQNlmXqfF+19rqYRAo2IAJsHLJMAXkVL4ImZvcF6b3t1pPephACeN6yl
vycsRytNHkwzFWEiiznT0oI=
=8Xe3
-----END PGP SIGNATURE-----
Re: Using gpg with rpm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>>>>> "Rat" == Stainless Steel Rat <ratinox@peorth.gweep.net> writes:

Rat> rpm uses whatever version of PGP is available. One should be
Rat> able to use any version of PGP that groks PGP 2.6.x command line
Rat> arguments, which means GPG should be an easy drop-in replacement.
Rat> Red Hat RPMs have RSA signatures because of the version of PGP
Rat> they use.

(My comments are based on the current cvs src for rpm, if it makes any
difference.)

gpg does not support, in my tests, the options rpm uses when it calls
pgp. +myname, +batchmode, +verbose, +armor and -f must be translated;
getenv("PGPPASSFD") must be translated to --passphrase-fd. In the
case of a verify, gpg requires --verify where rpm passes nothing.

While I would prefer to see rpm updated to call gpg directly, and rpm
users to only sign with gpg generated key pairs, we are not there yet;
backward compatibility is still necessary. Especially until RHCN can
handle non RSA keys for sigs.

Making the installation of pgp unnecessary is at least a step in the
right direction.

- -JimC
- --
James H. Cloos, Jr. <http://www.jhcloos.com/cloos/pgp_public_key.txt>
<cloos@jhcloos.com> E9E9 F828 61A4 6EA9 0F2B 63E7 997A 9F17 ED7D AEA6


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v0.9.0 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE2iUcymXqfF+19rqYRAsbRAKCYDrDiyA4sef8qCE+mOl7IeRmccwCeO0wP
WM2ahXgoV2ApjxH0RsVFTjw=
=7Fpg
-----END PGP SIGNATURE-----
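The translation JimC describes in the reply above (+myname, +batchmode, +verbose and +armor become gpg long options, -f becomes stdin/stdout filtering, $PGPPASSFD becomes --passphrase-fd, and a call with no signing flag means --verify), written out as a wrapper script. This is an added example, not the script discussed in the thread and not code from rpm or GnuPG. It assumes rpm invokes the wrapper with PGP 2.6.x style arguments such as "+batchmode=on +verbose=0 +armor=on -sb FILE -u NAME -o SIG" for signing and "+batchmode=on +verbose=0 SIG FILE" for verifying; the exact argument order rpm uses is not stated on the page, so the parser accepts the flags in any order and also handles the -s, -b, -a, -u and -o flags that PGP 2.6.x clusters together. The gpg options emitted (--batch, --quiet, --armor, --local-user, --passphrase-fd, --output, --sign, --detach-sign, --verify) all exist in GnuPG.

```shell
#!/bin/sh
# pgp2gpg: accept the PGP 2.6.x style arguments rpm passes and turn them
# into a gpg command line. Added example, not the wrapper from the thread.
# Assumed (not from the page): rpm calls this as
#   pgp2gpg +batchmode=on +verbose=0 +armor=on -sb FILE -u NAME -o SIG
# to sign and as
#   pgp2gpg +batchmode=on +verbose=0 SIG FILE
# to verify, with the passphrase readable on descriptor $PGPPASSFD.

# translate_pgp_args ARGS...: map PGP 2.6.x arguments to gpg options.
# With PGP2GPG_DRY_RUN=1 (the default) it prints the resulting gpg
# arguments one per line instead of running gpg, so the translation can
# be checked without keys or a gpg binary.
translate_pgp_args() {
    mode="" armor="" quiet="" user="" output="" filter=""
    n=$#
    while [ "$n" -gt 0 ]; do
        n=$((n - 1))
        arg=$1; shift
        case "$arg" in
            +batchmode|+batchmode=*) ;;                # gpg always gets --batch
            +verbose=0)              quiet=1 ;;
            +verbose|+verbose=*)     ;;                # gpg's default verbosity
            +armor|+armor=on)        armor=1 ;;
            +armor=*)                ;;
            +myname=*)               user=${arg#+myname=} ;;
            +*) printf 'pgp2gpg: ignoring %s\n' "$arg" >&2 ;;
            -u|-o)                                     # -u NAME / -o FILE take a value
                [ "$n" -gt 0 ] || { printf 'pgp2gpg: %s needs an argument\n' "$arg" >&2; return 2; }
                if [ "$arg" = -u ]; then user=$1; else output=$1; fi
                shift; n=$((n - 1)) ;;
            -?*)                                       # clustered flags such as -sb, -sa, -f
                cluster=${arg#-}
                while [ -n "$cluster" ]; do
                    c=${cluster%"${cluster#?}"}; cluster=${cluster#?}
                    case "$c" in
                        s) [ "$mode" = detach ] || mode=sign ;;
                        b) mode=detach ;;              # detached signature file
                        a) armor=1 ;;
                        f) filter=1 ;;                 # PGP filter mode: stdin -> stdout
                        *) printf 'pgp2gpg: unsupported option -%s\n' "$c" >&2; return 2 ;;
                    esac
                done ;;
            *) set -- "$@" "$arg" ;;                   # file operand: rotate to the end
        esac
    done
    # $@ now holds only the file operands, in their original order.
    [ -n "$filter" ] && [ -z "$output" ] && output=-
    # Build the gpg command line by prepending, so the final order is
    # options, then the command, then the operands.
    case "$mode" in
        sign)   set -- --sign "$@" ;;
        detach) set -- --detach-sign "$@" ;;
        *)      set -- --verify "$@" ;;                # no sign flag: rpm is verifying
    esac
    [ -n "$output" ]        && set -- --output "$output" "$@"
    [ -n "${PGPPASSFD:-}" ] && set -- --passphrase-fd "$PGPPASSFD" "$@"
    [ -n "$user" ]          && set -- --local-user "$user" "$@"
    [ -n "$armor" ]         && set -- --armor "$@"
    [ -n "$quiet" ]         && set -- --quiet "$@"
    set -- --batch "$@"
    if [ "${PGP2GPG_DRY_RUN:-1}" = 1 ]; then
        printf '%s\n' "$@"
    else
        exec gpg "$@"
    fi
}

# Installed under the name "pgp2gpg" and run by rpm, hand the
# translated arguments straight to gpg.
if [ "${0##*/}" = pgp2gpg ]; then
    PGP2GPG_DRY_RUN=0
    translate_pgp_args "$@"
fi
```

Two points worth keeping in mind when using something like this. First, passing the passphrase through the descriptor rpm names in PGPPASSFD, rather than on the command line, is what keeps it out of the process list; the wrapper preserves that by mapping it to --passphrase-fd and never putting the passphrase in argv. Second, the wrapper only fixes the calling convention: it does nothing about the interoperability question in the first message, since PGP 2.6.2 can only verify RSA signatures in the old packet format, and gpg's default DSA/ElGamal keys produce signatures it cannot check regardless of how gpg is invoked.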