... possible rejecting rpms without or unknown signature?

Post by Martin1802 » 21 Mar 2005, 13:58

Hi :-)

I'm terribly sad because I could not find an option for rejecting packages without or unknown signature ... any option for apt.conf or commandline available ... read the docs / manpages / forum threads ...

... I'm sure there is one but could not find it in docs :-(

Please help
Martin

Post by Grothesk » 21 Mar 2005, 14:24

Do you speak German?

Here is a how-to in German:
http://www.linux-club.de/viewtopic.php?t=24634

In short:
In etc/apt/apt.conf.d/gpg-checker.conf
change "GPG::Check true" to "GPG::Check false" to enable checks and vice versa.

Post by oc2pus » 21 Mar 2005, 14:31

Martin1802 wrote:
> I'm terribly sad because I could not find an option for rejecting packages without or unknown signature ... any option for apt.conf or commandline available ... read the docs / manpages / forum threads ...
>
> ... I'm sure there is one but could not find it in docs :-(

hm, I'm a little bit confused ... in this thread you've already posted the answer to your question:
http://www.linux-club.de/viewtopic.php?t=14561

tell people what you want to do, and they'll probably help you to do it.
PackMan
LinWiki: The wiki for Linux users

Post by Martin1802 » 22 Mar 2005, 15:14

Hi oc2pus,

sorry for my question again ... I know that posting and your answer ... but I'm not really sure what you mean or how to handle that ... I read the docs and could not really find any useful information - maybe I'm tooo stupid -

I know that file "/etc/apt/apt.conf" and "/etc/apt/.conf" ... but could not find something making rules with criteria "reject if not pgpsigned" or "reject with unknownsignature"

Is it possible to give me a little more specific information or maybe a hint or a direct "link" to the docs ...

Yes it's a little much hope, but hope to get it :-)

THANKS
Martin
Post by oc2pus » 26 Mar 2005, 01:43

Martin1802 wrote:
> ... I know that posting and your answer ... but I'm not really sure what you mean or how to handle that ... I read the docs and could not really find any useful information - maybe I'm tooo stupid -
>
> I know that file "/etc/apt/apt.conf" and "/etc/apt/.conf" ... but could not find something making rules with criteria "reject if not pgpsigned" or "reject with unknownsignature"
>
> Is it possible to give me a little more specific information or maybe a hint or a direct "link" to the docs ...

First step:
the file /etc/apt/apt.conf.d/gpg-checker.conf should be modified to:

Code:

// Make GPG::Check no; to disable gpg checking
// It can still be used in combination with --checksig
GPG::Check true;
Scripts::PM::Pre:: gpg-checker.lua;

and your apt will accept only pgp-signed packages.

Second step:
include the repository rpmkeys in your /etc/apt/sources.list
example:

Code:

rpm ftp://ftp.gwdg.de/pub/linux/suse/apt/ SuSE/9.2-i386 rpmkeys

Third step:
run apt update to reflect modifications of your sources.list

Fourth step:
install the gpg-key of all people creating packages for SuSE
apt install rpmkey-*

From now on, no unsigned package should be installed :)
thanks ... but :-)

Post by Martin1802 » 31 Mar 2005, 17:59

Hi oc2pus ...

THANKS for your detailed description ... but that's what the standard install from http://linux01.gwdg.de/apt4rpm/ howto and info does ...

... every "apt update & apt upgrade" or "apt update & apt dist-upgrade" does this by default :-) but only warns me that there are several rpm-packages with unknown or unsigned signature ... that's the problem ... apt only warns me and says "could not update because unknown signatures / unsigned packages" ... but rpmkeys repository /keyrpms are installed ... my question now again is (maybe I'm not accurate enough before):

How is it possible to reject packages (ignore in update process) without or unknown signature ... check the signatures for upgradeable rpms on installed / existing rpmkeys and ignore packages (for dependencies although) with unknown signatures / unsigned packages ... NOT ignore signature checking generally with "GPG::Check no;" !!!

Thanks and hope to have done a more (not confusing) description what I want to do
Martin

Post by oc2pus » 31 Mar 2005, 18:59

Does this mean that you could install unsigned packages even though the flag is set to true in your gpg-checker.conf file?

Normally this results in an error.
Here is an example, I've built two packages without signature and try to install them....

Code:

apt install /home/toni/packages/RPMS/i586/libchipcard2-devel-1.9.12beta-0.oc2pus.1.i586.rpm /home/toni/packages/RPMS/i586/libchipcard2-1.9.12beta-0.oc2pus.1.i586.rpm
Lese Paketlisten... Fertig
Erzeuge Abhängigkeitsbaum... Fertig
Selecting libchipcard2-devel for '/home/toni/packages/RPMS/i586/libchipcard2-devel-1.9.12beta-0.oc2pus.1.i586.rpm'
Selecting libchipcard2 for '/home/toni/packages/RPMS/i586/libchipcard2-1.9.12beta-0.oc2pus.1.i586.rpm'
Die folgenden NEUEN Pakete werden installiert werden:
  libchipcard2 libchipcard2-devel
0 upgraded, 2 newly installed, 0 entfernt und 6 nicht upgegradet.
Muss 0B/414kB an Archiven holen.
Nach dem Auspacken werden 1667kB zusätzlicher Plattenplatz benutzt werden.
Checking GPG signatures...
Unsigned /home/toni/packages/RPMS/i586/libchipcard2-1.9.12beta-0.oc2pus.1.i586.rpm: sha1 md5 OK
Unsigned /home/toni/packages/RPMS/i586/libchipcard2-devel-1.9.12beta-0.oc2pus.1.i586.rpm: sha1 md5 OK
E: Error(s) while checking package signatures:
2 unsigned package(s)
0 package(s) with unknown signatures
0 package(s) with illegal/corrupted signatures
E: Handler silently failed

and NOTHING is installed ...

here is my gpg-checker.conf

Code:

// Make GPG::Check no; to disable gpg checking
// It can still be used in combination with --checksig
GPG::Check true;
Scripts::PM::Pre:: gpg-checker.lua;

Which SuSE version are you using?
Which apt, apt-libs versions?

check also with apt-config dump the following option:

Code:

Scripts::PM::Pre:: "gpg-checker.lua";

this option triggers the execution of the gpg-checker script ...

a list of all possible options can be found in /usr/share/doc/packages/apt/examples/configure-index

hope this helps ...
no ... no install but warning ... resulting in NOinstall

Post by Martin1802 » 31 Mar 2005, 20:04

Hi oc2pus,

no ... sorry for my - maybe - misexplanation ... there is no way to install any package - GPG::Check true - if only one package is unsigned or has unknown key ... gpg-checker.lua works right well ...

I'm searching a method of checking the signature of rpms, but ignore all unsigned rpms or rpms with unknown signature for "apt upgrade" or "apt dist-upgrade" process and solving dependencies ... the thing is only installing signed rpms with known signature !!!

Maybe there's a way to modify the gpg-checker.lua ... is it possible to modify the filelist (for upgrade/dist-upgrade) which is given to gpg-checker.lua ... delete rpms in list with unsigned / unknown signature rpms ... pass modified list back to apt?

Am I right that this script (.lua) is run in preparation step of apt(-get)?

Thanks
Martin

--------------------------
74,8MB in 10m30s (119kB/s) geholt
Checking GPG signatures...
Unknown signature /var/cache/apt/archives/xorg-x11-libs_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-devel_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-Mesa-devel_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unsigned /var/cache/apt/archives/kdegraphics3-extra_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/kdegraphics3-postscript_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/kdegraphics3-tex_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/openldap2-client_2.2.24-0.1_i586.rpm: sha1 md5 OK
Unknown signature /var/cache/apt/archives/libsmbclient_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/xorg-x11-Mesa_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/samba-winbind_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/samba_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/samba-client_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/shared-mime-info_0.15-0.appleonkel.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#91b17afd)
Unknown signature /var/cache/apt/archives/xorg-x11_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5(GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-server_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-server-glx_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unsigned /var/cache/apt/archives/kdegraphics3-devel_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/kdegraphics3-kamera_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/tk_8.4.9-1.1_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/tcl_8.4.9-1.1_i586.rpm: sha1 md5 OK
Unknown signature /var/cache/apt/archives/wine_20050310-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0175623e)
Unknown signature /var/cache/apt/archives/xorg-x11-Xvnc_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-fonts-75dpi_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-fonts-scalable_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
E: Error(s) while checking package signatures:
8 unsigned package(s)
16 package(s) with unknown signatures
0 package(s) with illegal/corrupted signatures

--------------------------

Post by oc2pus » 31 Mar 2005, 20:20

Martin1802 wrote:
> no ... sorry for my - maybe - misexplanation ...

no problem, I'm not a native English speaker :)

Martin1802 wrote:
> there is no way to install any package - GPG::Check true - if only one package is unsigned or has unknown key ... gpg-checker.lua works right well ...

now I got you .. that's right - the strategy is all or nothing at the moment.

Martin1802 wrote:
> I'm searching a method of checking the signature of rpms, but ignore all unsigned rpms or rpms with unknown signature for "apt upgrade" or "apt dist-upgrade" process and solving dependencies ... the thing is only installing signed rpms with known signature !!!

perhaps this should be a feature request for the apt-rpm mailing list.
http://distro2.conectiva.com.br/mailman ... fo/apt-rpm
https://lists.sourceforge.net/lists/lis ... t4rpm-suse

Martin1802 wrote:
> Maybe there's a way to modify the gpg-checker.lua ... is it possible to modify the filelist (for upgrade/dist-upgrade) which is given to gpg-checker.lua ... delete rpms in list with unsigned / unknown signature rpms ... pass modified list back to apt?

if you're able to program lua-scripts, that would fix it ...

Martin1802 wrote:
> Am I right that this script (.lua) is run in preparation step of apt(-get)?

IMHO yes. The script is running before passing anything to rpm.
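Added example, not part of any post in this thread: a Python triage of the "Checking GPG signatures..." output quoted above, which groups the rejected files by missing key ID and cross-checks the result against apt's own summary counts. The sample log is constructed from lines in the thread, and the function name triage is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the format of the apt output quoted in the thread.
SAMPLE = """\
Checking GPG signatures...
Unknown signature /var/cache/apt/archives/samba_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/xorg-x11_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5(GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-libs_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unsigned /var/cache/apt/archives/tcl_8.4.9-1.1_i586.rpm: sha1 md5 OK
E: Error(s) while checking package signatures:
1 unsigned package(s)
3 package(s) with unknown signatures
0 package(s) with illegal/corrupted signatures
"""

ENTRY = re.compile(r"^(Unsigned|Unknown signature) (\S+): (.*)$")
KEY_ID = re.compile(r"GPG#([0-9a-fA-F]{8,16})")
TOTAL = re.compile(r"^(\d+) (unsigned package|package\(s\) with unknown)")

def triage(log):
    """Split gpg-checker output into unsigned files and files per missing key."""
    unsigned, by_key, totals = [], defaultdict(list), {}
    for line in log.splitlines():
        entry = ENTRY.match(line.strip())
        if entry:
            status, path, detail = entry.groups()
            rpm = path.rsplit("/", 1)[-1]
            if status == "Unsigned":
                unsigned.append(rpm)
            else:
                # A file can lack several keys; record it under each one.
                for key in KEY_ID.findall(detail) or ["unparsed"]:
                    by_key[key.lower()].append(rpm)
            continue
        total = TOTAL.match(line.strip())
        if total:
            kind = "unsigned" if total.group(2).startswith("unsigned") else "unknown"
            totals[kind] = int(total.group(1))
    unknown_files = {rpm for rpms in by_key.values() for rpm in rpms}
    # Compare with apt's own summary to notice a truncated or edited log.
    complete = totals == {"unsigned": len(unsigned), "unknown": len(unknown_files)}
    return {"unsigned": unsigned, "missing_keys": dict(by_key), "complete": complete}

if __name__ == "__main__":
    result = triage(SAMPLE)
    for key, rpms in sorted(result["missing_keys"].items()):
        print(f"key {key}: {len(rpms)} file(s): {', '.join(rpms)}")
    print("unsigned:", result["unsigned"], "| log complete:", result["complete"])
```

Files listed under a key ID can be checked once that packager's key has been verified and installed (the fourth step above); files in the unsigned list carry no signature to check at all.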