... possible rejecting rpms without or unknown signature?


Post by Martin1802 » 21 Mar 2005, 13:58

Hi :-)

I'm terribly sad because I could not find an option for rejecting packages without a signature or with an unknown signature ... any option for apt.conf or commandline available ... read the docs / manpages / forum threads ...

... I'm sure there is one but could not find it in docs :-(

Please help
Martin

Post by Grothesk » 21 Mar 2005, 14:24

Do you speak German?

Here is a how-to in German:
http://www.linux-club.de/viewtopic.php?t=24634

In short:
In etc/apt/apt.conf.d/gpg-checker.conf
change "GPG::Check true" to "GPG::Check false" to enable checks and vice versa.


Post by oc2pus » 21 Mar 2005, 14:31

Martin1802 wrote:
> I'm terribly sad because I could not find an option for rejecting packages without a signature or with an unknown signature ... any option for apt.conf or commandline available ... read the docs / manpages / forum threads ...
>
> ... I'm sure there is one but could not find it in docs :-(

hm, I'm a little bit confused ... in this thread you've already posted the answer to your question:
http://www.linux-club.de/viewtopic.php?t=14561
tell people what you want to do, and they'll probably help you to do it.
PackMan
LinWiki: The wiki for Linux users


Post by Martin1802 » 22 Mar 2005, 15:14

Hi oc2pus,

sorry for my question again ... I know that posting and your answer ... but I'm not really sure what you mean or how to handle that ... I read the docs and could not really find any useful information - maybe I'm too stupid -

I know the files "/etc/apt/apt.conf" and "/etc/apt/.conf" ... but could not find something making rules with criteria "reject if not pgpsigned" or "reject with unknownsignature"

Is it possible to give me a little more specific information or maybe a hint or a direct "link" to the docs ...

Yes it's a little much hope, but hope to get it :-)

THANKS
Martin


Post by oc2pus » 26 Mar 2005, 01:43

Martin1802 wrote:
> ... I know that posting and your answer ... but I'm not really sure what you mean or how to handle that ... I read the docs and could not really find any useful information - maybe I'm too stupid -
>
> I know the files "/etc/apt/apt.conf" and "/etc/apt/.conf" ... but could not find something making rules with criteria "reject if not pgpsigned" or "reject with unknownsignature"
>
> Is it possible to give me a little more specific information or maybe a hint or a direct "link" to the docs ...

First step:
the file /etc/apt/apt.conf.d/gpg-checker.conf should be modified to:

Code:

// Make GPG::Check no; to disable gpg checking
// It can still be used in combination with --checksig
GPG::Check true;
Scripts::PM::Pre:: gpg-checker.lua;

and your apt will accept only pgp-signed packages.

Second step:
include the repository rpmkeys in your /etc/apt/sources.list
example:

Code:

rpm ftp://ftp.gwdg.de/pub/linux/suse/apt/ SuSE/9.2-i386 rpmkeys

Third step:
run apt update to reflect modifications of your sources.list

Fourth step:
install the gpg-key of all people creating packages for SuSE

Code:

apt install rpmkey-*

From now on, no unsigned package should be installed :)

thanks ... but :-)

Post by Martin1802 » 31 Mar 2005, 17:59

Hi oc2pus ...

THANKS for your detailed description ... but that's what the standard install from http://linux01.gwdg.de/apt4rpm/ howto and info does ...

... every "apt update & apt upgrade" or "apt update & apt dist-upgrade" does this by default :-) but only warns me that there are several rpm-packages with unknown or unsigned signature ... that's the problem ... apt only warns me and says "could not update because unknown signatures / unsigned packages" ... but rpmkeys repository / keyrpms are installed ... my question now again is (maybe I was not accurate enough before):

How is it possible to reject packages (ignore in update process) without or with unknown signature ... check the signatures for upgradeable rpms on installed / existing rpmkeys and ignore packages (for dependencies also) with unknown signatures / unsigned packages ... NOT ignore signature checking generally with "GPG::Check no;" !!!

Thanks, and I hope to have given a clearer (not confusing) description of what I want to do
Martin


Post by oc2pus » 31 Mar 2005, 18:59

Does this mean that you could install unsigned packages even though the flag is set to true in your gpg-checker.conf file?

Normally this results in an error.
Here is an example: I've built two packages without signature and try to install them ...

Code:

apt install /home/toni/packages/RPMS/i586/libchipcard2-devel-1.9.12beta-0.oc2pus.1.i586.rpm /home/toni/packages/RPMS/i586/libchipcard2-1.9.12beta-0.oc2pus.1.i586.rpm
Lese Paketlisten... Fertig
Erzeuge Abhängigkeitsbaum... Fertig
Selecting libchipcard2-devel for '/home/toni/packages/RPMS/i586/libchipcard2-devel-1.9.12beta-0.oc2pus.1.i586.rpm'
Selecting libchipcard2 for '/home/toni/packages/RPMS/i586/libchipcard2-1.9.12beta-0.oc2pus.1.i586.rpm'
Die folgenden NEUEN Pakete werden installiert werden:
  libchipcard2 libchipcard2-devel
0 upgraded, 2 newly installed, 0 entfernt und 6 nicht upgegradet.
Muss 0B/414kB an Archiven holen.
Nach dem Auspacken werden 1667kB zusätzlicher Plattenplatz benutzt werden.
Checking GPG signatures...
Unsigned /home/toni/packages/RPMS/i586/libchipcard2-1.9.12beta-0.oc2pus.1.i586.rpm: sha1 md5 OK
Unsigned /home/toni/packages/RPMS/i586/libchipcard2-devel-1.9.12beta-0.oc2pus.1.i586.rpm: sha1 md5 OK
E: Error(s) while checking package signatures:
2 unsigned package(s)
0 package(s) with unknown signatures
0 package(s) with illegal/corrupted signatures
E: Handler silently failed

and NOTHING is installed ...

here is my gpg-checker.conf

Code:

// Make GPG::Check no; to disable gpg checking
// It can still be used in combination with --checksig
GPG::Check true;
Scripts::PM::Pre:: gpg-checker.lua;

which SuSE version are you using?
which apt, apt-libs versions?

check also with apt-config dump the following option:

Code:

Scripts::PM::Pre:: "gpg-checker.lua";

this option triggers the execution of the gpg-checker script ...

a list of all possible options can be found in /usr/share/doc/packages/apt/examples/configure-index

hope this helps ...

no ... no install but warning ... resulting in NOinstall

Post by Martin1802 » 31 Mar 2005, 20:04

Hi oc2pus,

no ... sorry for my - maybe - misexplanation ... there is no way to install any package - GPG::Check true - if only one package is unsigned or has unknown key ... gpg-checker.lua works right well ...

I'm searching for a method of checking the signature of rpms, but ignoring all unsigned rpms or rpms with unknown signature for the "apt upgrade" or "apt dist-upgrade" process and solving dependencies ... the thing is only installing signed rpms with known signature !!!

Maybe there's a way to modify the gpg-checker.lua ... is it possible to modify the filelist (for upgrade/dist-upgrade) which is given to gpg-checker.lua ... delete rpms in the list with unsigned / unknown signature rpms ... pass modified list back to apt?

Am I right that this script (.lua) is run in the preparation step of apt(-get)?

Thanks
Martin

--------------------------
74,8MB in 10m30s (119kB/s) geholt
Checking GPG signatures...
Unknown signature /var/cache/apt/archives/xorg-x11-libs_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-devel_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-Mesa-devel_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unsigned /var/cache/apt/archives/kdegraphics3-extra_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/kdegraphics3-postscript_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/kdegraphics3-tex_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/openldap2-client_2.2.24-0.1_i586.rpm: sha1 md5 OK
Unknown signature /var/cache/apt/archives/libsmbclient_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/xorg-x11-Mesa_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/samba-winbind_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/samba_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/samba-client_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/shared-mime-info_0.15-0.appleonkel.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#91b17afd)
Unknown signature /var/cache/apt/archives/xorg-x11_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5(GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-server_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-server-glx_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unsigned /var/cache/apt/archives/kdegraphics3-devel_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/kdegraphics3-kamera_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/tk_8.4.9-1.1_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/tcl_8.4.9-1.1_i586.rpm: sha1 md5 OK
Unknown signature /var/cache/apt/archives/wine_20050310-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0175623e)
Unknown signature /var/cache/apt/archives/xorg-x11-Xvnc_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-fonts-75dpi_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-fonts-scalable_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
E: Error(s) while checking package signatures:
8 unsigned package(s)
16 package(s) with unknown signatures
0 package(s) with illegal/corrupted signatures

--------------------------


Post by oc2pus » 31 Mar 2005, 20:20

Martin1802 wrote:
> no ... sorry for my - maybe - misexplanation ...

no problem, I'm not a native English speaker :)

Martin1802 wrote:
> there is no way to install any package - GPG::Check true - if only one package is unsigned or has unknown key ... gpg-checker.lua works right well ...

now I got you .. that's right - the strategy is all or nothing at the moment.

Martin1802 wrote:
> I'm searching for a method of checking the signature of rpms, but ignoring all unsigned rpms or rpms with unknown signature for the "apt upgrade" or "apt dist-upgrade" process and solving dependencies ... the thing is only installing signed rpms with known signature !!!

perhaps this should be a feature request for the apt-rpm mailing list.
http://distro2.conectiva.com.br/mailman ... fo/apt-rpm
https://lists.sourceforge.net/lists/lis ... t4rpm-suse

Martin1802 wrote:
> Maybe there's a way to modify the gpg-checker.lua ... is it possible to modify the filelist (for upgrade/dist-upgrade) which is given to gpg-checker.lua ... delete rpms in the list with unsigned / unknown signature rpms ... pass modified list back to apt?

if you're able to program lua-scripts, that would fix it ...

Martin1802 wrote:
> Am I right that this script (.lua) is run in the preparation step of apt(-get)?

IMHO yes. The script is running before passing anything to rpm.
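
A triage helper for the checker output quoted in this thread, as an added example that is not part of the original posts or of apt-rpm: it groups the rejected packages by missing key ID and cross-checks the per-line findings against the summary counts, so it is clear which signing keys are absent and which packages carry no signature at all. The function name `triage` and the sample lines are constructed for illustration; only the line format is taken from the output above.

```python
import re
from collections import defaultdict

# Line shapes taken from the checker output quoted in this thread.
UNSIGNED = re.compile(r"^Unsigned (\S+\.rpm):")
UNKNOWN = re.compile(r"^Unknown signature (\S+\.rpm):.*\(MISSING KEYS: ([^)]+)\)")
SUMMARY = re.compile(r"^(\d+) (unsigned package|package\(s\) with unknown signatures)")

def triage(output):
    """Group rejected packages by reason and check them against the summary."""
    unsigned, by_key, unknown, claimed = [], defaultdict(list), set(), {}
    for raw in output.splitlines():
        line = raw.strip()
        m = UNSIGNED.match(line)
        if m:
            unsigned.append(m.group(1).rsplit("/", 1)[-1])
            continue
        m = UNKNOWN.match(line)
        if m:
            pkg = m.group(1).rsplit("/", 1)[-1]
            unknown.add(pkg)
            # Assumption: several key IDs, if present, are space/comma separated.
            for key in re.split(r"[,\s]+", m.group(2).strip()):
                by_key[key.split("#")[-1].lower()].append(pkg)
            continue
        m = SUMMARY.match(line)
        if m:
            kind = "unsigned" if m.group(2).startswith("unsigned") else "unknown"
            claimed[kind] = int(m.group(1))
    # A mismatch means the log is truncated or was edited after the run.
    consistent = claimed == {"unsigned": len(unsigned), "unknown": len(unknown)}
    return {"unsigned": sorted(unsigned), "missing_keys": dict(by_key), "consistent": consistent}

# Constructed sample in the format shown in the thread (not a real capture).
SAMPLE = """\
Unknown signature /var/cache/apt/archives/foo-libs_1.0-1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#aaaa1111)
Unknown signature /var/cache/apt/archives/foo_1.0-1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#aaaa1111)
Unsigned /var/cache/apt/archives/bar_2.0-3_i586.rpm: sha1 md5 OK
Unknown signature /var/cache/apt/archives/baz_0.5-2_i586.rpm: (SHA1) DSA sha1 md5(GPG) NOT OK (MISSING KEYS: GPG#BBBB2222)
E: Error(s) while checking package signatures:
1 unsigned package(s)
3 package(s) with unknown signatures
0 package(s) with illegal/corrupted signatures
"""

if __name__ == "__main__":
    report = triage(SAMPLE)
    for key, pkgs in sorted(report["missing_keys"].items()):
        print(f"missing key {key}: {', '.join(pkgs)}")
    print("unsigned:", report["unsigned"], "| summary matches:", report["consistent"])
```

Each missing key ID should be verified against its packager's published key before it is installed; the unsigned packages cannot be made to pass by importing any key.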
