
... possible to reject rpms without or with unknown signature?

Hi :)

I'm terribly sad because I could not find an option for rejecting packages without or with an unknown signature ... is there any option for apt.conf or the command line available? ... I've read the docs / manpages / forum threads ...

... I'm sure there is one but could not find it in docs :-(

Please help
Martin
 

Grothesk

Ultimate Guru
Do you speak German?

Here is a how-to in german:
http://www.linux-club.de/viewtopic.php?t=24634

In short:
In etc/apt/apt.conf.d/gpg-checker.conf
change "GPG::Check true" to "GPG::Check false" to enable checks and vice versa.
 

oc2pus

Ultimate Guru
Martin1802 wrote:
I'm terribly sad because I could not find an option for rejecting packages without or with an unknown signature ... is there any option for apt.conf or the command line available? ... I've read the docs / manpages / forum threads ...

... I'm sure there is one but could not find it in docs :-(

hm, I'm a little bit confused ... in this thread you've already posted the answer to your question:
http://www.linux-club.de/viewtopic.php?t=14561
 

Martin1802

Member
Hi oc2pus,

sorry for asking my question again ... I know that posting and your answer ... but I'm not really sure what you mean or how to handle that ... I read the docs and could not really find useful information - maybe I'm too stupid -

I know the files "/etc/apt/apt.conf" and "/etc/apt/.conf" ... but could not find anything for making rules with criteria like "reject if not pgp-signed" or "reject if unknown signature"

Is it possible to give me a little more specific information, or maybe a hint or a direct "link" to the docs ...

Yes, it's a little much to hope for, but I hope to get it :)

THANKS
Martin

oc2pus wrote:
Martin1802 wrote:
I'm terribly sad because I could not find an option for rejecting packages without or with an unknown signature ... is there any option for apt.conf or the command line available? ... I've read the docs / manpages / forum threads ...

... I'm sure there is one but could not find it in docs :-(

hm, I'm a little bit confused ... in this thread you've already posted the answer to your question:
http://www.linux-club.de/viewtopic.php?t=14561
 

oc2pus

Ultimate Guru
Martin1802 wrote:
... I know that posting and your answer ... but I'm not really sure what you mean or how to handle that ... I read the docs and could not really find useful information - maybe I'm too stupid -

I know the files "/etc/apt/apt.conf" and "/etc/apt/.conf" ... but could not find anything for making rules with criteria like "reject if not pgp-signed" or "reject if unknown signature"

Is it possible to give me a little more specific information, or maybe a hint or a direct "link" to the docs ...

First step:
the file /etc/apt/apt.conf.d/gpg-checker.conf should be modified to:
Code:
// Make GPG::Check no; to disable gpg checking
// It can still be used in combination with --checksig
GPG::Check true;
Scripts::PM::Pre:: gpg-checker.lua;
and your apt will accept only pgp-signed packages.

Second Step:
include the rpmkeys repository in your /etc/apt/sources.list
example:
Code:
rpm ftp://ftp.gwdg.de/pub/linux/suse/apt/ SuSE/9.2-i386 rpmkeys

Third step:
run apt update to reflect the modifications of your sources.list

Fourth step:
install the gpg-keys of all people creating packages for SuSE
apt install rpmkey-*

From now on, no unsigned package should be installed :)
 

Martin1802

Member
Hi oc2pus ...

THANKS for your detailed description ... but that's what the standard install from the http://linux01.gwdg.de/apt4rpm/ howto and info does ...

... every "apt update & apt upgrade" or "apt update & apt dist-upgrade" does this by default :) but it only warns me that there are several rpm packages with unknown or missing signatures ... that's the problem ... apt only warns me and says "could not update because of unknown signatures / unsigned packages" ... but the rpmkeys repository / key rpms are installed ... so my question again is (maybe I was not accurate enough before):

How is it possible to reject packages (ignore them in the update process) without or with an unknown signature ... check the signatures of upgradeable rpms against the installed / existing rpmkeys and ignore packages (for dependencies although) with unknown signatures / unsigned packages ... NOT ignore signature checking generally with "GPG::Check no;" !!!

Thanks, and I hope to have given a clearer (not confusing) description of what I want to do
Martin
 

oc2pus

Ultimate Guru
Does this mean that you could install unsigned packages even though the flag is set to true in your gpg-checker.conf file?

Normally this results in an error.
Here is an example: I've built two packages without a signature and try to install them....
Code:
apt install /home/toni/packages/RPMS/i586/libchipcard2-devel-1.9.12beta-0.oc2pus.1.i586.rpm /home/toni/packages/RPMS/i586/libchipcard2-1.9.12beta-0.oc2pus.1.i586.rpm
Lese Paketlisten... Fertig
Erzeuge Abhängigkeitsbaum... Fertig
Selecting libchipcard2-devel for '/home/toni/packages/RPMS/i586/libchipcard2-devel-1.9.12beta-0.oc2pus.1.i586.rpm'
Selecting libchipcard2 for '/home/toni/packages/RPMS/i586/libchipcard2-1.9.12beta-0.oc2pus.1.i586.rpm'
Die folgenden NEUEN Pakete werden installiert werden:
  libchipcard2 libchipcard2-devel
0 upgraded, 2 newly installed, 0 entfernt und 6 nicht upgegradet.
Muss 0B/414kB an Archiven holen.
Nach dem Auspacken werden 1667kB zusätzlicher Plattenplatz benutzt werden.
Checking GPG signatures...
Unsigned /home/toni/packages/RPMS/i586/libchipcard2-1.9.12beta-0.oc2pus.1.i586.rpm: sha1 md5 OK
Unsigned /home/toni/packages/RPMS/i586/libchipcard2-devel-1.9.12beta-0.oc2pus.1.i586.rpm: sha1 md5 OK
E: Error(s) while checking package signatures:
2 unsigned package(s)
0 package(s) with unknown signatures
0 package(s) with illegal/corrupted signatures
E: Handler silently failed
and NOTHING is installed ...

here is my gpg-checker.conf
Code:
// Make GPG::Check no; to disable gpg checking
// It can still be used in combination with --checksig
GPG::Check true;
Scripts::PM::Pre:: gpg-checker.lua;

which SuSE version are you using?
which apt and apt-libs versions?

check also with apt-config dump the following option:
Code:
Scripts::PM::Pre:: "gpg-checker.lua";
this option triggers the execution of the gpg-checker script ...

a list of all possible options can be found in /usr/share/doc/packages/apt/examples/configure-index

hope this helps ...
 

Martin1802

Member
Hi oc2pus,

no ... sorry for my - maybe - misexplanation ... there is no way to install any package - GPG::Check true - if only one package is unsigned or has an unknown key ... gpg-checker.lua works really well ...

I'm searching for a method of checking the signatures of rpms, but ignoring all unsigned rpms or rpms with an unknown signature during the "apt upgrade" or "apt dist-upgrade" process and dependency solving ... the thing is to only install signed rpms with a known signature !!!

Maybe there's a way to modify gpg-checker.lua ... is it possible to modify the file list (for upgrade/dist-upgrade) which is given to gpg-checker.lua ... delete the rpms in the list with unsigned / unknown-signature rpms ... and pass the modified list back to apt?

Am I right that this script (.lua) is run in the preparation step of apt(-get)?

Thanks
Martin

--------------------------
74,8MB in 10m30s (119kB/s) geholt
Checking GPG signatures...
Unknown signature /var/cache/apt/archives/xorg-x11-libs_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-devel_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-Mesa-devel_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unsigned /var/cache/apt/archives/kdegraphics3-extra_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/kdegraphics3-postscript_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/kdegraphics3-tex_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/openldap2-client_2.2.24-0.1_i586.rpm: sha1 md5 OK
Unknown signature /var/cache/apt/archives/libsmbclient_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/xorg-x11-Mesa_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/samba-winbind_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/samba_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/samba-client_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/shared-mime-info_0.15-0.appleonkel.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#91b17afd)
Unknown signature /var/cache/apt/archives/xorg-x11_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5(GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-server_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-server-glx_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unsigned /var/cache/apt/archives/kdegraphics3-devel_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/kdegraphics3-kamera_3.4.0-13_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/tk_8.4.9-1.1_i586.rpm: sha1 md5 OK
Unsigned /var/cache/apt/archives/tcl_8.4.9-1.1_i586.rpm: sha1 md5 OK
Unknown signature /var/cache/apt/archives/wine_20050310-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0175623e)
Unknown signature /var/cache/apt/archives/xorg-x11-Xvnc_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-fonts-75dpi_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unknown signature /var/cache/apt/archives/xorg-x11-fonts-scalable_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
E: Error(s) while checking package signatures:
8 unsigned package(s)
16 package(s) with unknown signatures
0 package(s) with illegal/corrupted signatures

--------------------------
 

oc2pus

Ultimate Guru
Martin1802 wrote:
no ... sorry for my - maybe - misexplanation ...
no problem, I'm not a native English speaker :)

Martin1802 wrote:
there is no way to install any package - GPG::Check true - if only one package is unsigned or has an unknown key ... gpg-checker.lua works really well ...
now I got you .. that's right - the strategy is all or nothing at the moment.

Martin1802 wrote:
I'm searching for a method of checking the signatures of rpms, but ignoring all unsigned rpms or rpms with an unknown signature during the "apt upgrade" or "apt dist-upgrade" process and dependency solving ... the thing is to only install signed rpms with a known signature !!!
perhaps this should be a feature request for the apt-rpm mailing list.
http://distro2.conectiva.com.br/mailman/listinfo/apt-rpm
https://lists.sourceforge.net/lists/listinfo/apt4rpm-suse

Martin1802 wrote:
Maybe there's a way to modify gpg-checker.lua ... is it possible to modify the file list (for upgrade/dist-upgrade) which is given to gpg-checker.lua ... delete the rpms in the list with unsigned / unknown-signature rpms ... and pass the modified list back to apt?
if you're able to program Lua scripts, that would fix it ...

Martin1802 wrote:
Am I right that this script (.lua) is run in the preparation step of apt(-get)?
IMHO yes. The script is running before passing anything to rpm.
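One way to act on the gpg-checker output Martin pasted and on oc2pus's four-step setup, as an added example that is not from this thread, from apt-rpm or from gpg-checker.lua: a small Python parser that splits the archives into "unsigned" and "unknown key", cross-checks them against the counts in apt's own E: block, and lists which key ids still have to be installed from the rpmkeys repository (oc2pus's fourth step) before the upgrade can go through with GPG::Check left on. The sample output is constructed in the format shown above, and all function and variable names are my own.

```python
import re

# Constructed sample: a shortened copy of the gpg-checker.lua output shape quoted in the thread
SAMPLE = """\
Checking GPG signatures...
Unknown signature /var/cache/apt/archives/xorg-x11-libs_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unsigned /var/cache/apt/archives/kdegraphics3-extra_3.4.0-13_i586.rpm: sha1 md5 OK
Unknown signature /var/cache/apt/archives/samba_3.0.13-0.1_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#414a57c3)
Unknown signature /var/cache/apt/archives/xorg-x11_6.8.2-0.1_i586.rpm: (SHA1) DSA sha1 md5(GPG) NOT OK (MISSING KEYS: GPG#0dd8616d)
Unsigned /var/cache/apt/archives/tk_8.4.9-1.1_i586.rpm: sha1 md5 OK
E: Error(s) while checking package signatures:
2 unsigned package(s)
3 package(s) with unknown signatures
0 package(s) with illegal/corrupted signatures
"""

UNSIGNED_RE = re.compile(r"^Unsigned (\S+\.rpm):")
UNKNOWN_RE = re.compile(r"^Unknown signature (\S+\.rpm):.*MISSING KEYS: GPG#([0-9a-fA-F]+)")
SUMMARY_RE = re.compile(r"^(\d+) (?:(unsigned) package\(s\)|package\(s\) with (unknown|illegal/corrupted))")

def parse_gpg_checker(text):
    """Split gpg-checker output into the two failure classes plus apt's own summary counts."""
    rep = {"unsigned": [], "unknown": {}, "summary": {}}
    for line in text.splitlines():
        if m := UNSIGNED_RE.match(line):
            rep["unsigned"].append(m.group(1))               # no signature at all
        elif m := UNKNOWN_RE.match(line):
            rep["unknown"][m.group(1)] = m.group(2).lower()  # signed, but key not imported
        elif m := SUMMARY_RE.match(line):
            rep["summary"][m.group(2) or m.group(3)] = int(m.group(1))
    return rep

def consistent(rep):
    """Cross-check the parsed lines against the counts apt printed in the E: block."""
    return (rep["summary"].get("unsigned") == len(rep["unsigned"])
            and rep["summary"].get("unknown") == len(rep["unknown"]))

def missing_keys(rep):
    """Key ids to install from the rpmkeys repository before retrying the upgrade."""
    return sorted(set(rep["unknown"].values()))

def package_name(archive_path):
    """apt-rpm caches archives as name_version-release_arch.rpm; recover the package name."""
    return archive_path.rsplit("/", 1)[-1].rsplit("_", 2)[0]

def packages_to_exclude(rep):
    """Names a 'known keys only' policy would have to leave out of the upgrade set."""
    return sorted({package_name(p) for p in rep["unsigned"] + list(rep["unknown"])})
```

Importing the listed keys (the rpmkey-* packages) shrinks the unknown-key class to zero; the unsigned class can only be cleared by the packager signing, so those names are the ones to hold back rather than a reason to set GPG::Check to no.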
 