Hi

Arturo Borrero Gonzalez wrote on Wed 29. 03. 2017 at 14:23 +0200:
> Package: rpm
> Version: 4.12.0.2+dfsg1-1
> Severity: important
>
> Dear Maintainer,
>
> thanks for your work with the rpm package, it's really appreciated.
>
> When running rpmsign to add a signature to an rpm package, it seems to
> accept every password without complaint:
>
> % rpmsign --addsign myrpm.rpm
> Enter pass phrase:
> [ wrong password ]
>
> % echo $?
> 0
>
> I don't know if this means that rpmsign is not able to read my config
> and therefore doesn't do anything.
>
> But still, the result is the same using either a good or a wrong
> password, which is a bit surprising.
The whole thing is caused by newer gpg, which preferably uses gpg-agent and probably doesn't read the passphrase from rpm at all (at least in the default configuration).

I've done some quick tests: the passphrase passed from RPM is not used at all, gpg always asks gpg-agent, and it most likely had the passphrase cached in your case, so the signing did succeed. In case you give a wrong passphrase to the agent, it fails as expected:

$ rpmsign --addsign libgsmsd8-1.38.1-4.1.i586.rpm
Enter pass phrase:
gpg: signing failed: Bad passphrase
gpg: signing failed: Bad passphrase
Pass phrase check failed or gpg key expired
$ echo $?
1

In rpm 4.13 the passphrase is not asked for at all:
https://github.com/rpm-software-management/rpm/commit/0bce5fcf270711a2e077fba0fb7c5979ea007eb5

I can try backporting this patch (excluding the API change), but as the issue is not really severe I'm not sure it's good enough for a freeze exception...

-- 
Michal Čihař | https://cihar.com/ | https://weblate.org/
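An added example, not code from the thread or from rpm: since rpmsign's exit status says nothing about whether the typed passphrase was ever checked, a signing step can instead verify the resulting package against the expected key ID with `rpm -Kv`. The function names, the key ID 3d5d2f0e, the package name and the sample verification outputs are constructed, and the signing key's public half is assumed to have been imported with `rpm --import` (otherwise rpm reports NOKEY and the check fails on purpose).

```shell
#!/bin/sh
# Added example: check that a package really carries a signature from the
# expected key, rather than trusting rpmsign's exit status (the thread shows
# it is 0 whenever gpg-agent hands gpg a cached passphrase).
# Assumes the public key was imported with `rpm --import`; otherwise
# `rpm -Kv` reports NOKEY and the check deliberately fails.

# Read `rpm -Kv` output on stdin; succeed only if a signature line for key
# $1 (hex key ID, any case) verified as OK and none verified otherwise.
sig_key_ok() {
    expected=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    found=1
    while IFS= read -r line; do
        case "$line" in
            *"Signature, key ID ${expected}: OK"*) found=0 ;;
            *"Signature, key ID ${expected}: "*)   return 1 ;;  # BAD, NOKEY, NOTTRUSTED...
        esac
    done
    return "$found"
}

# Sign, then verify independently; the final status is the verification's.
sign_and_verify() {
    rpmsign --addsign "$1" || return 1
    rpm -Kv "$1" | sig_key_ok "$2"
}

# Constructed samples in rpm -Kv's output format (hypothetical key 3d5d2f0e).
SIGNED_OK='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID 3d5d2f0e: OK
    Header SHA1 digest: OK
    V4 RSA/SHA256 Signature, key ID 3d5d2f0e: OK
    MD5 digest: OK'
UNSIGNED='pkg.rpm:
    Header SHA1 digest: OK
    MD5 digest: OK'
KEY_MISSING='pkg.rpm:
    Header V4 RSA/SHA256 Signature, key ID 3d5d2f0e: NOKEY
    Header SHA1 digest: OK'

# Exercise the parser on the samples; returns 0 when every case behaves.
selftest() {
    printf '%s\n' "$SIGNED_OK"   | sig_key_ok 3D5D2F0E || return 1   # accepted
    printf '%s\n' "$SIGNED_OK"   | sig_key_ok deadbeef && return 1   # wrong key
    printf '%s\n' "$UNSIGNED"    | sig_key_ok 3d5d2f0e && return 1   # no signature
    printf '%s\n' "$KEY_MISSING" | sig_key_ok 3d5d2f0e && return 1   # key not imported
    return 0
}

if [ $# -eq 2 ] && command -v rpm >/dev/null 2>&1; then
    sign_and_verify "$1" "$2"   # usage: ./check.sh package.rpm <key id>
fi
```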