[packman] does packman have a new key or what is going on?

S. sb56637 at gmail.com
Fri Oct 29 15:34:29 CEST 2021


On Fri Oct 29 08:28:36 CEST 2021 Stefan Seyfried wrote:
> probably rpm needs to be fixed to again accept keys that were totally fine before the update.
> 
> So I'd suggest filing a bug against 15.3 rpm package.

I very much agree with you that this appears to be an unnecessary problem caused by rpm. But I suspect that a bug report will lead to a response that it's working as designed:
https://github.com/rpm-software-management/rpm/commit/f22499a05d0a01e35dd10d7644f8d74391ba4222
> *Reject unimplemented critical PGP packets as per RFC-4880*
>> Bit 7 of the subpacket type is the "critical" bit.  If set, it denotes that the subpacket is one that is critical for the evaluator of the signature to recognize.  If a subpacket is encountered that is marked critical but is unknown to the evaluating software, the evaluator SHOULD consider the signature to be in error.

So it appears that the evaluating software (rpm) is obeying the spec and appropriately failing, whereas zypper isn't obeying it by virtue of being less strict. Especially given the hostility that so many openSUSE graybeards show toward Packman (and I can't find any other keys that rpm is rejecting in this way), I don't see openSUSE fixing this, unfortunately.

To me the easiest solution seems to be just creating a new key for Packman. Users will get a prompt, but that will be the end of the problem, and as it is they're already getting loads of errors about the problematic key as mentioned in this thread.

It also appears that it's possible to somehow remove the "critical" bit from a specific location in the key, thus "repairing" it and allowing us to keep using the same key.
https://1password.community/discussion/comment/615922/#Comment_615922
> Yesterday we published a fixed version of the PGP key that now works with the newer version of RPM. It's the same key, but we were able to remove the packets that RPM no longer supports.
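
The RFC 4880 rule quoted in this message, as an added example that is not part of the original post and is not rpm's code: it walks a signature subpacket area and reports subpackets whose type octet has bit 7 set but whose type is not in the evaluator's implemented set. The sample bytes and the `implemented` set are constructed for illustration and do not describe the Packman key or any rpm version.

```python
CRITICAL_BIT = 0x80  # bit 7 of the subpacket type octet (RFC 4880)

# Constructed sample subpacket area (not taken from any real key):
# type 2 not critical, type 27 critical, type 20 critical.
SAMPLE_AREA = bytes.fromhex(
    "0502617bf500"                    # len 5, type 0x02, 4 data octets
    "029b03"                          # len 2, type 0x9b = 27 | 0x80
    "0d94000000000003000161406278"    # len 13, type 0x94 = 20 | 0x80
)

def parse_subpackets(area: bytes):
    """Return [(type, critical, data), ...] for one signature subpacket area."""
    out, i = [], 0
    while i < len(area):
        first = area[i]
        if first < 192:                       # one-octet length
            length, i = first, i + 1
        elif first < 255:                     # two-octet length
            if i + 2 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = ((first - 192) << 8) + area[i + 1] + 192, i + 2
        else:                                 # five-octet length
            if i + 5 > len(area):
                raise ValueError("truncated subpacket length")
            length, i = int.from_bytes(area[i + 1:i + 5], "big"), i + 5
        # The length counts the type octet, so it must be at least 1.
        if length < 1 or i + length > len(area):
            raise ValueError("subpacket length out of range")
        type_octet = area[i]
        out.append((type_octet & 0x7F, bool(type_octet & CRITICAL_BIT),
                    area[i + 1:i + length]))
        i += length
    return out

def unrecognized_critical(area: bytes, implemented: set):
    """Types marked critical that the evaluator does not implement.

    A non-empty result is the case where RFC 4880 says the evaluator
    SHOULD consider the signature to be in error.
    """
    return [t for t, critical, _ in parse_subpackets(area)
            if critical and t not in implemented]

if __name__ == "__main__":
    # Hypothetical evaluator that implements only types 2 and 27.
    print(unrecognized_critical(SAMPLE_AREA, {2, 27}))
```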


