-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
On 2016-06-17 21:22, Andrew David Wong wrote:
> On 2016-06-17 18:02, raah...@gmail.com wrote:
>> But what if when it says it can't verify key signatures possibly?
>> Will it automatically hit Y to continue? I wouldn't like that.
>> Or what about any possible error messages? I still like to see
>> the text on the screen.
>
> The last time this question came up, the answer was "no, it would
> not automatically say 'yes' to installing a package whose signature
> cannot be verified."
>
> If that turns out to be false, then I'll have to assume that all of
> my templates are compromised.
>
I decided to test this, just to make sure. Here's how I tested:
1. Installed fedora-23-minimal from the Qubes repos.
2. Inside fedora-23-minimal, renamed all the keys in /etc/pki/rpm-gpg.
3. Erased all keys that had been imported in rpm with this command:
# rpm -e --allmatches gpg-pubkey-{hash}
(Repeated for each gpg-pubkey-{hash}.)
4. From dom0, ran this command:
$ qvm-run -a -p -u root fedora-23-minimal 'dnf -y upgrade'
5. Received this output from the template during the attempted upgrade:
warning: /var/cache/dnf/updates-e042e478e0621ea6/packages/sqlite-libs-3.11.0-3.fc23.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 34ec9cba: NOKEY
Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64 [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64]
So, it looks like using the '-y' (assumeyes) option is indeed safe as
far as PGP/GPG signature verification on packages is concerned.
If anyone has reason to suspect otherwise, or sees a flaw in this
test, please do let us know.
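The test above shows that dnf's `-y` only pre-answers prompts and does not switch off signature checking. What would switch it off is `gpgcheck=0` in a repo definition (or `--nogpgcheck` on the command line), so a defender auditing a template wants two things: proof that every repo section enforces `gpgcheck=1`, and a scan of the upgrade output for the NOKEY / missing-key lines quoted in the thread. The following POSIX shell script is an added example, not code from the thread or from the Qubes or Fedora projects. The `.repo` contents and the log files are constructed samples written to a temporary directory; the second log is modelled on the two lines Andrew quoted. The function names and the list of warning patterns are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the original thread): audit dnf repo config for
# gpgcheck enforcement and scan dnf/rpm output for unverifiable signatures.

# audit_repo_file FILE
# Prints "<section>: gpgcheck=<value>" for every [section] in a dnf/yum
# .repo file where gpgcheck is not exactly 1 (missing counts as not set).
# Returns 0 when every section has gpgcheck=1, 1 otherwise.
audit_repo_file() {
    awk '
        function flush() {
            if (sect != "" && check != "1") {
                print sect ": gpgcheck=" (check == "" ? "<missing>" : check)
                bad = 1
            }
        }
        /^[[:space:]]*\[.*\]/ {
            flush()
            sect = $0
            gsub(/^[[:space:]]*\[|\][[:space:]]*$/, "", sect)
            check = ""
            next
        }
        /^[[:space:]]*gpgcheck[[:space:]]*=/ {
            split($0, kv, "=")
            check = kv[2]
            gsub(/[[:space:]]/, "", check)
        }
        END { flush(); exit bad ? 1 : 0 }
    ' "$1"
}

# scan_dnf_output FILE
# Prints any line that indicates a package signature could not be verified
# (patterns are this example's assumption, taken from the rpm/dnf wording
# quoted in the thread) and returns 1; returns 0 when nothing matches.
scan_dnf_output() {
    grep -E 'NOKEY|BAD signature|NOT OK|Couldn.t open file|GPG check FAILED' "$1" && return 1
    return 0
}

# --- constructed sample inputs (not real Fedora/Qubes repo definitions) ---
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT

cat > "$TMP/good.repo" <<'EOF'
[fedora]
name=Fedora 23
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64
EOF

cat > "$TMP/weak.repo" <<'EOF'
[fedora]
gpgcheck=1
[updates-testing]
gpgcheck=0
[extras]
enabled=1
EOF

# constructed dnf output modelled on the lines quoted in the thread
cat > "$TMP/dnf-nokey.log" <<'EOF'
warning: /var/cache/dnf/updates-e042e478e0621ea6/packages/sqlite-libs-3.11.0-3.fc23.x86_64.rpm: Header V3 RSA/SHA256 Signature, key ID 34ec9cba: NOKEY
Curl error (37): Couldn't read a file:// file for file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64 [Couldn't open file /etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-23-x86_64]
EOF

cat > "$TMP/dnf-clean.log" <<'EOF'
Last metadata expiration check: 0:10:00 ago.
Dependencies resolved.
Nothing to do.
Complete!
EOF

# Stand-alone demo: report the weak repo and the NOKEY upgrade log.
audit_repo_file "$TMP/weak.repo" || echo "repo audit: gpgcheck not enforced in every section"
scan_dnf_output "$TMP/dnf-nokey.log" || echo "dnf output: unverifiable package signature seen"
```

In practice you would point `audit_repo_file` at each file under `/etc/yum.repos.d/` in the template and pipe the output of `qvm-run -p ... 'dnf -y upgrade'` into a file for `scan_dnf_output`, so that a NOKEY line fails the run instead of scrolling past unnoticed.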