[OpenAFS] OpenAFS release 1.6.21 available

Garance A Drosehn drosih@rpi.edu
Fri, 11 Aug 2017 17:26:25 -0400


On 11 Aug 2017, at 15:47, Jan Iven wrote:

> On 11/08/17 21:39, Garance A Drosehn wrote:
>>
>> Ah, thanks!  I had guessed that it might be his PGP key that I
>> needed, but the only keyserver that my GPG Keychain application
>> searches is hkp://keys.gnupg.net, and his key did not show up
>> there.
>>
>> Hmm.  Actually keys.gnupg.net *does* know about his key, but did
>> not show it to me because it lists the key as expired, and I had
>> the key-search avoid any keys which are revoked or expired.
>> [...]
>>
>> And when I run the source-rpm through rpm with that key, I still
>> see the warning "... Signature, key ID 9e590f86: NOKEY".
>>
>> It often takes me multiple times to do anything with PGP keys, so
>> maybe I'm still doing something wrong here?  Especially since I'm
>> getting the message "Oops: keyid_from_fingerprint: no pubkey" .
>
>
> I think you'll need to download the ASCII version of his public
> key, and provide the file to "rpmkeys --import".

That is basically what I did, except I did it through the program
that https://gpgtools.org provides for macOS, called GPG Keychain.
That has worked for other keys that I've added to my pubring.

Also, once I told GPG Keychain to show me keys which have expired, then
I could find the same key through hkp://keys.gnupg.net.  And after
updating the key from hkp://keys.gnupg.net, the result was the same.

> But please note that while verifying source integrity is a good
> idea, you do not need to install the source RPM. You download
> (+verify: "rpmkeys --checksig") + recompile it, and the resulting
> binary RPMs will not be signed (unless you sign them yourself).

I'm not looking to sign the binary RPMs (although I should learn
to do that!).  I just want to be sure that the source RPM that I
downloaded really is the one that OpenAFS.org has released.  And
that someone hasn't replaced it with a different source RPM which
*they* signed with *their* PGP key.

I'm not sure why, but today I got to thinking that I should be more
paranoid about verifying the PGP key, as long as someone is
taking the trouble to sign it.  I tried the above verify command,
and the output is:

   rpmbuild/SRPMS/openafs-1.6.21-1.el7.src.rpm: sha1 md5 OK

But I *think* that just tells me that the RPM is the same as it
was when it was signed.  But it doesn't tell me who signed it.

Apologies for all the extra noise here.  It may be that I am
not understanding something about RPMs which is very obvious
to anyone who has more experience with Linux than I do.

Also, FWIW, I'm using the source RPM to build for RHEL7, not CentOS.
I'm trying to generate new binary RPMs for the new RHEL7 kernel
that Red Hat released last week.  And I'm having no trouble creating
those RPMs, but today I got to thinking that my first step should
be to verify the source RPM that I start out with.  Not just that the
digests are valid, but that I know who it was that signed the RPM.

(FWIW, at this point I have generated the new binary RPMs, and
 they are working fine with the new RHEL7 kernel 3.10.0-693.)

Thanks again for the replies.

-- 
Garance Alistair Drosehn                =     drosih@rpi.edu
Senior Systems Programmer               or   gad@FreeBSD.org
Rensselaer Polytechnic Institute;             Troy, NY;  USA
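The question left open in the message above is "the digests check out, but who signed it?". Two facts about rpm answer most of it. First, rpm does not read GnuPG's keyring: importing a key into GPG Keychain (which writes ~/.gnupg) does nothing for rpm, which keeps its own trusted keys as gpg-pubkey-* packages in the rpm database (list them with `rpm -qa gpg-pubkey*`), so the ASCII-armored key has to go through `rpmkeys --import` as Jan suggested. Second, the signer's key ID is stored inside the package itself, in the RPM signature header as an ordinary OpenPGP signature packet, so it can be read out before any key is trusted, with `rpm -qp --qf '%{SIGPGP:pgpsig}\n' pkg.src.rpm` or with the verbose `rpmkeys --checksig -v` (same as `rpm -Kv`), which prints one line per signature with its key ID followed by OK or NOKEY. The following is an added example, not code from the thread or from the OpenAFS project: it parses the RPM lead and signature header and the OpenPGP signature packets inside it, and reports the issuer key ID for each signature present, offline and without rpm installed. The `build_sample_rpm` fixture and the key ID `0123456789abcdef` it embeds are constructed for the example and are not a real OpenAFS package or key.

```python
# Added example (not OpenAFS or thread code): read the signer's OpenPGP key ID straight
# out of an RPM's signature header, offline, without rpm or the signer's public key.
import struct

LEAD_MAGIC, LEAD_SIZE = b"\xed\xab\xee\xdb", 96      # RPM lead: 96 bytes, starts with magic
HEADER_MAGIC, RPM_BIN_TYPE = b"\x8e\xad\xe8\x01", 7  # header magic+version; BIN data type
# Signature-header tags that carry OpenPGP signature packets (rpm's rpmtag.h)
SIG_TAGS = {1002: "RSA/PGP (header+payload)", 1005: "DSA/GPG (header+payload)",
            267: "DSA (header only)", 268: "RSA (header only)"}

def parse_header(blob, off):
    """Parse the rpm header structure at `off`; return ({tag: bytes} for BIN entries, end)."""
    if blob[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad header magic at offset %d" % off)
    nindex, hsize = struct.unpack(">II", blob[off + 8:off + 16])
    idx, entries = off + 16, {}
    store = idx + 16 * nindex                      # data store follows the 16-byte index entries
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(">IIII", blob[idx + 16 * i:idx + 16 * i + 16])
        if typ == RPM_BIN_TYPE:                    # for BIN entries `count` is the byte length
            entries[tag] = blob[store + doff:store + doff + count]
    return entries, store + hsize

def pgp_packet_body(pkt):
    """Split an old-format OpenPGP packet (RFC 4880 4.2.1) into (tag, body)."""
    ctb = pkt[0]
    if not ctb & 0x80 or ctb & 0x40:
        raise ValueError("not an old-format OpenPGP packet")
    tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
    if ltype == 3:
        raise ValueError("indeterminate-length packet")
    hl = (2, 3, 5)[ltype]                          # 1-, 2- or 4-byte length field after the CTB
    n = int.from_bytes(pkt[1:hl], "big")
    return tag, pkt[hl:hl + n]

def subpacket_len(area, i):
    """Subpacket length (RFC 4880 5.2.3.1); returns (length, length-field octets)."""
    b0 = area[i]
    if b0 < 192:
        return b0, 1
    if b0 < 255:
        return ((b0 - 192) << 8) + area[i + 1] + 192, 2
    return int.from_bytes(area[i + 1:i + 5], "big"), 5

def issuer_from_signature(pkt):
    """Return (version, pubkey_algo, hash_algo, issuer_keyid_hex) of a signature packet."""
    tag, body = pgp_packet_body(pkt)
    if tag != 2:
        raise ValueError("packet tag %d is not a signature" % tag)
    ver = body[0]
    if ver == 3:   # v3 layout: ver, 0x05, sigtype, time[4], keyid[8], pkalg, hashalg, ...
        return 3, body[15], body[16], body[7:15].hex()
    if ver != 4:
        raise ValueError("unsupported signature version %d" % ver)
    pkalg, hashalg, pos = body[2], body[3], 4
    for _ in range(2):                             # hashed area, then unhashed area
        area_len = int.from_bytes(body[pos:pos + 2], "big")
        area, pos = body[pos + 2:pos + 2 + area_len], pos + 2 + area_len
        i = 0
        while i < len(area):
            n, hl = subpacket_len(area, i)
            if area[i + hl] & 0x7F == 16:          # Issuer subpacket: 8-byte key ID
                return 4, pkalg, hashalg, area[i + hl + 1:i + hl + n].hex()
            i += hl + n
    raise ValueError("v4 signature carries no Issuer subpacket")

def rpm_signers(blob):
    """Map each signature present in the RPM to (version, pk algo, hash algo, key ID)."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    sig, _ = parse_header(blob, LEAD_SIZE)
    return {SIG_TAGS[t]: issuer_from_signature(sig[t]) for t in SIG_TAGS if t in sig}

def short_keyid(keyid_hex):
    """Low 32 bits of the key ID, the form 'rpm -Kv' prints (e.g. 9e590f86)."""
    return keyid_hex[-8:]

def build_sample_rpm(keyid_hex):
    """Constructed fixture, not a real package: lead + signature header with one v4
    RSA/SHA1 header-only signature (tag 268) whose Issuer subpacket is `keyid_hex`."""
    hashed = bytes([5, 2]) + b"\x59\x8e\x00\x00"                 # creation-time subpacket (dummy)
    unhashed = bytes([9, 16]) + bytes.fromhex(keyid_hex)          # Issuer subpacket
    body = (bytes([4, 0x00, 1, 2])                                # v4, sigtype 0, RSA(1), SHA1(2)
            + len(hashed).to_bytes(2, "big") + hashed
            + len(unhashed).to_bytes(2, "big") + unhashed
            + b"\xab\xcd" + b"\x00\x08\xff")                      # left16 + 8-bit dummy MPI
    pkt = bytes([0x88, len(body)]) + body                         # old-format tag 2, 1-byte length
    index = struct.pack(">IIII", 268, RPM_BIN_TYPE, 0, len(pkt))
    header = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", 1, len(pkt)) + index + pkt
    return LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4) + header

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_rpm("0123456789abcdef")
    for label, (ver, pk, hsh, kid) in rpm_signers(data).items():
        print("%s: v%d, pubkey algo %d, hash algo %d, key ID %s (short %s)"
              % (label, ver, pk, hsh, kid, short_keyid(kid)))
```

Run it with a real .src.rpm as the argument and compare the reported key ID with the one published by the project; an empty result means the file carries no OpenPGP signature at all, which is a different situation from NOKEY (a signature is present but rpm does not yet trust the key). Reading the key ID this way only tells you who *claims* to have signed the package; the actual verification still has to be done by `rpmkeys --checksig` after the right key has been imported with `rpmkeys --import`, and the key itself should be obtained or cross-checked through a channel other than the download site.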