dnf trusts revoked public keys #1964
Labels
Priority: LOW
RFE
Request For Enhancement (as opposed to a bug)
Triaged
Someone on the DNF 5 team has read the issue and determined the next steps to take
Comments
|
Yes, it is so. DNF5 uses librpm for processing PGP packets. librpm uses Sequoia. To implement revoking keys in DNF5, the whole chain needs to understand PGP revocations certificates. As far as I know all the libraries only understand key certificates. |
|
This is specifically about a support for https://www.ietf.org/rfc/rfc4880.html#section-5.2.1:
|
ppisar
added
RFE
|
I opened a ticket against RPM rpm-software-management/rpm#3495 to see an opinion of RPM people. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Situation: I maintain a repo and sign it with my GPG key pair. The private key has been compromised, so I want to switch to a new key pair. Users should stop trusting the compromised key.
My actions: I revoke the old key and generate a new key pair. Then I export both public keys and replace the repo pubkey file.
My expectations: dnf imports the new public key and removes the revoked public key if it was imported earlier.
Actual behavior: dnf imports the new public key and does not touch the revoked public key if it was imported earlier. If the revoked key was not imported, it also imports this key.
The text was updated successfully, but these errors were encountered: