[colug-432] subkeys for rpm signing?
R P Herrold
herrold at owlriver.com
Thu Jun 21 18:34:18 EDT 2018
On Thu, 21 Jun 2018, Jeff Frontz wrote:
> Has anyone had luck getting rpm to understand how to import the public
> portion of a subkey for use in verifying signatures?
>
> I can get it to *sign* using a subkey -- but importing the corresponding
> public key results instead in the master/main key's public portion being
> added to the signature database (as indicated by
> rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' )
Based on long-ago conversations with Jeff Johnson, who was then the (third and long-time) maintainer:

1. x.509 keys and the discipline of supporting all variants of public and private key access signing are sufficiently complex that it was not attainable with the engineering resources Red Hat was willing to expend without a patron. It is my recollection that it was 'priced out' for the US Government, who (probably properly) concluded they could do without that full suite.

So, it is probably just not supported.
If one DID want to 'have fun storming the castle', you might want to consider 'is this trip necessary' compared to just generating and protecting (as in inserting it into a TPM HSM, which content in the TPM is in turn accessible only through a sub-key).
A validation that content was signed at a point in time, even seemingly in the present time, was formerly able to be fairly trivially circumvented. A 'hacked' RPM that would validate on compromised content was seen 'in the wild', perhaps a decade ago. [1]
On a running system, it may be harder today to do so on an undetected basis (cgroups, SELinux protections if very tightly configured [and so, not with a stock RHEL / CentOS install]), but it is certainly not impossible.
-- Russ herrold
1. http://www.owlriver.com/projects/packaging/#compromises
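As an added illustration (not part of this thread, nor rpm's or gpg's own code) of why `rpm --import` records the main key's ID rather than the subkey's: a `gpg --export` is one primary-key packet followed by its user-ID, signature and subkey packets, and rpm derives the `gpg-pubkey-<keyid>-<time>` name from the v4 fingerprint and creation time of the primary key packet alone. The key material, timestamps and packet layout below are constructed for the example and are not real keys.

```python
import hashlib
import struct

def mpi(value: int) -> bytes:
    # OpenPGP multi-precision integer: 2-byte bit count, then big-endian magnitude
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")

def key_packet(tag: int, created: int, n: int, e: int) -> bytes:
    # Old-format header with 2-byte length (RFC 4880 4.2.1) around a v4 RSA key body (5.5.2)
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body

def parse_packets(blob: bytes):
    # Yield (tag, body) for old-format packets, the header style gpg uses for key packets;
    # indeterminate-length headers (length type 3) are out of scope here
    pos = 0
    while pos < len(blob):
        ctb = blob[pos]
        if ctb & 0xC0 != 0x80:
            raise ValueError("only old-format packet headers are handled here")
        tag, lsize = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]
        length = int.from_bytes(blob[pos + 1:pos + 1 + lsize], "big")
        yield tag, blob[pos + 1 + lsize:pos + 1 + lsize + length]
        pos += 1 + lsize + length

def fingerprint(body: bytes) -> bytes:
    # v4 fingerprint: SHA-1 over 0x99, two-byte body length, body (RFC 4880 12.2)
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).digest()

def rpm_pubkey_name(blob: bytes) -> str:
    # rpm builds NAME-VERSION-RELEASE from the *primary* key packet (tag 6): low 32 bits
    # of its key ID, then its creation time, both lowercase hex; subkeys (tag 14) are skipped
    for tag, body in parse_packets(blob):
        if tag == 6:
            created = struct.unpack(">I", body[1:5])[0]
            return f"gpg-pubkey-{fingerprint(body)[-4:].hex()}-{created:08x}"
    raise ValueError("no primary public key packet found")

# Constructed sample (hypothetical, not real keys): toy RSA primary key plus one signing subkey
CREATED = 0x5B2BFB4E  # a June 2018 timestamp chosen for the example
PRIMARY = key_packet(6, CREATED, 0xC0FFEE1234567891, 65537)
SUBKEY = key_packet(14, CREATED + 60, 0xDEADBEEF98765433, 65537)
EXPORTED_KEY = PRIMARY + SUBKEY  # what `gpg --export` hands to `rpm --import`, minus uid/sig packets

if __name__ == "__main__":
    for tag, body in parse_packets(EXPORTED_KEY):
        print(f"packet tag {tag:2d}: key ID {fingerprint(body)[-8:].hex()}")
    print(rpm_pubkey_name(EXPORTED_KEY))  # always the primary key's ID, never the subkey's
```

Run against a real export (`gpg --export KEYID > key.gpg`), `rpm_pubkey_name(open("key.gpg", "rb").read())` should match the NAME-VERSION-RELEASE that `rpm -q gpg-pubkey` shows after importing that file.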