Tags: c, linux, redhat, rpm

librpm - How to verify the signature key of an installed package


I would like to programmatically check if an RPM package is (1) signed (has a signature) and (2) the key used to sign it is trusted.

[root]$ rpm -qi setup
Name        : setup
Signature   : RSA/SHA1, Wed 02 Oct 2013 05:15:22 AM MDT, Key ID 0946

[root]$ rpm -qi testing
Name        : testing
Signature   : (none)

I'm browsing the librpm API but I don't see any public methods allowing signature verification on already installed packages.

# This requires a file descriptor
rpmcli.h:rpmVerifySignatures

# This also requires a file descriptor
rpmlib.h:rpmReadPackageFile

Digging further I see:

# This uses a callback `qva_showPackage` which gives (QVA_t, rpmts, Header)
rpmcli.h:rpmcliVerify

But I cannot seem to get RPM tags (RPMTAG_SHA1HEADER) from the Header passed in by the callback. If I could get these tags then it would make sense to call into rpmpgp.h:pgpVerifySig to verify the signature.

Edit:

I see the bulk of the signature verification work is done in a static method, rpmchecksig.c:rpmpkgVerifySigs, which is only available through rpmcli.h:rpmVerifySignatures. But this method requires a file descriptor. Is there a way to get an FD from an already installed package to be able to use this method?


Solution

  • RPM will verify header-only signatures when retrieving from an rpmdb if enabled through various mode-specific %_vsflags* settings. See /usr/lib/rpm/macros for values.

    You will see the verification if you do, say, "rpm -Vvv bash". You can also enable the header-only signature verification on --query (or other) rpm modes by changing specific macros.

    There is a means (but not a specific call) to retrieve the header plaintext, the header-only signature, and the pubkey if you wish to verify externally to rpm.
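The two checks the question asks for (is the installed package signed, and is the signing key one that rpm knows about) can also be answered from the rpm command line without touching librpm. The script below is an added example, not code from the question, the answer or the rpm project: it parses the `Signature` field that `rpm -qi` prints (the same field shown in the question) and looks the short key ID up in the list of keys imported into the rpmdb, which rpm stores as packages named `gpg-pubkey-<low 32 bits of the key ID>-<creation time>`. The `rpm -qi` and `rpm -q gpg-pubkey` text embedded here is constructed sample data with a made-up key ID, so the functions run offline; on a real host you would feed them the live command output as shown in the comment at the end.

```shell
#!/bin/sh
# Constructed sample of `rpm -qi <pkg>` output for a signed package (not from a real host).
SAMPLE_SIGNED='Name        : setup
Version     : 2.8.71
Signature   : RSA/SHA1, Wed 02 Oct 2013 05:15:22 AM MDT, Key ID 0123456789abcdef'

# Constructed sample for an unsigned package, as in the question.
SAMPLE_UNSIGNED='Name        : testing
Signature   : (none)'

# Constructed sample of `rpm -q gpg-pubkey`: the keys imported into the rpmdb.
# rpm names each imported key gpg-pubkey-<last 8 hex digits of key ID>-<creation time>.
SAMPLE_PUBKEYS='gpg-pubkey-89abcdef-52000000
gpg-pubkey-deadbeef-52000001'

# Print the value of the "Signature" field from rpm -qi text ("(none)" when unsigned,
# empty when the field is missing altogether).
sig_field() {
    printf '%s\n' "$1" | sed -n 's/^Signature *: *//p'
}

# Print the lowercase short key ID (last 8 hex digits) from a signature value.
# A key ID shorter than 8 digits is passed through unchanged; it cannot match any
# gpg-pubkey package and therefore ends up classified as an unknown key.
short_keyid() {
    id=$(printf '%s\n' "$1" | sed -n 's/.*Key ID \([0-9A-Fa-f][0-9A-Fa-f]*\).*/\1/p' | tr 'A-F' 'a-f')
    case $id in
        ????????*) id=${id#${id%????????}} ;;
    esac
    printf '%s\n' "$id"
}

# Classify a package from its rpm -qi text ($1) and the imported-key list ($2).
# Prints one of: unsigned | trusted | untrusted-key
# "trusted" here means rpm's own notion of trust: the key has been imported into
# the rpmdb. This checks the key ID the signature claims; it does not verify the
# signature cryptographically, which is what rpm's %_vsflags-controlled checks do.
classify() {
    sig=$(sig_field "$1")
    case "$sig" in
        ''|'(none)') echo unsigned; return 0 ;;
    esac
    kid=$(short_keyid "$sig")
    if [ -n "$kid" ] && printf '%s\n' "$2" | grep -q "^gpg-pubkey-$kid-"; then
        echo trusted
    else
        echo untrusted-key
    fi
}

# Offline demonstration on the constructed samples.
printf 'setup:   %s\n' "$(classify "$SAMPLE_SIGNED" "$SAMPLE_PUBKEYS")"
printf 'testing: %s\n' "$(classify "$SAMPLE_UNSIGNED" "$SAMPLE_PUBKEYS")"

# Live use on a host (assumed invocation, not run here):
#   classify "$(rpm -qi "$PKG")" "$(rpm -q gpg-pubkey)"
```

Because this only inspects the key ID recorded in the header, a package whose header claims a known key but carries a bad or forged signature would still be reported as "trusted"; the cryptographic check remains rpm's job, enabled for the query and verify modes through the %_vsflags* macros the answer refers to, and visible with something like `rpm -Vvv bash`.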