Replace gpgme by another Open PGP implementation

[j-mracek]

DNF5 indirectly requires gpgme thru librepo.

We use for GPG verification RPM API but additionally to that we need some features from GPG me

We verify RPMs and repository metadata

RPMs workflow

No planned changes in comparison to DNF4
Check RPM using GPG key from RPMDB, if it failed import new key and try again

Repository metadata workflow

We can improve user experience by using imported keys from RPM DB
Check metadata using GPG key from local user specific per repository location, if it failed check metadata using GPG key from rpm DB , if it failed import new key to local user specific location and try again with that source.

The question is whether gpg keys should be shared for all repositories in single key ring or whether they should live in specific directory like they do now.

• Investigate what is missing in RPM API
• Replace GPGME with RPM API

[m-blaha]

As far as I remember, one thing that is missing in RPM API is ability to extract information about the key (keyid, userid, fingerprint, and URL). This information is then presented to the user with confirmation question whether they want to import the key. So we temporarily used gpgme for this.

[nwalfield]

pgpDigParamsUserID can be used to get the User ID, pgpPubkeyFingerprint returns the fingerprint, and pgpPubkeyKeyID returns the Key ID. I don't know what you are thinking of with "URL." That's not standard, AFAIK.

[m-blaha]

It's quite possible that due to my inexperience with PGP I've called rpm API with incorrect inputs. I'll give it a try again.
As far ad URL is concerned - it's the URL the key was downloaded from. You are right that it's not part of the key itself, we store this info separately.

[jrohel]

Some time ago I extended the API for working with OpenPGP keys of the "librepo" library. It remained backwards compatible.
Then I removed the dependency on "GpgMe" from "libdnf5", instead the new code uses the "librepo" library API.

And now I am rewriting the OpenPGP support in the "librepo" library. I am removing the dependency on "GpgMe". I use library "librpm" instead.

So far I've run into these issues:

• pgpParsePkts function parses only first ascii-armor block OpenPGP: Function pgpParsePkts parses only first ascii-armor block rpm#2487
  I solved it by an ugly but working hack.

• pgpParsePkts function supports only "PGP PUBLIC KEY BLOCK" block. Parsing "PGP SIGNATURE" is needed and missing. OpenPGP: Function pgpParsePkts supports only "PGP PUBLIC KEY BLOCK" block, "PGP SIGNATURE" is needed rpm#2512
  I found it works with "rpm-sequoia" backend, the problem is with internal librpm implementation.

• pgpDigParamsUserID function returns only primary user id. OpenPGP: pgpDigParamsUserID function returns only primary user id. How to get others? rpm#2517
  Please, improve the API so that all user IDs can be retrieved.

• pgpDigParamsUserID return an empty string when "rpm-sequoia" backend is used. Internal "librpm" implementation returns user id.

• I can get key fingerprint using pgpPubkeyFingerprint function.
  But how to get fingerprint of subkey? RFE: Add an API for retrieving subkey fingerprint rpm#2516

• GpgMe provides a lot of information (attributes) about keys/subkeys - revoked, expired, can_sign, ....
  So far we have used can_sign in the librepo library. How to get this information via librpm API? OpenPGP: How to get can_sign info? rpm#2515

[nwalfield]

Hi, @jrohel,

Do you think these are issues with dnf5 or with rpm? If you think the issues are with rpm or rpm-sequoia, then it is probably better to open an issue in that project (and perhaps link to those issues from here). Also, I'd recommend opening a separate issue for each of your issues, and when possible include a reproducer. For instance, you mention that pgpDigParamsUserID returns an empty string when using rpm-sequoia. I took a quick look at the code, and this would happen when you pass an invalid certificate (according to the crypto policy). But, I can't tell if that is your problem. Thanks.

[nwalfield]

Check metadata using GPG key from local user specific per repository location, if it failed check metadata using GPG key from rpm DB , if it failed import new key to local user specific location and try again with that source.

FYI, @pmatilai notes

FWIW, you can already use a custom keyring populated from whatever source you like. Similarly it should be entirely possible to verify arbitrary files with the existing API. It may not be the nicest or sanest API but still, should be possible as-is.

[jrohel]

@nwalfield I wanted to note the status of the GpgMe replacement here. But you're right, I should report issues to the respective projects.