> Is there any way to fully encapsulate gpg keychecking? As in, have yum
> always check gpg signatures and never tell you about it unless they fail
> to match? Or is there something chicken-and-eggish about this...

Chicken-and-eggish.

1. you don't know which keys to trust
2. you don't know where to get the keys necessarily
3. you never know what whack stuff gets installed.

> Forgive me if it already does this.
>
> As for output in yum list, a column with Y/N/NA in it for yes, gpg key
> checks, no it fails, or not applicable, no key available might be a
> decent option to have, as might a flag to tell it to list only packages
> whose key is n,na, or just n. Those commands might play a useful role
> in a security audit or a what's wrong with this damn system audit,
> presuming of course that one can trust yum itself on a compromised
> system.

Can't happen if you look at anaconda. Anaconda can't check gpg sigs b/c it
would have to know who to ask for the keys, and it can't really do that.

Additionally, we'd have to trust all the pkgs already installed b/c afaict
there is no way to check the gpg sig of a package that is installed.

Right now with rpm 4.2 gpg key importing is trivial. Absolutely trivial. So
there is little excuse for not grabbing a key and using it. Even if yum
doesn't implement 'yum importkey' it's still a trivial operation - literally
one command with rpm.

-sv