A cast of thousands.... wrote:

Most people think that yes is the right answer.  The question is how to
get there without compromising the RH key management and slowing the
process.

> > > If Red Hat can use one of these methods, they can easily do both (it
> > > seems).
.....
> Since rawhide has some unsigned packages I like to know which packages
> are not signed and I sign them with my key (so yum always has
> "gpgcheck=1"):
> I mirror rawhide in the i386 directory with rsync, and then I sign
> packages that miss gpg.
> Note, I don't sign (that is, change) any package in the i386 directory
> (rsync does not like this).

The comment about rsync is interesting.

The question may be: How does rsync like a package being signed or,
better yet, resigned at some later time?

As I understand it the gpg signature is a modest structure, and
resigning an rpm does not so badly mess up a file that rsync cannot
optimize the change, as long as the keys have the same length.

To test, I picked on something big and network-rude to change and test.

Thus...

Grab the original and make a copy.

  $ cp /var/spool/up2date/openoffice.org-1.1.2-10.fc2.src.rpm .
  $ ls -l up2date/openoffice.org-1.1.2-10.fc2.src.rpm
  .... 179025625 Oct 22 09:04 openoffice.org-1.1.2-10.fc2.src.rpm
  $ cp openoffice.org-1.1.2-10.fc2.src.rpm bar.rpm

Now resign the original.

  $ rpm --resign openoffice.org-1.1.2-10.fc2.src.rpm
  Enter pass phrase:
  Pass phrase is good.
  openoffice.org-1.1.2-10.fc2.src.rpm:

Now compare the two files.

  $ cmp -l openoffice.org-1.1.2-10.fc2.src.rpm bar.rpm | wc
      108     324    1944

Looking at the output of cmp, bytes 231--417 change.

Check, and rpm does the expected.

  $ rpm -Kv openoffice.org-1.1.2-10.fc2.src.rpm bar.rpm
  openoffice.org-1.1.2-10.fc2.src.rpm:
      Header V3 DSA signature: NOKEY, key ID 0f31a698
      Header SHA1 digest: OK (2d788eccf1c994a88303fbc9a3e4efbed3d1525a)
      MD5 digest: OK (1f472d22bc7042d386fb603babbadee7)
      V3 DSA signature: NOKEY, key ID 0f31a698
  bar.rpm:
      Header V3 DSA signature: OK, key ID 4f2a6fd2
      Header SHA1 digest: OK (2d788eccf1c994a88303fbc9a3e4efbed3d1525a)
      MD5 digest: OK (1f472d22bc7042d386fb603babbadee7)
      V3 DSA signature: OK, key ID 4f2a6fd2

This tells me that any personal package builder key can be used, and
later the dude with the big key can resign the packages with little
network impact.  Unimported keys like mine will look like the NOKEY
lines above.  SHA1 header is a constant, as is MD5.

Later in the day or on Monday morning.... The guy with the big key ring
can verify that the package was signed by someone he knows and resign
it with a famous rawhide key.

This way all packages will always be signed.
This way the famous RH rawhide key has a very short list of keepers.
This way modest changes by resigning can be propagated by rsync.
This way packages can get signed by RH eventually.

Those of us that are impatient can install a package --nosig as we do
today, even if the engineer signatures are not published.

What did I miss, beyond the detail that not all the world uses rsync
for mirrors?

-- 
T o m   M i t c h e l l
May your cup runneth over with goodness and mercy
and may your buffers never overflow.
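As an added illustration of why the resign above touches so few bytes (this is not part of Tom's post or of rpm itself), here is a small Python sketch that parses the RPM lead and signature header, summarises differing byte runs the way one would read `cmp -l` output, and checks that a resigned copy differs only inside the signature header. The sample file is constructed inline; the lead/header layout assumes the RPM v3 on-disk format, and the tag numbers (1000 SIZE, 1005 GPG, 1000 NAME in the main header) follow rpm's tag lists.

```python
import struct
LEAD_LEN = 96                    # fixed-size RPM lead precedes the signature header
HDR_MAGIC = b"\x8e\xad\xe8\x01"  # header-structure magic, version 1

def build_header(entries):
    """Serialise a header structure: intro, 16-byte index entries, data store."""
    index, store = b"", b""
    for tag, typ, datum in entries:
        index += struct.pack(">IIII", tag, typ, len(store), 1)
        store += datum
    return HDR_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store)) + index + store

def build_rpm(sig_entries, payload):
    """Constructed RPM-like blob: lead, padded signature header, stub main header, payload."""
    lead = b"\xed\xab\xee\xdb\x03\x00" + struct.pack(">HH", 1, 1)
    lead += b"example-1.0-1".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16
    sig = build_header(sig_entries)
    sig += b"\0" * (-len(sig) % 8)                  # signature header is padded to 8 bytes
    main = build_header([(1000, 6, b"example\0")])  # RPMTAG_NAME as a STRING
    return lead + sig + main + payload

def sig_header_span(data):
    """(start, end) of the padded signature header, read from the file itself."""
    if data[LEAD_LEN:LEAD_LEN + 4] != HDR_MAGIC:
        raise ValueError("no signature header after the lead")
    nindex, hsize = struct.unpack(">II", data[LEAD_LEN + 8:LEAD_LEN + 16])
    end = LEAD_LEN + 16 + 16 * nindex + hsize
    return LEAD_LEN, end + (-end % 8)

def changed_ranges(a, b):
    """Inclusive runs of differing offsets: a summary of what `cmp -l` prints."""
    diffs = [i for i, (x, y) in enumerate(zip(a, b)) if x != y]
    ranges = []
    for i in diffs:
        if ranges and ranges[-1][1] == i - 1:
            ranges[-1] = (ranges[-1][0], i)   # extend the current run
        else:
            ranges.append((i, i))             # start a new run
    return ranges

def resign_touches_only_signature(orig, resigned):
    """True when sizes match and every changed byte sits inside the signature header."""
    if len(orig) != len(resigned):
        return False
    lo, hi = sig_header_span(orig)
    return all(lo <= s and e < hi for s, e in changed_ranges(orig, resigned))
# Constructed sample: same payload, signature header differing only in the GPG blob.
PAYLOAD = b"\x1f\x8b" + b"A" * 200                      # stand-in for the gzip'd cpio archive
SIZE_ENTRY = (1000, 4, struct.pack(">I", len(PAYLOAD)))  # RPMSIGTAG_SIZE as INT32
ORIGINAL = build_rpm([SIZE_ENTRY, (1005, 7, b"\x11" * 65)], PAYLOAD)  # RPMSIGTAG_GPG as BIN
RESIGNED = build_rpm([SIZE_ENTRY, (1005, 7, b"\x22" * 65)], PAYLOAD)  # different 65-byte sig
```

Run against a real package and its `rpm --resign` output, the same check tells you whether a mirror delta is a harmless re-signature or a change to headers or payload that deserves a closer look.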