On Fri, 5 Nov 2004, seth vidal wrote:

> > The current model is that they're all the same. Look at our tools; look
> > at yum and up2date. They don't know anything about which key is which,
> > just which key you've said you trust (not even what you trust it for, or
> > how much). The only real difference, and certainly the only one in the
> > minds of the vast majority of our users, is that one comes in rpm's key
> > list by default and one does not.

What is in rpm's key list by default? I thought the user does an explicit 'rpm --import'.

> An RFE for yum has been to provide a list of gpg keyids that are valid
> per-repository.
>
> So then the gpgcheck process would be:
>
> 1. check if the sig exists
> 2. check if the sig is valid
> 3. if both are true, check to see if the keyid matches on the allowed
> keyid for packages from that repo.

A couple of questions here.

- What key is used for this purpose (to sign the metadata)?
- Where does the user store this public key?
- What prevents the clueless users from having the same expectation from a gpg-signed metadata-repo as they have with gpg-signed packages?

thanks,
Satish
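The three-step per-repository check quoted above, written out as an added example (not yum's or rpm's own code). The keyring, the per-repo allow-list and the signature results are constructed data; a real implementation would get the signing keyid and validity from rpm/gpg.

```python
"""Per-repository GPG key policy for package signature checks (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Verdict(Enum):
    OK = "ok"
    NO_SIGNATURE = "no signature"
    BAD_SIGNATURE = "signature invalid"
    UNTRUSTED_KEY = "signing key not in keyring"
    KEY_NOT_ALLOWED_FOR_REPO = "key not allowed for this repository"


@dataclass(frozen=True)
class Package:
    name: str
    repo: str
    sig_keyid: Optional[str]  # keyid from the package signature, None if unsigned
    sig_valid: bool           # cryptographic verification result (constructed here)


# Keys the user has imported: globally trusted, the "current model" in the thread.
# Keyids are constructed placeholders, not real Fedora keys.
KEYRING = {"AAAA1111", "BBBB2222"}

# Hypothetical per-repo allow-list, the RFE discussed in the thread.
REPO_ALLOWED_KEYIDS = {
    "core": {"AAAA1111"},
    "extras": {"BBBB2222"},
}


def gpgcheck(pkg: Package, gpgcheck_enabled: bool = True) -> Verdict:
    """Step 1: signature present; step 2: signature valid (and key known);
    step 3: the signing keyid is one allowed for the package's repository."""
    if not gpgcheck_enabled:
        return Verdict.OK
    if pkg.sig_keyid is None:
        return Verdict.NO_SIGNATURE
    if pkg.sig_keyid not in KEYRING:
        return Verdict.UNTRUSTED_KEY
    if not pkg.sig_valid:
        return Verdict.BAD_SIGNATURE
    allowed = REPO_ALLOWED_KEYIDS.get(pkg.repo)
    # Repo without a per-repo list: fall back to "any trusted key" (today's behaviour).
    if allowed is not None and pkg.sig_keyid not in allowed:
        return Verdict.KEY_NOT_ALLOWED_FOR_REPO
    return Verdict.OK
```

The interesting case is a package from "core" signed with the "extras" key: both keys are trusted in the keyring, so today's model accepts it, while the per-repo list rejects it.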