Re: Should Fedora rpms be signed?

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



> > An RFE for yum has been to provide a list of gpg keyids that are valid
> > per-repository.
> > 
> > So then the gpgcheck process would be:
> > 
> > 1. check if the sig exists
> > 2. check if the sig is valid
> > 3. if both are true, check to see if the keyid matches on the allowed
> > keyid for packages from that repo.
> 
> A couple of questions here.
> 
> - What key is used for this purpose (to sign the metadata)?
> - Where does the user store this public key?
> - What prevents the clueless users from having the same expecation from
>   a gpg-signed metada-repo as they have with gpg-signed packages?


This is just based on keys in your rpmdb.

The idea is this:

if you have 3 repos available to yum.

They are signed with 3 separate gpg keys. So you've imported all the
keys into your rpmdb. The whole point of the feature I described before
is so you can say:

the only packages I want from this repository are signed with _this_
key. If you get a package from this repository that is signed with any
other key, even if I have that key in my rpmdb, don't trust it.

-sv




[Index of Archives]     [Fedora Desktop]     [Fedora SELinux]     [Photo Sharing]     [Yosemite Forum]     [KDE Users]