Hello,

I've a question about the key handling when using rpm --checksig. I assume the key ID is determined by reading the header of the rpm package. But how can I be sure that the key ID in the header is the one I want to check against?

For example, when I get an online update from my vendor it would be nice to have something like "rpm --checksig --keyid <vendor key id> <package>" to be sure the right key from the rpmDB/keyring was used for verification. Is something like that available or planned?

Signature checks are done with external programs (pgp, gpg), so when, for example, gpg switches to SHA-1 256 (or above), will there be any problems regarding rpm? So in general, does rpm need to be modified to use alternative message digest algorithms?

Thanks,
Thomas

--
Tom <tom@xxxxxxxxxxxxxxxxxx>
fingerprint = F055 43E5 1F3C 4F4F 9182 CD59 DBC6 111A 8516 8DBF

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/rpm-list
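
An added example, not part of the original post and not rpm's own code: one way to get the effect of the "--keyid" option asked about above is to filter the verbose output of rpm --checksig -v and fail unless every signature line is OK and names the expected key. The output layout, the check_signer function and the sample fingerprint and outputs are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: pin the expected signer when checking an rpm signature.
# Assumed line layout of `rpm --checksig -v` output (varies by rpm version):
#   "Header V3 RSA/SHA256 Signature, key ID 33334444: OK"

# check_signer EXPECTED_FINGERPRINT   (verbose checksig output on stdin)
# Succeeds only if at least one signature line is present, every signature
# line reports OK, and every reported key ID is the tail of the fingerprint.
check_signer() {
    want=$(printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f')
    awk -v want="$want" '
        /Signature, key ID / {
            seen++
            line = tolower($0)
            sub(/.*key id /, "", line)          # leaves "33334444: ok"
            n = index(line, ":")
            id = substr(line, 1, n - 1)
            status = substr(line, n + 1)
            gsub(/[ \t]/, "", status)
            # rpm may print a shortened ID, so compare with the tail of want
            if (length(id) < 8 || length(id) > length(want) ||
                substr(want, length(want) - length(id) + 1) != id) bad++
            if (status != "ok") bad++           # NOKEY, BAD, NOTTRUSTED ...
        }
        END { exit !(seen > 0 && bad == 0) }    # no signature line: fail closed
    '
}

# Constructed sample data (hypothetical vendor fingerprint and outputs).
VENDOR_FPR='AAAA BBBB CCCC DDDD EEEE 0000 1111 2222 3333 4444'
SAMPLE_OK='pkg.rpm:
    Header V3 RSA/SHA256 Signature, key ID 33334444: OK
    Header SHA1 digest: OK
    V3 RSA/SHA256 Signature, key ID 33334444: OK
    MD5 digest: OK'
SAMPLE_OTHER_KEY='pkg.rpm:
    Header V3 RSA/SHA256 Signature, key ID deadbeef: OK
    V3 RSA/SHA256 Signature, key ID deadbeef: OK'

# Real use: rpm --checksig -v pkg.rpm | check_signer "$VENDOR_FPR"
for s in "$SAMPLE_OK" "$SAMPLE_OTHER_KEY"; do
    if printf '%s\n' "$s" | check_signer "$VENDOR_FPR"; then
        echo "accepted"; else echo "rejected"
    fi
done
```

When rpm prints only an 8-hex-digit key ID, this comparison covers just the last 32 bits of the fingerprint, and such short IDs can collide. Keeping only the vendor's key in the keyring used for verification closes that gap.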