On 04/18/2012 10:35 AM, George Machitidze wrote:
You are right, package is not signed with key, but -K says it's fine. RHEL 5 x86_64, up2date, no modifications. Strange...
Yup, rpm's notion of "signature" is not what you might expect: both digests and actual signatures are "signatures" to rpm, and since the package appears intact (ie its digest matches content), 'rpm -K' finds nothing to complain about. To put it another way, 'rpm -K' verifies the items it finds, but it does not require package to be actually signed to pass.
As for the original question of having rpm enforce "signed packages only" policy for install/upgrade, its not possible currently. Rpm does by default check signatures (unless disabled via switches or the _vsflags* configuration) when reading packages, but the only enforcing it does by itself is on explicit signature/digest verify failure (kinda similar to the 'rpm -K' case). Yum behaves somewhat differently though
- Panu - _______________________________________________ Rpm-list mailing list Rpm-list@xxxxxxxxxxxxx http://lists.rpm.org/mailman/listinfo/rpm-list
