Re: Force RPM to check GPG key

On 04/18/2012 10:35 AM, George Machitidze wrote:
You are right, the package is not signed with a key, but -K says it's fine. RHEL 5 x86_64, up2date, no modifications. Strange...

Yup, rpm's notion of "signature" is not what you might expect: both digests and actual signatures are "signatures" to rpm, and since the package appears intact (i.e. its digest matches the content), 'rpm -K' finds nothing to complain about. To put it another way, 'rpm -K' verifies the items it finds, but it does not require the package to be actually signed to pass.

As for the original question of having rpm enforce a "signed packages only" policy for install/upgrade, it's not possible currently. Rpm does by default check signatures (unless disabled via switches or the _vsflags* configuration) when reading packages, but the only enforcing it does by itself is on explicit signature/digest verify failure (kinda similar to the 'rpm -K' case). Yum behaves somewhat differently though.

	- Panu -
_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxxxxx
http://lists.rpm.org/mailman/listinfo/rpm-list
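The distinction Panu draws (digest-only items satisfy 'rpm -K' just as well as real signatures) can be made visible by reading the verbose output instead of the one-word verdict. The script below is an added example, not code from the thread or from the rpm project; it assumes the two line formats 'rpm -Kv' is known to print for signature items ("... signature: OK, key ID ..." on rpm 4.4 and "... Signature, key ID ...: OK" on rpm 4.8 and later), and the sample output it runs on is constructed.

```shell
#!/bin/sh
# Classify 'rpm -Kv' output read on stdin.
# Exit status: 0 = a GPG signature item was present and verified OK
#              1 = package is intact but carries no signature (digests only)
#              2 = some signature or digest item failed (BAD, NOKEY, NOTTRUSTED)
# Assumption: signature items contain the word "signature"; digest items do not.
classify_rpm_kv() {
    sig=0
    fail=0
    while IFS= read -r line; do
        # Normalise case: rpm 4.4 prints "signature", rpm >= 4.8 "Signature".
        l=$(printf '%s' "$line" | tr 'A-Z' 'a-z')
        case "$l" in
            *": bad"*|*nokey*|*nottrusted*) fail=1 ;;   # checked first: "nokey" contains "ok"
            *signature*": ok"*)             sig=1 ;;    # matches both old and new layouts
        esac
    done
    [ "$fail" -eq 1 ] && return 2
    [ "$sig" -eq 1 ] && return 0
    return 1
}

# Wrapper for a real package file; requires rpm on the host.
# (Hypothetical helper name; 'rpm -Kv' itself is the real command.)
check_rpm_signed() {
    rpm -Kv -- "$1" | classify_rpm_kv
}

# Constructed sample of 'rpm -Kv' output for the case in the thread:
# every item verifies OK, yet no signature item exists at all.
sample_unsigned='    Header SHA1 digest: OK (0123abcd)
    MD5 digest: OK (4567ef01)'

if printf '%s\n' "$sample_unsigned" | classify_rpm_kv; then
    echo "signed and verified"
else
    case $? in
        1) echo "intact but UNSIGNED (rpm -K would still say OK)" ;;
        *) echo "signature or digest verification FAILED" ;;
    esac
fi
```

Only the exit status 0 path should be accepted by an install gate; status 1 is exactly the "rpm -K says OK" package from the report.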

