On 04/18/2012 10:35 AM, George Machitidze wrote:
> You are right, the package is not signed with a key, but -K says it's fine. RHEL 5 x86_64, up2date, no modifications. Strange...
Yup, rpm's notion of "signature" is not what you might expect: both digests and actual signatures are "signatures" to rpm, and since the package appears intact (i.e. its digest matches the content), 'rpm -K' finds nothing to complain about. To put it another way, 'rpm -K' verifies the items it finds, but it does not require the package to actually be signed in order to pass.

As for the original question of having rpm enforce a "signed packages only" system-wide policy for install/upgrade, it's not possible currently. Rpm does by default check signatures (unless disabled via switches or the _vsflags* configuration) when reading packages, but the only enforcing it does by itself is on explicit signature/digest verify failure (kinda similar to the 'rpm -K' case). Yum does require signed packages if configured to do so, but that won't help the rpm command line.
- Panu -

_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxxxxx
http://lists.rpm.org/mailman/listinfo/rpm-list
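As an added illustration of Panu's point (not code from the thread), the script below tells the two cases apart by inspecting the 'rpm -K' result line itself: it treats a package as signed only when a gpg/pgp item (or, in the newer "digests signatures OK" format of recent rpm releases) was verified, not merely when the digests match. The sample output lines are constructed for this example, and the exact wording of 'rpm -K' output is assumed to match the classic RHEL-era format shown in the comments.

```sh
#!/bin/sh
# Decide whether an 'rpm -K' / 'rpm --checksig' result line shows a real
# OpenPGP signature that verified, as opposed to only intact digests.
# Returns 0 (true) only for a signed package whose verification said OK.
# Assumed output formats (constructed examples, not from the thread):
#   unsigned, intact:    "pkg.rpm: sha1 md5 OK"
#   signed, verified:    "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"
#   signed, key missing: "pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: ...)"
#   rpm >= 4.14 style:   "pkg.rpm: digests signatures OK" / "pkg.rpm: digests OK"
checksig_line_is_signed() {
    line=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    # Any explicit failure (bad signature, missing key, bad digest) is a fail.
    case "$line" in
        *"not ok"*) return 1 ;;
    esac
    # rpm must have reached an OK verdict at the end of the line.
    case "$line" in
        *" ok") ;;
        *) return 1 ;;
    esac
    # Only count it as signed if a signature item was among the verified ones;
    # md5/sha1/sha256 alone are digests and prove integrity, not origin.
    case "$line" in
        *gpg*|*pgp*|*signatures*) return 0 ;;
        *) return 1 ;;
    esac
}

# Real-world wrapper: rpm_is_signed some-package.rpm
# (needs rpm installed; the parser above is what the sample lines exercise)
rpm_is_signed() {
    out=$(rpm -K "$1" 2>/dev/null) || return 1
    checksig_line_is_signed "$out"
}

# Constructed sample lines for trying the parser without rpm present.
UNSIGNED_LINE="foo-1.0-1.x86_64.rpm: sha1 md5 OK"
SIGNED_LINE="foo-1.0-1.x86_64.rpm: (sha1) dsa sha1 md5 gpg OK"
MISSING_KEY_LINE="foo-1.0-1.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#PLACEHOLDER)"
NEW_STYLE_SIGNED="foo-1.0-1.x86_64.rpm: digests signatures OK"
NEW_STYLE_UNSIGNED="foo-1.0-1.x86_64.rpm: digests OK"
```

Used as a pre-install gate (for example `rpm_is_signed pkg.rpm && rpm -Uvh pkg.rpm`), this approximates the "signed packages only" policy the thread notes rpm itself cannot enforce; an unsigned but intact package is rejected even though 'rpm -K' alone would report it as OK.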