Is package metadata stored in DB signed or not?




I have a question about the security of installed package metadata. The
idea is to use rpm -V for a security audit, and I need to understand whether
the file checksums in the rpm database can be trusted. I don't know exactly
what metadata is signed inside the package, or whether this signature is
stored after package installation. If the database keeps only unsigned
checksums, they can be altered, and rpm -V cannot be considered
suitable for our purposes.

       Dmitry Mikhirev

Attachment: pgpTu6WFXy4iV.pgp
Description: OpenPGP digital signature

Rpm-list mailing list
