Force RPM to check GPG key

Greg Swift gregswift at gmail.com
Tue Apr 17 13:38:23 UTC 2012


I figured that would be the case.

JJ just told me that --checksig only gets run separate from --install,
which seemed kinda silly to me until he pointed out that this is
because rpm is configured by default to check headers+payload against
signature if possible.

So by default it is supposedly doing this already, it is just an 'if
possible' scenario.  So if you don't have a key to verify against it
just moves forward, would be my understanding.

I did look in `rpm --showrc` for any value that might seem to force
this but was unable to locate one (I didn't look at each value, just
tried several greps). JJ suggested I dig through /usr/lib/rpm/macros
and in there I found vsflags. The default value is 0xf0000 which
means if set, check header+payload (if possible). If you look in this
file you can see the options and if you have a better config you can
set it in a macro file over in /etc/rpm. Would have been nice if the
variable name was a bit more descriptive for the sake of grep but such
is life I guess.

-greg

On Tue, Apr 17, 2012 at 08:14, George Machitidze <giomac at gmail.com> wrote:
> Thanks
>
> I need to have this option by default without adding command line option to
> rpm. yum is checking for GPG key by default in case gpgcheck is not set to
> 0.
> Maybe it's possible through rpmrc, but I couldn't find option for that.
>
> Best regards,
> George Machitidze
>
>
> On Tue, Apr 17, 2012 at 5:09 PM, Greg Swift <gregswift at gmail.com> wrote:
>>
>> On Tue, Apr 17, 2012 at 07:43, George Machitidze <giomac at gmail.com> wrote:
>> > Hi
>> >
>> > I want to force rpm during the package update or install to check if RPM
>> > package is signed (public key is imported).
>> > Is there a safe way to do this?
>>
>> So you can add -K|--checksig to your installation command if using rpm
>> directly (ie: rpm -ivhK package.rpm)
>>
>> I don't know how one would force that as a system wide configuration
>> option. Setting it as an alias doesn't seem to work because of other
>> non install related commands not liking their options after the -K.
>>
>> With yum you can set a repository to gpgcheck=1 which will force it
>> unless manually disabled.
>> _______________________________________________
>> Rpm-list mailing list
>> Rpm-list at lists.rpm.org
>> http://lists.rpm.org/mailman/listinfo/rpm-list
>
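
Because the default discussed above only checks "if possible", one way to fail closed is to gate the install on the result line of `rpm --checksig`. This is an added example, not part of the original thread: `sig_verified` and `checked_install` are hypothetical helper names, and the sample result lines in the comments are constructed to follow rpm's convention of lowercase tokens for items that verified.

```shell
#!/bin/sh
# Constructed sample result lines (not captured from a real system):
#   pkg.rpm: (sha1) dsa sha1 md5 gpg OK      signed, key imported  -> accept
#   pkg.rpm: digests signatures OK           newer rpm wording     -> accept
#   pkg.rpm: sha1 md5 OK                     unsigned, digests only -> reject
#   pkg.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#00000000)
#                                            key not imported      -> reject

# sig_verified LINE
# Succeeds only when the --checksig result line reports a signature that was
# actually verified, not merely digests that matched.
sig_verified() {
    result=${1#*: }                 # drop the "package.rpm: " prefix
    case $result in
        *"NOT OK"*) return 1 ;;     # bad digest/signature or missing key
        *" OK") ;;                  # overall pass, inspect the tokens below
        *) return 1 ;;              # unrecognised output: fail closed
    esac
    # Digest-only passes prove integrity, not origin, so require a lowercase
    # signature token in the list of checks that succeeded.
    for word in $result; do
        case $word in
            gpg|pgp|dsa|rsa|signatures) return 0 ;;
        esac
    done
    return 1
}

# checked_install PACKAGE...
# Refuses the whole transaction unless every package has a verified signature.
checked_install() {
    for pkg in "$@"; do
        out=$(LC_ALL=C rpm --checksig "$pkg" 2>/dev/null | tail -n 1)
        if ! sig_verified "$out"; then
            echo "refusing to install $pkg: ${out:-no checksig output}" >&2
            return 1
        fi
    done
    rpm -Uvh "$@"
}
```

The check and the install are two separate reads of the file, so run this only on packages stored where other users cannot replace them in between.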

