Force RPM to check GPG key
Panu Matilainen
pmatilai at laiskiainen.org
Wed Apr 18 13:40:12 UTC 2012
On 04/18/2012 10:35 AM, George Machitidze wrote:
> You are right, package is not signed with key, but -K says it's fine. RHEL
> 5 x86_64, up2date, no modifications. Strange...
Yup, rpm's notion of "signature" is not what you might expect: both
digests and actual signatures are "signatures" to rpm, and since the
package appears intact (i.e. its digest matches content), 'rpm -K' finds
nothing to complain about. To put it another way, 'rpm -K' verifies the
items it finds, but it does not require the package to be actually signed
to pass.
As for the original question of having rpm enforce a "signed packages
only" system-wide policy for install/upgrade, it's not possible
currently. Rpm does by default check signatures (unless disabled via
switches or the _vsflags* configuration) when reading packages, but the
only enforcing it does by itself is on explicit signature/digest verify
failure (kinda similar to the 'rpm -K' case). Yum does require signed
packages if configured to do so, but that won't help the rpm command line.
- Panu -
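Since 'rpm -K' passes an unsigned-but-intact package, a practitioner who wants the "signed packages only" policy on the rpm command line has to check for the presence of a signature separately. The following is an added example (not from the thread, and not rpm's own tooling): it queries the signature header tags rpm 4.x exposes (SIGPGP, SIGGPG, RSAHEADER, DSAHEADER, each of which rpm prints as "(none)" when absent), refuses any package where every slot is "(none)", and additionally compares the signing Key ID against a site allowlist. The TRUSTED_KEY_IDS variable and the refusal policy are assumptions for the example; the sample query outputs used to exercise the parser are constructed, not captured from a real package.

```shell
#!/bin/sh
# Added example: wrap rpm so that only packages carrying a signature from a
# trusted key get through. Not part of rpm; assumes rpm 4.x header tag names.

# Space-separated, lower-case 16-hex-digit key IDs this site trusts.
# ASSUMPTION for the example: set this from your own key management.
TRUSTED_KEY_IDS=${TRUSTED_KEY_IDS:-}

# Query format that prints every signature slot rpm knows about, one per
# line. rpm prints "(none)" for a slot that is absent from the package.
SIG_QF='%{SIGPGP:pgpsig}\n%{SIGGPG:pgpsig}\n%{RSAHEADER:pgpsig}\n%{DSAHEADER:pgpsig}\n'

# Pure check on rpm's query output: succeed (0) if at least one slot holds
# something other than "(none)" or an empty line, i.e. a signature exists.
sig_output_is_signed() {
    printf '%s\n' "$1" | grep -Eqv '^(\(none\))?$'
}

# Extract the "Key ID xxxxxxxxxxxxxxxx" part of each populated slot,
# normalised to lower case and de-duplicated, one per line.
sig_key_ids() {
    printf '%s\n' "$1" \
        | sed -n 's/.*Key ID \([0-9a-fA-F]*\).*/\1/p' \
        | tr 'A-F' 'a-f' | sort -u
}

# Succeed if the given key ID (any case) is in TRUSTED_KEY_IDS.
key_is_trusted() {
    _kid=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    for _t in $TRUSTED_KEY_IDS; do
        [ "$_kid" = "$_t" ] && return 0
    done
    return 1
}

# Policy gate for one or more .rpm files:
#   1. the package must carry a signature at all (what 'rpm -K' alone does
#      not enforce),
#   2. every signing key must be on the allowlist,
#   3. 'rpm -K' must still pass, so the signature is also cryptographically
#      valid against the imported keys (it fails on a bad or missing key).
require_signed() {
    for pkg in "$@"; do
        out=$(rpm -qp --qf "$SIG_QF" "$pkg") || return 1
        if ! sig_output_is_signed "$out"; then
            echo "REFUSED: $pkg carries no signature" >&2
            return 1
        fi
        for kid in $(sig_key_ids "$out"); do
            if ! key_is_trusted "$kid"; then
                echo "REFUSED: $pkg signed by untrusted key $kid" >&2
                return 1
            fi
        done
        rpm -K "$pkg" || { echo "REFUSED: $pkg failed rpm -K" >&2; return 1; }
    done
    return 0
}

# Usage: TRUSTED_KEY_IDS="<keyid> ..." ./require_signed.sh pkg.rpm && rpm -Uvh pkg.rpm
if [ $# -gt 0 ]; then
    require_signed "$@"
fi
```

The header query is what distinguishes "unsigned" from "signed"; 'rpm -K' is kept as the last step because it is the only part that actually verifies the signature, whereas the query only proves one is present and names the key. Note that this is a wrapper, not the system-wide enforcement asked about in the thread: anyone running rpm directly bypasses it.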