Force RPM to check GPG key

George Machitidze giomac at gmail.com
Thu Apr 19 09:10:37 UTC 2012


Thank you Panu!

Best regards,
George Machitidze


On Wed, Apr 18, 2012 at 5:40 PM, Panu Matilainen
<pmatilai at laiskiainen.org> wrote:

> On 04/18/2012 10:35 AM, George Machitidze wrote:
>
>> You are right, the package is not signed with a key, but -K says it's fine. RHEL
>> 5 x86_64, up2date, no modifications. Strange...
>>
>
> Yup, rpm's notion of "signature" is not what you might expect: both
> digests and actual signatures are "signatures" to rpm, and since the
> package appears intact (i.e. its digest matches content), 'rpm -K' finds
> nothing to complain about. To put it another way, 'rpm -K' verifies the
> items it finds, but it does not require the package to be actually signed to
> pass.
>
> As for the original question of having rpm enforce a "signed packages only"
> system-wide policy for install/upgrade, it's not possible currently. Rpm
> does by default check signatures (unless disabled via switches or the
> _vsflags* configuration) when reading packages, but the only enforcing it
> does by itself is on explicit signature/digest verify failure (kinda
> similar to the 'rpm -K' case). Yum does require signed packages if
> configured to do so, but that won't help the rpm command line.
>
>        - Panu -
>
> _______________________________________________
> Rpm-list mailing list
> Rpm-list at lists.rpm.org
> http://lists.rpm.org/mailman/listinfo/rpm-list
>
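The distinction Panu draws above (digests prove a package is intact, only an OpenPGP signature tag proves someone vouched for it, and 'rpm -K' passes on the former alone) can be made concrete by reading the RPM signature header directly. The following is an added example written for this page; it is not code from the thread or from the rpm project. It assumes the RPM lead/header layout and the signature tag numbers from rpm's rpmtag.h (DSAHEADER 267, RSAHEADER 268, SHA1HEADER 269, SHA256HEADER 273, PGP 1002, MD5 1004, GPG 1005); the two sample packages are constructed in memory, and the RSA "signature" bytes in the second one are placeholder bytes, not a real OpenPGP packet. The check answers only whether a signature is present at all, which is the policy rpm itself does not enforce; validating it is still rpm's job.

```python
import hashlib
import struct

# On-disk constants from rpm's lead/header format and rpmtag.h (assumed
# from rpm's headers, not taken from the mailing-list post).
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
RPM_LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header-structure magic + version 1
RPM_STRING_TYPE, RPM_BIN_TYPE = 6, 7

# Signature-header tags. A digest only proves the file is intact; only an
# OpenPGP signature tag proves a key holder vouched for it.  'rpm -K' is
# satisfied by the first group alone, which is the case from the thread.
DIGEST_TAGS = {269: "SHA1HEADER", 273: "SHA256HEADER", 1004: "MD5"}
SIGNATURE_TAGS = {267: "DSAHEADER", 268: "RSAHEADER", 1002: "PGP", 1005: "GPG"}


def parse_signature_tags(blob):
    """Walk the signature header of an RPM blob and return {tag: raw data}."""
    if blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    hdr = RPM_LEAD_SIZE                      # signature header follows the lead
    if blob[hdr:hdr + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", blob[hdr + 8:hdr + 16])
    index = hdr + 16                         # 16-byte index entries start here
    store = index + 16 * nindex              # data store follows the index
    if len(blob) < store + hsize:
        raise ValueError("truncated signature header")
    tags = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">IIII", blob[index + 16 * i:index + 16 * (i + 1)])
        if off > hsize:
            raise ValueError("index entry points outside the data store")
        data = blob[store + off:store + hsize]
        if typ == RPM_STRING_TYPE:
            data = data.split(b"\0", 1)[0]   # NUL-terminated string
        elif typ == RPM_BIN_TYPE:
            data = data[:count]              # count is the byte length
        tags[tag] = data
    return tags


def classify(blob):
    """'signed' if an OpenPGP signature tag is present, 'digest-only' if only
    digests are, 'none' otherwise.  Presence only; validity is rpm's job."""
    tags = parse_signature_tags(blob)
    if tags.keys() & SIGNATURE_TAGS.keys():
        return "signed"
    if tags.keys() & DIGEST_TAGS.keys():
        return "digest-only"
    return "none"


def require_signed(blob):
    """The 'signed packages only' gate the post says rpm itself lacks."""
    verdict = classify(blob)
    if verdict != "signed":
        raise PermissionError("refusing unsigned package (%s)" % verdict)
    return True


# --- Constructed fixtures: minimal RPM blobs built in memory -----------------

def build_rpm(entries):
    """Lead + signature header holding (tag, type, data) entries. No main
    header or payload follows; the parser never reads past the sig header."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0])             # lead format 3.0
            + struct.pack(">HH", 0, 1)                  # binary package, arch 1
            + b"demo-1.0-1".ljust(66, b"\0")            # package name field
            + struct.pack(">HH", 1, 5)                  # os 1, header-style sigs
            + b"\0" * 16)                               # reserved
    index, store = b"", b""
    for tag, typ, data in entries:
        count = len(data) if typ == RPM_BIN_TYPE else 1
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data if typ == RPM_BIN_TYPE else data + b"\0"
    header = (HEADER_MAGIC + b"\0" * 4
              + struct.pack(">II", len(entries), len(store)) + index + store)
    header += b"\0" * (-len(header) % 8)                # sig header is 8-byte aligned
    return lead + header


# Fake package contents (constructed); the digests are real digests of it,
# the RSA bytes are a placeholder and would not verify against any key.
_PAYLOAD = b"constructed header+payload bytes"
_MD5 = hashlib.md5(_PAYLOAD).digest()
_SHA1 = hashlib.sha1(_PAYLOAD).hexdigest().encode()
_FAKE_RSA_SIG = b"\x89\x01\x0c" + b"\x00" * 13

# Intact but unsigned: the package from the thread that 'rpm -K' calls OK.
DIGEST_ONLY_RPM = build_rpm([(1004, RPM_BIN_TYPE, _MD5), (269, RPM_STRING_TYPE, _SHA1)])
# The same package carrying an RSA header-signature tag as well.
SIGNED_RPM = build_rpm([(1004, RPM_BIN_TYPE, _MD5), (269, RPM_STRING_TYPE, _SHA1),
                        (268, RPM_BIN_TYPE, _FAKE_RSA_SIG)])

if __name__ == "__main__":
    for name, blob in (("digest-only", DIGEST_ONLY_RPM), ("signed", SIGNED_RPM)):
        print(name, "->", classify(blob), sorted(parse_signature_tags(blob)))
```

On a real file, `classify(open(path, "rb").read())` gives the same verdict; `rpm -qp --qf '%{SIGPGP:pgpsig} %{SIGGPG:pgpsig} %{RSAHEADER:pgpsig} %{DSAHEADER:pgpsig}\n' pkg.rpm` asks rpm the same question from the command line. Either way this is the presence check, to be followed by `rpm -K` with the vendor key imported; on the yum side the equivalent policy is `gpgcheck=1` in yum.conf, which is the "configured to do so" Panu mentions.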

