[Rpm-maint] next question: can rpm fail (instead of warn) on a bad signature?

Paul Nasrat pnasrat at redhat.com
Fri Dec 15 09:38:25 UTC 2006

On Fri, 2006-12-15 at 01:31 -0800, Shandy Brown wrote:
> Thanks Paul.  So I guess I'll have to test rpm -K before I run rpm -Uvh.

And then configure yum to gpgcheck :)

> One more thing, I also want to fail when there is no signature.  But
> when I run rpm -K against a package with no signature, it returns:

rpm signature checking just doesn't work like this.

> /yum-2.0.7-3vmw.noarch.rpm: sha1 md5 OK
> I would have expected a "NOT OK" result here.  Am I doing something
> wrong?

NOT OK will only occur if the file is corrupted - if it is an intact rpm
but unsigned it still has a header digest and a header+payload digest to
verify it's untampered with.  Thus rpm -K tells you this is the rpm
built and intact and the payload and headers are consistent with the
digests.  Obviously it can't reveal anything about the trustability of
the package as it could be anything built and packaged:

cp yum-2.0.7-3vmw.noarch.rpm broken.rpm
echo 'A' >> broken.rpm      # append a byte so the stored digests no longer match
rpm -Kv broken.rpm          # a corrupted file is what produces NOT OK
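The gate Shandy is asking for (refuse to install unless the package is both intact and signed) can be built on top of the one-line `rpm -K` verdict. The script below is an added example, not code from the thread or from rpm itself. It assumes the non-verbose output format of rpm 4.x of this era: lowercase tokens are checks that passed, UPPERCASE tokens are checks that failed, `dsa`/`rsa`/`gpg`/`pgp` tokens only appear when the package actually carries a signature, and the line ends in `OK` or contains `NOT OK`. The sample lines in the comments and in `check_rpm_file`'s caller are constructed for illustration.

```sh
#!/bin/sh
# Pre-install gate on `rpm -K` output (added example; not rpm's own code).
# Assumed rpm 4.x non-verbose verdict format:
#   <file>: <tokens> OK         e.g. "pkg.rpm: (sha1) dsa sha1 md5 gpg OK"   (signed)
#   <file>: <tokens> OK         e.g. "yum-2.0.7-3vmw.noarch.rpm: sha1 md5 OK" (unsigned)
#   <file>: <tokens> NOT OK ... e.g. "broken.rpm: sha1 MD5 NOT OK"          (corrupt)
# lowercase token = check passed, UPPERCASE token = check failed,
# "(GPG)"-style token = signature present but key not available.
#
# Exit status: 0 = signed and every check passed
#              1 = rpm reported NOT OK, or some check could not pass
#              2 = intact but carries no signature at all
#              3 = output not in the format we understand (treat as failure)
check_rpm_k_line() {
    line=$1
    # Strip the leading "<filename>: " to leave only the verdict tokens.
    verdict=$(printf '%s\n' "$line" | sed 's/^[^:]*: //')

    case "$verdict" in
        *"NOT OK"*) return 1 ;;
        *"OK")      ;;          # ends in OK: still need to look for a signature
        *)          return 3 ;;
    esac

    signed=0
    for tok in $verdict; do
        case "$tok" in
            OK)                             ;;
            # Any other uppercase token (DSA, MD5, (GPG), ...) is a check rpm
            # could not pass, including "key missing"; refuse those too.
            *[ABCDEFGHIJKLMNOPQRSTUVWXYZ]*) return 1 ;;
            dsa|rsa|gpg|pgp)                signed=1 ;;
        esac
    done
    [ "$signed" -eq 1 ] || return 2
    return 0
}

# Run the gate against a real file; needs rpm on PATH.  Only the first line
# of rpm's output is the verdict.
check_rpm_file() {
    out=$(rpm -K "$1" 2>&1 | head -n 1)
    check_rpm_k_line "$out"
}

# Usage: sh rpm-gate.sh pkg1.rpm pkg2.rpm ...  then run rpm -Uvh only on exit 0.
if [ "$#" -gt 0 ]; then
    status=0
    for f in "$@"; do
        check_rpm_file "$f"
        rc=$?
        if [ "$rc" -eq 0 ]; then
            echo "PASS $f"
        else
            echo "FAIL $f (rc=$rc)"
            status=1
        fi
    done
    exit "$status"
fi
```

Feed it the plain `rpm -K` line, not the multi-line `rpm -Kv` report, whose layout is different. If the rpm in use supports header query tags for signatures, `rpm -qp --qf '%{SIGGPG:pgpsig}\n' pkg.rpm` (or `%{SIGPGP:pgpsig}`) printing `(none)` is another way to detect a missing signature without parsing verdict text, but the string-parsing gate above has the advantage of also failing on a NOT OK digest.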