[Rpm-maint] next question: can rpm fail (instead of warn) on a bad signature?

Paul Nasrat pnasrat at redhat.com
Fri Dec 15 09:56:11 UTC 2006

On Fri, 2006-12-15 at 09:48 +0000, Paul Nasrat wrote:
> On Fri, 2006-12-15 at 01:45 -0800, Shandy Brown wrote:
> > > NOT OK will only occur if the file is corrupted - if it is an intact rpm
> > > but unsigned it still has a header digest and a header+payload digest to
> > > verify it's untampered with.  Thus rpm -K tells you this is the rpm
> > > built and intact and the payload and headers are consistent with the
> > > digests.
> > 
> > Is there some other method to detect that an rpm file is not signed?
> > 
> > Other than installing it and checking with rpm -qi.
> You can do it programmatically, with --queryformat or use something like
> yum with gpgcheck=1.

The traditional queryformat string used is:

rpm --qf '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|' \
 -qp foo.rpm 

If that returns (none) then it's unsigned.

Using rpmUtils module from yum:

import rpmUtils
import rpmUtils.miscutils
import rpmUtils.transaction   # TransactionWrapper lives in this submodule
t = rpmUtils.transaction.TransactionWrapper()
# read the header of the package (foo.rpm as in the --qf example above)
h = rpmUtils.miscutils.hdrFromPackage(t, 'foo.rpm')

For pure rpm-python, look at how getSigInfo works.
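The same "is there a DSAHEADER/RSAHEADER/SIGGPG/SIGPGP tag" test can be done without rpm or yum installed by reading the signature header of the file directly, which is handy for a build or distribution check that must fail rather than warn. This is an added example, not code from this thread or from rpm; the tag numbers are the RPMSIGTAG values from rpm's rpmtag.h, and the sample packages are constructed fixtures (a lead plus a signature-header index only), not real rpms.

```python
import struct
import sys

LEAD_MAGIC = b"\xed\xab\xee\xdb"          # rpm lead magic, lead is 96 bytes
HEADER_MAGIC = b"\x8d\xad\xe8\x01"        # header structure magic + version 1
# Signature-header tags that carry an OpenPGP signature (rpmtag.h values).
SIGNATURE_TAGS = {267: "DSAHEADER", 268: "RSAHEADER",
                  1002: "SIGPGP", 1005: "SIGGPG"}


def signature_tags(data):
    """Return names of the signature tags found in an rpm's signature header."""
    if len(data) < 96 or data[:4] != LEAD_MAGIC:
        raise ValueError("not an rpm: bad lead magic")
    off = 96                                # signature header follows the lead
    if data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    # header: 8 bytes magic+reserved, 4 bytes nindex, 4 bytes hsize, then
    # nindex 16-byte index entries of (tag, type, offset, count), big-endian
    nindex, = struct.unpack(">I", data[off + 8:off + 12])
    found = []
    for i in range(nindex):
        entry = off + 16 + 16 * i
        tag, = struct.unpack(">I", data[entry:entry + 4])
        if tag in SIGNATURE_TAGS:
            found.append(SIGNATURE_TAGS[tag])
    return found


def is_signed(data):
    return bool(signature_tags(data))


def make_sample(tags):
    """Constructed fixture: a lead and a signature-header index with the given
    tags (type 7 = BIN, no data blob). Enough for the parser above, not a real rpm."""
    lead = LEAD_MAGIC + b"\x03\x00" + b"\x00" * 90
    hdr = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tags), 0)
    index = b"".join(struct.pack(">IIII", t, 7, 0, 1) for t in tags)
    return lead + hdr + index


if __name__ == "__main__":
    # usage: check_sig.py foo.rpm ; exits 1 (fails, not warns) when unsigned
    with open(sys.argv[1], "rb") as f:
        tags = signature_tags(f.read())
    print(", ".join(tags) or "(none)")
    sys.exit(0 if tags else 1)
```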

