[Rpm-maint] [rpm-software-management/rpm] Enforce GPG signatures by default (#1573)

Panu Matilainen notifications at github.com
Tue Mar 9 08:45:41 UTC 2021


Rpm actually already verifies signatures *if present* by default since 4.0 or thereabouts, but it doesn't *require* them. Enforcing is supported since >= 4.14.2 and we also have the bypass-switch (--nosignature) already, so from a strict technical perspective this is just a matter of a one-line change to turn the policy switch to 11 (`%_pkgverify_level all`).

The only thing stopping us is that it breaks the workflow of installing your own local builds - you need to sign or use --nosignature to install. For everything else this is 20 years too late already :sweat_smile: As the average user is not even affected at all... maybe the folks who build packages can be expected to deal with a little extra configuration to make the rest of the world that much safer.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1573#issuecomment-793561939
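
Added example (not part of the original message, and not code from the rpm project): a pre-flight check that reads `rpm -K` result lines and reports which packages would need signing or `--nosignature` once `%_pkgverify_level all` is set. The function names, verdict labels and sample lines are constructed for illustration, and the `<file>: digests signatures OK` line format is an assumption about rpm >= 4.14 output.

```shell
#!/bin/sh
# Classify `rpm -K` (checksig) result lines read on stdin, one package per line.
# Assumed line format (rpm >= 4.14): "<file>: <results>", for example
#   "pkg.rpm: digests signatures OK"     signed, signature verified
#   "pkg.rpm: digests OK"                no signature present (local build)
#   "pkg.rpm: digests SIGNATURES NOT OK" bad signature, or (assumed) key not imported
# Real use:  rpm -K ./*.rpm | classify_checksig

classify_checksig() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        case "$line" in
            *": "*) pkg=${line%%: *}; res=${line#*: } ;;
            *)      pkg=$line; res= ;;          # not a result line
        esac
        case "$res" in
            *"NOT OK"*)     verdict=rejected-bad ;;       # failed digest or signature
            *signatures*OK) verdict=accepted ;;           # passes under "all"
            *digests*OK)    verdict=rejected-unsigned ;;  # passes today, refused under "all"
            *)              verdict=unknown ;;
        esac
        printf '%s\t%s\n' "$verdict" "$pkg"
    done
}

# Number of packages that would not install under enforced signature checking.
count_refused() {
    classify_checksig | awk -F'\t' '$1 != "accepted" { n++ } END { print n + 0 }'
}

# Constructed sample input, not output captured from a real system.
sample_output() {
    cat <<'EOF'
signed-1.0-1.noarch.rpm: digests signatures OK
localbuild-0.1-1.x86_64.rpm: digests OK
tampered-2.0-1.x86_64.rpm: digests SIGNATURES NOT OK
garbage line
EOF
}

sample_output | classify_checksig
```

Only the `rejected-unsigned` rows are the local-build workflow the message describes; `rejected-bad` rows already fail verification under the current default.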