Force RPM to check GPG key

Panu Matilainen pmatilai at laiskiainen.org
Wed Apr 18 13:38:16 UTC 2012


On 04/18/2012 10:35 AM, George Machitidze wrote:
> You are right, package is not signed with key, but -K says it's fine. RHEL
> 5 x86_64, up2date, no modifications. Strange...

Yup, rpm's notion of "signature" is not what you might expect: both 
digests and actual signatures are "signatures" to rpm, and since the 
package appears intact (i.e. its digest matches content), 'rpm -K' finds 
nothing to complain about. To put it another way, 'rpm -K' verifies the 
items it finds, but it does not require the package to be actually signed to 
pass.

As for the original question of having rpm enforce a "signed packages 
only" policy for install/upgrade, it's not possible currently. Rpm does 
by default check signatures (unless disabled via switches or the 
_vsflags* configuration) when reading packages, but the only enforcing 
it does by itself is on explicit signature/digest verify failure (kinda 
similar to the 'rpm -K' case). Yum behaves somewhat differently though.

	- Panu -
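The distinction Panu draws above (a package can carry only digests and still pass 'rpm -K') can be checked directly from the file, without trusting rpm's exit status. The script below is an added example, not code from the rpm project or from anyone in this thread. It parses the RPM lead and signature header and reports whether any OpenPGP signature tag (RSA/DSA header-only, or the older PGP/GPG header+payload tags) is present, as opposed to only MD5/SHA1 digest tags. It does not verify the signatures themselves; it only answers the question 'rpm -K' does not enforce. The sample packages are constructed in memory and their signature bytes are placeholders, not real OpenPGP data; the tag numbers and layout follow the published RPM file format.

```python
"""Tell a digest-only (merely intact) RPM from one that actually carries a
signature, by reading the signature header directly.

Added example, not from the rpm project. Layout assumed: 96-byte lead,
signature header with magic 8e ad e8 01, 16-byte index entries, data store
padded to 8 bytes. Sample packages below are constructed, with placeholder
signature bytes.
"""
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"
LEAD_SIZE = 96
HEADER_MAGIC = b"\x8e\xad\xe8\x01"

# Signature-header tags, by rpm's numbering.
SIG_TAGS = {
    1000: "SIZE",   # size of header + payload
    1004: "MD5",    # MD5 of header + payload: a digest, not a signature
    269: "SHA1",    # SHA1 of header: a digest, not a signature
    1002: "PGP",    # RSA signature over header + payload
    1005: "GPG",    # DSA signature over header + payload
    267: "DSA",     # DSA signature over header only
    268: "RSA",     # RSA signature over header only
}
SIGNATURE_TAGS = {1002, 1005, 267, 268}
DIGEST_TAGS = {1004, 269}

# rpm header data types used here
RPM_INT32, RPM_STRING, RPM_BIN = 4, 6, 7


def parse_signature_header(data: bytes) -> dict:
    """Return {tag: raw_bytes} for every entry in the signature header."""
    if len(data) < LEAD_SIZE or data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    off = LEAD_SIZE
    if data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    index_start = off + 16
    store_start = index_start + 16 * nindex
    if store_start + hsize > len(data):
        raise ValueError("truncated signature header")
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(
            ">IIII", data[index_start + 16 * i:index_start + 16 * (i + 1)])
        start = store_start + offset
        if typ == RPM_INT32:
            raw = data[start:start + 4 * count]
        elif typ == RPM_BIN:
            raw = data[start:start + count]
        elif typ == RPM_STRING:
            raw = data[start:data.index(b"\x00", start)]
        else:
            raise ValueError(f"unsupported type {typ} for tag {tag}")
        entries[tag] = raw
    return entries


def signature_status(data: bytes) -> dict:
    """Classify a package as signed vs. digest-only (what 'rpm -K' won't enforce)."""
    entries = parse_signature_header(data)
    tags = set(entries)
    return {
        "tags": sorted(SIG_TAGS.get(t, f"tag{t}") for t in tags),
        "has_digest": bool(DIGEST_TAGS & tags),
        "signed": bool(SIGNATURE_TAGS & tags),
    }


def enforce_signed_only(packages: dict) -> list:
    """Names of packages a 'signed packages only' policy would reject."""
    return [n for n, d in packages.items() if not signature_status(d)["signed"]]


def build_rpm_prefix(entries) -> bytes:
    """Construct lead + signature header for a sample package (constructed data).

    entries: list of (tag, type, bytes); offsets are assigned sequentially,
    INT32 values aligned to 4 bytes, store padded to 8 bytes after hsize.
    """
    lead = LEAD_MAGIC + bytes([3, 0]) + struct.pack(">hh", 0, 1)
    lead += b"constructed-1.0-1".ljust(66, b"\x00")
    lead += struct.pack(">hh", 1, 5) + b"\x00" * 16   # osnum, sigtype, reserved
    index, store = b"", b""
    for tag, typ, raw in entries:
        if typ == RPM_INT32:
            store += b"\x00" * (-len(store) % 4)
        elif typ == RPM_STRING:
            raw += b"\x00"
        count = len(raw) if typ == RPM_BIN else 1
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += raw
    hdr = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(entries), len(store))
    store += b"\x00" * (-len(store) % 8)
    return lead + hdr + index + store


# Constructed samples: same digests, one also carries (placeholder) signatures.
_COMMON = [(1000, RPM_INT32, struct.pack(">I", 4096)),
           (1004, RPM_BIN, bytes(range(16))),
           (269, RPM_STRING, b"0" * 40)]
DIGEST_ONLY_PKG = build_rpm_prefix(_COMMON)
SIGNED_PKG = build_rpm_prefix(_COMMON + [
    (268, RPM_BIN, b"\x89\x01" + b"\xaa" * 30),   # placeholder, not a real RSA sig
    (1002, RPM_BIN, b"\x89\x01" + b"\xbb" * 30)])  # placeholder, not a real PGP sig

if __name__ == "__main__":
    for name, pkg in {"digest-only": DIGEST_ONLY_PKG, "signed": SIGNED_PKG}.items():
        print(name, signature_status(pkg))
    print("rejected:", enforce_signed_only({"a.rpm": DIGEST_ONLY_PKG, "b.rpm": SIGNED_PKG}))
```

On a real system the same question can be asked of a file with `rpm -qp --qf '%{SIGPGP:pgpsig} %{RSAHEADER:pgpsig}\n' pkg.rpm`, which prints `(none)` for absent tags; the parser above is useful where you want the check independent of the rpm binary's own configuration (e.g. `_vsflags*` overrides).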

