Force RPM to check GPG key
Panu Matilainen
pmatilai at laiskiainen.org
Wed Apr 18 13:38:16 UTC 2012
On 04/18/2012 10:35 AM, George Machitidze wrote:
> You are right, package is not signed with key, but -K says it's fine. RHEL
> 5 x86_64, up2date, no modifications. Strange...
Yup, rpm's notion of "signature" is not what you might expect: both
digests and actual signatures are "signatures" to rpm, and since the
package appears intact (i.e. its digest matches content), 'rpm -K' finds
nothing to complain about. To put it another way, 'rpm -K' verifies the
items it finds, but it does not require the package to be actually signed
to pass.
As for the original question of having rpm enforce a "signed packages
only" policy for install/upgrade, it's not possible currently. Rpm does
by default check signatures (unless disabled via switches or the
_vsflags* configuration) when reading packages, but the only enforcing
it does by itself is on explicit signature/digest verify failure (kinda
similar to the 'rpm -K' case). Yum behaves somewhat differently though
- Panu -
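To make the distinction above concrete (digests vs. real OpenPGP signatures in rpm's signature header), here is an added example, not code from the thread or from rpm itself. It parses the RPM lead and signature header directly and reports whether any signature tag (DSA/RSA/PGP/GPG) is present, as opposed to only digest tags (MD5/SHA1/SHA256). The two sample packages at the bottom are constructed byte strings with dummy digest and signature values; they are not real RPMs, and the script checks only for the presence of signature entries, it does not verify them (that is still rpm's or gpg's job).

```python
import struct
import sys

# RPM on-disk layout: a 96-byte lead, then a "signature header" in rpm's
# header-structure format, then the main header and payload. Only the lead
# and signature header are needed to answer "is this package signed at all?".
RPM_LEAD_SIZE = 96
RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"
INDEX_ENTRY_SIZE = 16  # tag, type, offset, count; all big-endian uint32

# Signature header tags (RPMSIGTAG_* in rpm's rpmtag.h).
DIGEST_TAGS = {
    269: "SHA1",    # header-only SHA1, ASCII hex
    273: "SHA256",  # header-only SHA256, ASCII hex
    1004: "MD5",    # header+payload MD5, binary
}
SIGNATURE_TAGS = {
    267: "DSA",     # header-only OpenPGP DSA signature
    268: "RSA",     # header-only OpenPGP RSA signature
    1002: "PGP",    # header+payload OpenPGP RSA signature
    1005: "GPG",    # header+payload OpenPGP DSA signature
}


def signature_header_tags(blob):
    """Return the set of tag numbers present in the RPM signature header."""
    if blob[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    off = RPM_LEAD_SIZE
    if blob[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", blob[off + 8:off + 16])
    off += 16
    if len(blob) < off + nindex * INDEX_ENTRY_SIZE + hsize:
        raise ValueError("truncated signature header")
    tags = set()
    for i in range(nindex):
        entry = blob[off + i * INDEX_ENTRY_SIZE:off + (i + 1) * INDEX_ENTRY_SIZE]
        tag, _typ, _offset, _count = struct.unpack(">IIII", entry)
        tags.add(tag)
    return tags


def classify(blob):
    """Split rpm's 'signatures' into real OpenPGP signatures and plain digests."""
    tags = signature_header_tags(blob)
    return {
        "digests": sorted(DIGEST_TAGS[t] for t in tags if t in DIGEST_TAGS),
        "signatures": sorted(SIGNATURE_TAGS[t] for t in tags if t in SIGNATURE_TAGS),
        "signed": any(t in SIGNATURE_TAGS for t in tags),
    }


# --- constructed sample packages (not real RPMs; digest/signature bytes are dummies) ---

def _lead(name=b"sample-1.0-1"):
    # magic, major 3, minor 0, type 0 (binary), archnum 1, name[66],
    # osnum 1, signature_type 5 (header-style signature header), 16 reserved
    return (RPM_LEAD_MAGIC + b"\x03\x00" + struct.pack(">HH", 0, 1)
            + name.ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)


def _signature_header(entries):
    """entries: list of (tag, type, data bytes); builds the index and data store."""
    index, data = b"", b""
    for tag, typ, payload in entries:
        index += struct.pack(">IIII", tag, typ, len(data), len(payload))
        data += payload
    return (HEADER_MAGIC + b"\0\0\0\0"
            + struct.pack(">II", len(entries), len(data)) + index + data)


# Header data types used below: 4 = INT32, 6 = STRING, 7 = BIN
_DIGEST_ONLY = [
    (1000, 4, struct.pack(">I", 4096)),  # RPMSIGTAG_SIZE
    (1004, 7, b"\x11" * 16),             # RPMSIGTAG_MD5 (dummy digest)
    (269, 6, b"a" * 40 + b"\0"),         # RPMSIGTAG_SHA1 (dummy digest)
]
UNSIGNED_RPM = _lead() + _signature_header(_DIGEST_ONLY)
SIGNED_RPM = _lead() + _signature_header(_DIGEST_ONLY + [
    (268, 7, b"\x89\x02\x15" + b"\x00" * 20),   # RPMSIGTAG_RSA (dummy signature)
    (1002, 7, b"\x89\x02\x15" + b"\x00" * 20),  # RPMSIGTAG_PGP (dummy signature)
])


if __name__ == "__main__":
    # Usage: python rpm_is_signed.py foo.rpm bar.rpm ...
    # The signature header is small; the first 1 MiB is more than enough.
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = classify(f.read(1024 * 1024))
        verdict = "SIGNED" if info["signed"] else "UNSIGNED (digests only)"
        print(f"{path}: {verdict}  digests={info['digests']} signatures={info['signatures']}")
```

Run against a real package, an unsigned one comes back as "UNSIGNED (digests only)" even though 'rpm -K' on the same file reports it fine, which is exactly the gap described above. The same presence check can be done with rpm's own query format on versions that know the tags, e.g. `rpm -qp --qf '%{SIGPGP:pgpsig}\n%{RSAHEADER:pgpsig}\n' pkg.rpm`, which prints "(none)" for a missing entry; a wrapper that refuses to install when every signature tag is "(none)" is the "signed packages only" policy that rpm itself does not enforce.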