[Rpm-maint] next question: can rpm fail (instead of warn) on a bad signature?

Paul Nasrat pnasrat at redhat.com
Fri Dec 15 09:11:09 UTC 2006


On Fri, 2006-12-15 at 01:01 -0800, Shandy Brown wrote:
> So I've created an rpm with a "bad" signature (the target box doesn't
> have the public key).  But when I install it, it succeeds.  I was
> expecting a failure.
> 
> rpm -Uvh /yum-2.0.7-3vmw.noarch.rpm
> warning: /yum-2.0.7-3vmw.noarch.rpm: V3 DSA signature: NOKEY, key ID e979a084
> Preparing...                ########################################### [100%]
> 
> Is there a way to tell rpm to fail if the signature doesn't check out?

Currently there is no policy enforcement of requiring signatures within
command-line rpm. Other tools sitting on top of rpm, such as yum, enable
this kind of checking (gpgcheck=1 in the case of yum).

Please note that an unknown signature is not the same thing as a "bad"
signature (where the file has been modified/corrupted).

Paul
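
The distinction drawn in the reply above, as an added example that is not part of the original message or of rpm: a fail-closed gate that classifies signature status lines of the form quoted in the warning and accepts nothing but OK. The function names, verdict words and exit codes are this example's own, and it assumes `rpm -Kv` prints its signature lines in the same `... signature: STATUS, key ID ...` format as the warning shown; other rpm versions may word them differently.

```shell
#!/bin/sh
# Added example (hypothetical helper names), not rpm's own code.
# Intended use, assuming the line format quoted in the message:
#   rpm -Kv pkg.rpm 2>&1 | sig_gate && rpm -Uvh pkg.rpm

# classify_sig_output: read rpm output on stdin, print one verdict word.
#   BAD      signature present but does not match (file modified/corrupted)
#   NOKEY    signature present, public key not imported (cannot be judged)
#   UNKNOWN  a status word this script does not recognise
#   OK       at least one signature line seen and every one of them is OK
#   UNSIGNED no signature line seen at all
classify_sig_output() {
    awk '
        / signature: / {
            seen = 1
            status = $0
            sub(/.* signature: /, "", status)  # keep text after the marker
            sub(/[, ].*/, "", status)          # first word is the status
            if (status == "BAD") bad = 1
            else if (status == "NOKEY") nokey = 1
            else if (status != "OK") other = 1
        }
        END {
            # Worst status wins, so one BAD line outweighs any OK lines.
            if (bad) print "BAD"
            else if (nokey) print "NOKEY"
            else if (other) print "UNKNOWN"
            else if (seen) print "OK"
            else print "UNSIGNED"
        }'
}

# sig_gate: return 0 only for OK. Distinct non-zero codes let the caller log
# "unknown key" separately from "tampered file".
sig_gate() {
    verdict=$(classify_sig_output)
    case "$verdict" in
        OK)    return 0 ;;
        NOKEY) echo "refusing: signing key not imported" >&2; return 2 ;;
        BAD)   echo "refusing: signature does not match file" >&2; return 3 ;;
        *)     echo "refusing: no verifiable signature ($verdict)" >&2; return 4 ;;
    esac
}
```
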



