[Rpm-maint] next question: can rpm fail (instead of warn) on a bad signature?

Shandy Brown sbrown at vmware.com
Fri Dec 15 09:31:14 UTC 2006


Thanks Paul.  So I guess I'll have to test rpm -K before I run rpm -Uvh.

One more thing, I also want to fail when there is no signature.  But
when I run rpm -K against a package with no signature, it returns:

/yum-2.0.7-3vmw.noarch.rpm: sha1 md5 OK

I would have expected a "NOT OK" result here.  Am I doing something
wrong?

sjbrown

On Fri, 2006-12-15 at 09:11 +0000, Paul Nasrat wrote:
> On Fri, 2006-12-15 at 01:01 -0800, Shandy Brown wrote:
> > So I've created an rpm with a "bad" signature (the target box doesn't
> > have the public key).  But when I install it, it succeeds.  I was
> > expecting a failure.
> > 
> > rpm -Uvh /yum-2.0.7-3vmw.noarch.rpm
> > warning: /yum-2.0.7-3vmw.noarch.rpm: V3 DSA signature: NOKEY, key ID e979a084
> > Preparing...                ########################################### [100%]
> > 
> > Is there a way to tell rpm to fail if the signature doesn't check out?
> 
> Currently there is no policy enforcement of requiring signatures, within
> command line rpm. Other tools sitting on top of rpm such as yum enable
> this kind of checking (gpgcheck=1 in the case of yum).
> 
> Please note an unknown signature is not the same thing as a "bad"
> signature (where the file has been modified/corrupted).
> 
> Paul
> 
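
Added example, not part of the original thread: a shell gate that runs `rpm -K` before `rpm -Uvh` and treats the digest-only result quoted above ("sha1 md5 OK") as unsigned rather than as a pass. The function names and the signature token names (`gpg`, `pgp`, `dsa`, `rsa`, `signatures`) are assumptions about what the local rpm prints; only the "sha1 md5 OK" line comes from the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Signature token names below are
# assumptions about rpm -K output; adjust them to what your rpm prints.

# sig_status PKG LINE -> prints "signed-ok", "unsigned" or "failed"
# LINE is the single line rpm -K printed for PKG.
sig_status() {
    pkg=$1
    line=$2
    # Drop the "PKG: " prefix so a file name such as gpg-tools.rpm cannot
    # be mistaken for a signature token.
    result=${line#"$pkg: "}
    if [ "$result" = "$line" ]; then
        echo failed            # the line is not about this package
        return
    fi
    case $result in
        *"NOT OK"*) echo failed; return ;;   # bad digest/signature or missing key
        *" OK") ;;                            # checks that were present passed
        *) echo failed; return ;;             # unrecognised output: fail closed
    esac
    # Digests alone (the "sha1 md5 OK" case) only show the file is intact,
    # not who built it, so report that as unsigned.
    case " $result " in
        *" gpg "*|*" pgp "*|*" dsa "*|*" rsa "*|*" signatures "*)
            echo signed-ok ;;
        *)
            echo unsigned ;;
    esac
}

# require_signed PKG: exit status 0 only when rpm -K reports a signature
# that verified. Warnings on stderr are dropped so only the result line
# is parsed.
require_signed() {
    out=$(rpm -K "$1" 2>/dev/null) || return 1
    [ "$(sig_status "$1" "$out")" = signed-ok ]
}

# Typical use (commented out so the file can be sourced safely):
# require_signed /yum-2.0.7-3vmw.noarch.rpm && rpm -Uvh /yum-2.0.7-3vmw.noarch.rpm
```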


