[Rpm-maint] [rpm-software-management/rpm] Enforce GPG signatures by default (#1573)

Demi Marie Obenour notifications at github.com
Sat Mar 13 11:12:01 UTC 2021


> Rpm actually already verifies signatures _if present_ by default since 4.0 or thereabouts, but it doesn't _require_ them. Enforcing is supported since >= 4.14.2 and we also have the bypass-switch (--nosignature) already, so from strict technical perspective this is just a matter of one line change to turn the policy switch to 11 (`%_pkgverify_level all`).
> 
> The only thing stopping us is that it breaks the workflow of installing your own local builds - you need to sign or use --nosignature to install. For everything else this is 20 years too late already  As the average user is not even affected at all... maybe the folks who build packages can be expected to deal with a little extra configuration to make the rest of the world that much safer.

Agreed.  Those who build packages can generate their own signing keys.  Personally, I would consider being able to disable this on a per-package basis a good idea, but it isn’t a blocker.

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1573#issuecomment-798172203
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.rpm.org/pipermail/rpm-maint/attachments/20210313/a04f1897/attachment.html>


More information about the Rpm-maint mailing list