
checksig and key handling



Hello,
I've a question about the key handling when using rpm --checksig.

I assume the key ID is determined by reading the header of the rpm package.
But how can I be sure that the key ID in the header is the one I want to check
against?
For example when I get an online update from my vendor it would be nice
to have something like "rpm --checksig --keyid <vendor key id> <package>"
to be sure the right key from the rpmDB/keyring was used for verification.
Is something like that available or planned?

Signature checks are done with external programs (pgp, gpg) so when, for
example, gpg switches to SHA-1 256 (or above) will there be any problems
regarding rpm? So in general, does rpm need to be modified to use alternative
message digest algorithms?

Thanks,
Thomas


-- 
Tom <tom electric-sheep org>
fingerprint = F055 43E5 1F3C 4F4F 9182  CD59 DBC6 111A 8516 8DBF
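
The check asked for above (pin the vendor's key ID, then verify), sketched as a shell wrapper. This is an added example, not part of the original message and not an rpm feature; the function names and any sample strings are constructed, and it assumes an rpm whose `:pgpsig` query formatter prints "Key ID <16 hex digits>".

```shell
#!/bin/sh
# Added example: refuse a package unless its signature names the pinned key ID,
# then let rpm do the cryptographic verification.

# Extract the key ID from rpm's :pgpsig text, e.g.
# "RSA/SHA256, Mon 01 Jan 2024 00:00:00 UTC, Key ID 0123456789abcdef".
# Prints nothing when the tag is absent ("(none)").
extract_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/.*Key ID \([0-9A-Fa-f]\{1,\}\).*/\1/p' | tr 'A-F' 'a-f'
}

# Succeed only if the expected ID is a full 64-bit (16 hex digit) ID and equals
# the one found. 32-bit short IDs are rejected: they are easy to collide.
keyid_matches() {
    km_want=$(printf '%s' "$1" | tr -d ' ' | tr 'A-F' 'a-f')
    km_got=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    case $km_want in *[!0-9a-f]*|'') return 1 ;; esac
    [ "${#km_want}" -eq 16 ] && [ "$km_want" = "$km_got" ]
}

# Usage: check_pkg_keyid <expected 16-hex key ID> <package.rpm>
check_pkg_keyid() {
    want=$1; pkg=$2; found=0
    # Header-only and header+payload signature tags, RSA and DSA variants.
    for tag in RSAHEADER DSAHEADER SIGPGP SIGGPG; do
        sig=$(rpm -qp --qf "%{${tag}:pgpsig}" "$pkg" 2>/dev/null) || return 2
        id=$(extract_keyid "$sig")
        [ -n "$id" ] || continue
        if ! keyid_matches "$want" "$id"; then
            echo "$pkg: $tag names key $id, expected $want" >&2
            return 1
        fi
        found=1
    done
    [ "$found" -eq 1 ] || { echo "$pkg: no signature found" >&2; return 1; }
    # The key ID in the header is only a claim; the signature check is rpm's.
    rpm --checksig "$pkg"
}

if [ "$#" -eq 2 ]; then check_pkg_keyid "$1" "$2"; fi
```

The key ID comparison only selects which key is acceptable; a package is trusted only if `rpm --checksig` also succeeds against a keyring that holds the vendor's key.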

