Should Fedora rpms be signed?
seth vidal
skvidal at phy.duke.edu
Fri Nov 5 07:09:11 UTC 2004
> > An RFE for yum has been to provide a list of gpg keyids that are valid
> > per-repository.
> >
> > So then the gpgcheck process would be:
> >
> > 1. check if the sig exists
> > 2. check if the sig is valid
> > 3. if both are true, check to see if the keyid matches on the allowed
> > keyid for packages from that repo.
>
> A couple of questions here.
>
> - What key is used for this purpose (to sign the metadata)?
> - Where does the user store this public key?
> - What prevents the clueless users from having the same expectation from
> a gpg-signed metadata repo as they have with gpg-signed packages?
This is just based on keys in your rpmdb.
The idea is this:
if you have 3 repos available to yum.
They are signed with 3 separate gpg keys. So you've imported all the
keys into your rpmdb. The whole point of the feature I described before
is so you can say:
the only packages I want from this repository are signed with _this_
key. If you get a package from this repository that is signed with any
other key, even if I have that key in my rpmdb, don't trust it.
-sv
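The three-step gpgcheck described above, written out as an added example; this is not yum's or Fedora's code. It assumes the signature string format rpm prints for `%{SIGPGP:pgpsig}` (`ALGO, DATE, Key ID <hex>`), a hypothetical `gpgkeyid=` option in `.repo` files listing the key IDs allowed for that repo (an assumption, not an option yum has), and a constructed set of key IDs standing in for those imported into the rpmdb. The cryptographic verification itself (what `rpm -K` does) is simulated with a boolean; the point is the policy layer on top of it: a valid signature from a key that is in the rpmdb but not pinned to the repo is still refused.

```python
"""Per-repository GPG key pinning for yum (added example, not yum's code)."""
import configparser
import re
from dataclasses import dataclass
from enum import Enum
from typing import Optional

# rpm's pgpsig string ends in 'Key ID <hex>'; we pin on the 16-hex long key ID.
PGPSIG_RE = re.compile(r"Key ID ([0-9A-Fa-f]{16})\s*$")

# Constructed .repo file; 'gpgkeyid=' is the hypothetical per-repo option.
SAMPLE_REPO_CONF = """
[fedora-core]
name=Fedora Core
baseurl=http://example.invalid/core
gpgcheck=1
gpgkeyid=1111111111111111

[extras]
name=Fedora Extras
baseurl=http://example.invalid/extras
gpgcheck=1
gpgkeyid=2222222222222222 3333333333333333

[legacy]
name=Fedora Legacy (no gpgkeyid, so any rpmdb key is accepted, as today)
baseurl=http://example.invalid/legacy
gpgcheck=1
"""

# Constructed: key IDs the admin imported with 'rpm --import' (all three repos' keys).
RPMDB_KEYIDS = {"1111111111111111", "2222222222222222", "3333333333333333"}


class Verdict(Enum):
    NO_SIGNATURE = "no signature"
    BAD_SIGNATURE = "signature does not verify (or key not in rpmdb)"
    WRONG_KEY = "valid signature, but key not allowed for this repo"
    TRUSTED = "trusted"


def load_repo_policy(conf_text):
    """Map repo id -> set of allowed key IDs; an empty set means no pinning."""
    cp = configparser.ConfigParser()
    cp.read_string(conf_text)
    return {repo: {k.lower() for k in cp.get(repo, "gpgkeyid", fallback="").split()}
            for repo in cp.sections()}


def keyid_from_pgpsig(pgpsig):
    """Extract the signing key ID from rpm's %{SIGPGP:pgpsig} output."""
    m = PGPSIG_RE.search(pgpsig)
    if not m:
        raise ValueError("unrecognised pgpsig string: %r" % pgpsig)
    return m.group(1).lower()


@dataclass
class Package:
    name: str
    repo: str
    pgpsig: Optional[str]  # None when the package carries no signature at all
    sig_verifies: bool     # simulated outcome of the cryptographic check (rpm -K)


def gpgcheck(pkg, rpmdb_keyids, policy):
    """sig exists -> sig valid -> key is one allowed for the package's repo."""
    if pkg.repo not in policy:
        raise ValueError("package from unconfigured repo %r" % pkg.repo)
    # 1. check if the sig exists
    if pkg.pgpsig is None:
        return Verdict.NO_SIGNATURE
    keyid = keyid_from_pgpsig(pkg.pgpsig)
    # 2. check if the sig is valid: rpm can only verify against a key in the rpmdb
    if keyid not in rpmdb_keyids or not pkg.sig_verifies:
        return Verdict.BAD_SIGNATURE
    # 3. the key must be one pinned to this repo; a repo with no pin accepts any rpmdb key
    allowed = policy[pkg.repo]
    if allowed and keyid not in allowed:
        return Verdict.WRONG_KEY
    return Verdict.TRUSTED


def demo():
    """Constructed packages covering each branch; returns {name: Verdict}."""
    policy = load_repo_policy(SAMPLE_REPO_CONF)
    sig = "DSA/SHA1, Fri 05 Nov 2004 07:09:11 AM UTC, Key ID %s"
    pkgs = [
        Package("foo-1.0-1", "fedora-core", sig % "1111111111111111", True),
        # signed with the extras key, which IS in the rpmdb, but served from fedora-core
        Package("bar-2.0-1", "fedora-core", sig % "2222222222222222", True),
        Package("baz-0.1-1", "extras", None, False),
        Package("qux-3.1-2", "extras", sig % "3333333333333333", False),
        Package("old-1.2-3", "legacy", sig % "2222222222222222", True),
    ]
    return {p.name: gpgcheck(p, RPMDB_KEYIDS, policy) for p in pkgs}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print("%-10s %s" % (name, verdict.value))
```

The `bar-2.0-1` case is the one the message is about: the signature is genuine and the key is already trusted by rpm, yet the package is refused because that key is not the one pinned to the repository it came from.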