On 06/22/16 13:15, Samuel Sieb wrote:
On 06/21/2016 10:04 PM, Antonio M wrote:
a silly question, how do you understand that a package is signed in any repo?? apart from the warning of dnf, of course....
That would be the primary way. Otherwise, if you have rpmdevtools installed, you can download the rpm and run rpmdev-checksig on it. That's what I used to check some rpms from rpmfusion to determine that they aren't signed.
Or you could run rpm -K rpmfile
This shows the output of a signed rpm
[root@meimei ~]# rpm -K aime-8.20160504-1.fc23.x86_64.rpm
aime-8.20160504-1.fc23.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
This shows the output of a non-signed rpm
[egreshko@acer ~]$ rpm -K libmpg123-1.22.4-1.fc24.x86_64.rpm
libmpg123-1.22.4-1.fc24.x86_64.rpm: sha1 md5 OK
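
Added example, not part of the original messages: a small shell function that classifies a line of `rpm -K` output as signed or unsigned, since both outputs above end in "OK" and differ only in the signature tokens. The function name, the token list beyond the `rsa`/`pgp` shown in the thread (`dsa`, `gpg`, `signatures`) and the third sample line are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: classify one line of `rpm -K` output.
# Assumption: signature checks show up as the tokens rsa, dsa, pgp, gpg
# (older rpm) or the word "signatures" (newer rpm); only the rsa/pgp form
# appears in the thread.
classify_rpmk_line() {
    line=$1
    # Drop the "<file>: " prefix; what remains is the check list and verdict.
    result=${line#*: }
    case $result in
        *"NOT OK"*) printf 'failed\n'; return 0 ;;
        *" OK")     ;;
        *)          printf 'unknown\n'; return 0 ;;
    esac
    lower=$(printf '%s' "$result" | tr '[:upper:]' '[:lower:]')
    case " $lower " in
        *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*)
            printf 'signed\n' ;;
        *)
            # Digests matched but no signature was checked: "OK" here only
            # means the file is intact, not that anyone vouched for it.
            printf 'unsigned\n' ;;
    esac
}

# The two output lines from the thread, plus one constructed failure line.
while IFS= read -r sample; do
    printf '%-9s %s\n' "$(classify_rpmk_line "$sample")" "$sample"
done <<'EOF'
aime-8.20160504-1.fc23.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
libmpg123-1.22.4-1.fc24.x86_64.rpm: sha1 md5 OK
constructed-1.0-1.x86_64.rpm: sha1 MD5 NOT OK
EOF
```

To use it on real files, feed it the output of `rpm -K *.rpm` one line at a time.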