On 06/21/2016 10:19 PM, Ed Greshko wrote:
On 06/22/16 13:15, Samuel Sieb wrote:
On 06/21/2016 10:04 PM, Antonio M wrote:
A silly question: how do you understand that a package is signed in any repo? Apart from the warning of dnf, of course...
That would be the primary way. Otherwise, if you have rpmdevtools installed, you can download the rpm and run rpmdev-checksig on it. That's what I used to check some rpms from rpmfusion to determine that they aren't signed.
Or you could run rpm -K rpmfile
This shows the output of a signed rpm
[root@meimei ~]# rpm -K aime-8.20160504-1.fc23.x86_64.rpm
aime-8.20160504-1.fc23.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
This shows the output of a non-signed rpm
[egreshko@acer ~]$ rpm -K libmpg123-1.22.4-1.fc24.x86_64.rpm
libmpg123-1.22.4-1.fc24.x86_64.rpm: sha1 md5 OK
Oh, that's right, you can check it with rpm and I have used that. However, rpmdev-checksig will give you a bit more info:
python /bin/rpmdev-checksig nss-3.21.0-1.1.fc23.i686.rpm
nss-3.21.0-1.1.fc23.i686.rpm: RSA/SHA256 - 34ec9cba - fedora-23-primary@fedoraproject.org
python /bin/rpmdev-checksig a52dec-0.7.4-19.fc24.x86_64.rpm
a52dec-0.7.4-19.fc24.x86_64.rpm: MD5 - None - <None>
You currently have to run it with python directly because there's a bug where the #! line has python3, but then it throws an exception. If you run it with python2, it works.
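The difference between the two `rpm -K` outputs quoted in this thread can be checked mechanically. The script below is an added example, not part of the original messages: it classifies a `rpm -K` status line as signed, unsigned or bad. The function names are hypothetical, and the `digests signatures OK` wording of newer rpm releases is an assumption that does not appear in the thread.

```shell
#!/bin/sh
# Added example: classify `rpm -K` output so downloaded rpms can be screened
# for a missing signature before installation.

# classify_rpm_k LINE -> prints "signed", "unsigned" or "bad"
classify_rpm_k() {
    # Drop the "<file>: " prefix; what remains is the list of checks and result.
    status=${1#*: }
    case $status in
        *"NOT OK"*) echo bad; return 0 ;;   # failed digest, bad or unverifiable signature
        *OK) ;;                             # every listed check passed
        *) echo bad; return 0 ;;            # anything unexpected is treated as a failure
    esac
    # Older rpm lists each check (rsa, dsa, pgp, gpg, sha1, md5); an unsigned
    # package shows digests only. Newer rpm is assumed to print "signatures".
    case " $status " in
        *" rsa "*|*" dsa "*|*" pgp "*|*" gpg "*|*" signatures "*) echo signed ;;
        *) echo unsigned ;;
    esac
}

# check_rpms FILE... -> one "verdict<TAB>file" line per rpm; returns non-zero
# if any file is not signed. LC_ALL=C keeps the rpm messages in English.
check_rpms() {
    rc=0
    for f in "$@"; do
        out=$(LC_ALL=C rpm -K "$f" 2>&1)
        verdict=$(classify_rpm_k "$out")
        printf '%s\t%s\n' "$verdict" "$f"
        [ "$verdict" = signed ] || rc=1
    done
    return $rc
}

# Usage, after sourcing this file: check_rpms ./*.rpm
```

A "signed" verdict means rpm found a signature and verified it against the keys imported on that machine; it says nothing about whose key it was, which is the extra detail rpmdev-checksig prints.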