Making PGP distribution key well-known

Panu Matilainen pmatilai at laiskiainen.org
Thu Mar 1 17:58:18 UTC 2012


On 03/01/2012 06:52 PM, Petr Pisar wrote:
> As a new Fedora release looms ahead, I'd like to open a discussion about
> verifying distribution integrity. In short---where to get the public key
> for verifying RPM signatures.
>
> If I remember correctly, you are asked to accept a new signing key by rpm
> while installing the fedora-release package from the new Fedora release.
> The problem is, there is no way to verify the key being accepted.
>
> I have been told by RPM developers that RPM allows multiple signatures.
> Would it be possible to sign the fedora-release package from F17 with the
> key used in F16 in addition?

No, rpm does not support multiple signatures in this sense. There are 
all sorts of different "signature" types in rpm and several of them are 
typically present in any (signed) package, but that's a different thing 
(rpm's notion of a "signature" is a bit exotic). There's no fundamental 
limitation why it could not ever support this kind of scenario, but 
currently it does not.

	- Panu -

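The gap Petr describes (rpm prompting to accept a key with nothing to check it against) is closed by comparing the key's OpenPGP fingerprint with a value obtained out of band before the key is imported. The following script is an added example written for this archive page, not code from the thread, from Fedora or from the RPM project. It decodes an ASCII-armoured key file in the RPM-GPG-KEY-* format, verifies the armour's CRC-24 trailer, computes the RFC 4880 v4 fingerprint (SHA-1 over 0x99, a two-byte length and the key packet body) and looks it up in an allowlist. The key material, timestamp and allowlist label are constructed for the demonstration; the fingerprint-check logic itself is standard OpenPGP.

```python
"""Added example: check an armoured OpenPGP key file against a fingerprint
allowlist before rpm imports it. Not code from the thread or from RPM."""
import base64
import hashlib
import struct


def crc24(data: bytes) -> int:
    """RFC 4880 section 6.1 armour checksum."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def mpi(x: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian bytes."""
    bits = x.bit_length()
    return struct.pack(">H", bits) + x.to_bytes((bits + 7) // 8, "big")


def build_v4_pubkey_packet(n: int, e: int, created: int) -> bytes:
    """Build a v4 RSA public-key packet (tag 6) with an old-format header.
    Used here only to construct sample input; real keys come from the distro."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    # old-format header byte 1 0 tttt ll: tag 6, 2-byte length -> 0x99
    return bytes([0x80 | (6 << 2) | 1]) + struct.pack(">H", len(body)) + body


def armor(packet: bytes) -> str:
    """ASCII-armour a binary packet the way an exported key file looks."""
    b64 = base64.b64encode(packet).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packet).to_bytes(3, "big")).decode("ascii")
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n"
            "Version: constructed example\n\n"
            + "\n".join(lines) + "\n=" + crc + "\n"
            "-----END PGP PUBLIC KEY BLOCK-----\n")


def dearmor(text: str) -> bytes:
    """Strip armour, check the CRC-24 trailer, return the binary packets."""
    lines = text.strip().splitlines()
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armoured OpenPGP block")
    body = lines[1:-1]
    i = 0
    while i < len(body) and ":" in body[i]:   # "Key: value" armour headers
        i += 1
    if i < len(body) and body[i].strip() == "":
        i += 1
    data = base64.b64decode("".join(l for l in body[i:] if not l.startswith("=")))
    crc_lines = [l for l in body[i:] if l.startswith("=")]
    if crc_lines:
        expected = int.from_bytes(base64.b64decode(crc_lines[0][1:]), "big")
        if crc24(data) != expected:
            raise ValueError("armour CRC-24 mismatch: file corrupted or tampered")
    return data


def first_packet(data: bytes):
    """Decode one packet header (RFC 4880 section 4.2); return (tag, body)."""
    t = data[0]
    if not t & 0x80:
        raise ValueError("bad packet header")
    if t & 0x40:                                  # new-format header
        tag, l1 = t & 0x3F, data[1]
        if l1 < 192:
            length, off = l1, 2
        elif l1 < 224:
            length, off = ((l1 - 192) << 8) + data[2] + 192, 3
        elif l1 == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:                                         # old-format header
        tag, ltype = (t >> 2) & 0x0F, t & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate length not supported")
    return tag, data[off:off + length]


def v4_fingerprint(key_body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, 2-byte length, key packet body."""
    if key_body[0] != 4:
        raise ValueError("only v4 keys are supported")
    prefix = b"\x99" + struct.pack(">H", len(key_body))
    return hashlib.sha1(prefix + key_body).hexdigest().upper()


def check_key_file(armored: str, trusted: dict) -> tuple:
    """Return (fingerprint, label); label is None when the key is not allowlisted."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6:
        raise ValueError("first packet is not a public key (tag %d)" % tag)
    fp = v4_fingerprint(body)
    return fp, trusted.get(fp)


# Constructed sample key: toy-sized RSA modulus and timestamp, demo only.
SAMPLE_N = 0xC1F05E3D9A772B458E11D0C3F6A29B57
SAMPLE_E = 65537
SAMPLE_CREATED = 1330624698

if __name__ == "__main__":
    key_file = armor(build_v4_pubkey_packet(SAMPLE_N, SAMPLE_E, SAMPLE_CREATED))
    # In real use the allowlist holds fingerprints obtained out of band
    # (previous release media, a published announcement), not from the file.
    known = v4_fingerprint(first_packet(dearmor(key_file))[1])
    fp, label = check_key_file(key_file, {known: "sample key (constructed)"})
    print(fp, "trusted: " + label if label else "UNKNOWN KEY - do not import")
    print(check_key_file(key_file, {}))
```

The fingerprint this produces is the same value `gpg --with-fingerprint` prints for the file, so the allowlist can be populated from a fingerprint announced on a channel independent of the package download, and the check can run before `rpm --import` or before the fedora-release upgrade that would otherwise prompt for blind acceptance.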
