Should Fedora rpms be signed?
Satish Balay
balay at fastmail.fm
Fri Nov 5 06:59:30 UTC 2004
On Fri, 5 Nov 2004, seth vidal wrote:
> > The current model is that they're all the same. Look at our tools; look
> > at yum and up2date. They don't know anything about which key is which,
> > just which key you've said you trust (not even what you trust it for, or
> > how much). The only real difference, and certainly the only one in the
> > minds of the vast majority of our users, is that one comes in rpm's key
> > list by default and one does not.
What's in rpm's key list by default? I thought the user does an explicit
'rpm --import'.
> An RFE for yum has been to provide a list of gpg keyids that are valid
> per-repository.
>
> So then the gpgcheck process would be:
>
> 1. check if the sig exists
> 2. check if the sig is valid
> 3. if both are true, check to see if the keyid matches on the allowed
> keyid for packages from that repo.
A couple of questions here.
- What key is used for this purpose (to sign the metadata)?
- Where does the user store this public key?
- What prevents the clueless users from having the same expectation from
a gpg-signed metadata-repo as they have with gpg-signed packages?
thanks,
Satish
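
The three-step gpgcheck quoted above, set beside the single shared key list the thread describes, as an added example that is not part of the original message and is not yum's code. The key IDs, repo names, `Sig` record and both function names are constructed for illustration, and signature verification itself is assumed to have been done already by rpm/gpg.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed key IDs and repo names (assumptions, not real Fedora keys).
IMPORTED_KEYS = {"AAAA1111", "BBBB2222"}   # everything added with `rpm --import`
REPO_KEYIDS = {                             # hypothetical per-repo allow-list
    "base": {"AAAA1111"},
    "thirdparty": {"BBBB2222"},
}

@dataclass
class Sig:
    """Result of signature verification performed elsewhere (assumed input)."""
    keyid: Optional[str]  # None: package has no signature
    valid: bool           # True: signature verified against an imported key

def check_shared_keyring(sig: Sig) -> str:
    """Model described in the thread: one trusted-key list for every repo."""
    if sig.keyid is None:
        return "reject: unsigned"
    if not sig.valid or sig.keyid.upper() not in IMPORTED_KEYS:
        return "reject: bad signature"
    return "accept"

def check_per_repo(repo: str, sig: Sig) -> str:
    """The three quoted steps, failing closed when a repo lists no key IDs."""
    if sig.keyid is None:                       # 1. does the sig exist?
        return "reject: unsigned"
    if not sig.valid:                           # 2. is the sig valid?
        return "reject: bad signature"
    allowed = REPO_KEYIDS.get(repo, set())
    if sig.keyid.upper() not in allowed:        # 3. keyid allowed for this repo?
        return "reject: keyid not allowed for " + repo
    return "accept"

if __name__ == "__main__":
    # Package served by "base" but validly signed with the third-party key.
    cross = Sig(keyid="bbbb2222", valid=True)
    print("shared keyring:", check_shared_keyring(cross))
    print("per-repo:      ", check_per_repo("base", cross))
```

The cross-signed package is the case the per-repository list exists for: it passes the shared-keyring check and is rejected once key IDs are bound to repos.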