Should Fedora rpms be signed?

Ralph Angenendt ralph+fedora at strg-alt-entf.org
Tue Oct 26 10:25:28 UTC 2004


nodata wrote:
> A recent scam involving fake updates to Fedora has highlighted the lack of
> signed RPMs for Fedora Core.

What do you mean?

| [angenenr at localhorst packages]$ rpm -K samba-common-3.0.6-2.fc2.i386.rpm
| samba-common-3.0.6-2.fc2.i386.rpm: (sha1) dsa sha1 md5 gpg OK

Fedora Core RPMs (as are livna.org RPMs, fedora.us RPMs, dag's RPMs
and freshrpm's RPMs) *are* cryptographically signed.

> "All official updates for Red Hat products are digitally signed and should
> not be installed unless they are correctly signed and the signature is
> verified."
>  -- http://www.redhat.com/security/

Look, it even says so in the advisory!

> What does the list think about signed RPMs - are they unnecessary for a
> community project, or are they useful?

You're talking about rawhide?

| [angenenr at localhorst tmp]$ rpm -v -K zsh-4.2.0-3.i386.rpm
| zsh-4.2.0-3.i386.rpm:
|     Header V3 DSA signature: OK, key ID 4f2a6fd2
|     Header SHA1 digest: OK (4bd8d06387d5c7175b60bf200fb84a229d79b7d4)
|     MD5 digest: OK (16cc40302ebfd42dc2bc1d7f47cd7ded)
|     V3 DSA signature: OK, key ID 4f2a6fd2

Seems to be signed also.

Ralph
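The `rpm -v -K` output quoted above shows the two things a verifier has to look at: the signature status for each signature line, and the key ID that made it. A package re-signed with an attacker's key still prints OK digests and a signature line, only with a status such as NOKEY or a key ID you do not trust. The script below is an added example for this thread, not code from the post or from the rpm project; it parses `rpm -v -K` output (both the rpm 4.3-era layout quoted in the post and the `Signature, key ID ...: OK` layout of current rpm) and accepts a package only when every digest and every signature is OK and every signing key is on an allow list. The sample outputs are constructed to imitate the quoted format; the trusted key ID 4f2a6fd2 is the one shown in the post; `check_package` assumes `rpm` is installed.

```python
import re
import subprocess
from dataclasses import dataclass, field

# Constructed sample of `rpm -v -K` output, modelled on the lines quoted in the post.
SIGNED_OK = """zsh-4.2.0-3.i386.rpm:
    Header V3 DSA signature: OK, key ID 4f2a6fd2
    Header SHA1 digest: OK (4bd8d06387d5c7175b60bf200fb84a229d79b7d4)
    MD5 digest: OK (16cc40302ebfd42dc2bc1d7f47cd7ded)
    V3 DSA signature: OK, key ID 4f2a6fd2
"""

# Constructed: digests verify, but the signing key is not in the rpm keyring.
# This is what a package re-signed by a third party looks like.
SIGNED_UNKNOWN_KEY = """fake-update-1.0-1.i386.rpm:
    Header V3 DSA signature: NOKEY, key ID 0123abcd
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    MD5 digest: OK (00000000000000000000000000000000)
    V3 DSA signature: NOKEY, key ID 0123abcd
"""

# Constructed: no signature at all, digests only.
UNSIGNED = """unsigned-1.0-1.i386.rpm:
    Header SHA1 digest: OK (0000000000000000000000000000000000000000)
    MD5 digest: OK (00000000000000000000000000000000)
"""

# Constructed: the layout printed by current rpm releases.
SIGNED_OK_NEW_LAYOUT = """zsh-5.8-1.x86_64.rpm:
    Header V4 RSA/SHA256 Signature, key ID 4f2a6fd2: OK
    Header SHA256 digest: OK
    Payload SHA256 digest: OK
"""

# "Header V3 DSA signature: OK, key ID 4f2a6fd2"   (older rpm, as in the post)
SIG_OLD = re.compile(
    r"^\s*(?P<hdr>Header )?V\d \S+ signature: (?P<status>[^,]+), key ID (?P<kid>[0-9a-f]+)\s*$",
    re.M)
# "Header V4 RSA/SHA256 Signature, key ID 4f2a6fd2: OK"   (current rpm)
SIG_NEW = re.compile(
    r"^\s*(?P<hdr>Header )?V\d \S+ Signature, key ID (?P<kid>[0-9a-f]+): (?P<status>\S.*?)\s*$",
    re.M)
DIGEST = re.compile(r"^\s*(?:Header |Payload )?\S+ digest:\s*(?P<status>OK|NOT OK|BAD)\b", re.M)


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def judge(output: str, trusted_key_ids) -> Verdict:
    """Decide whether `rpm -v -K` output describes an acceptably signed package.

    Rules: at least one signature must be present, every signature and digest
    must report OK, and every signing key ID must be on the allow list.
    """
    trusted = {k.lower() for k in trusted_key_ids}
    reasons = []

    for m in DIGEST.finditer(output):
        if m.group("status") != "OK":
            reasons.append(f"digest status {m.group('status')}: {m.group(0).strip()}")

    sigs = []
    for rx in (SIG_OLD, SIG_NEW):
        for m in rx.finditer(output):
            sigs.append((m.group("status").strip().upper(), m.group("kid").lower()))

    if not sigs:
        reasons.append("no OpenPGP signature present: package is unsigned")
    for status, kid in sigs:
        if status != "OK":
            reasons.append(f"signature status {status} for key ID {kid}")
        elif kid not in trusted:
            reasons.append(f"signed by key ID {kid}, which is not on the allow list")

    return Verdict(ok=not reasons, reasons=reasons)


def check_package(path: str, trusted_key_ids) -> Verdict:
    """Run `rpm -v -K` on a file and judge its output (assumes rpm is installed).

    The exit status alone cannot tell you *which* key signed the package, so the
    parsed output is checked as well.
    """
    proc = subprocess.run(["rpm", "-v", "-K", path], capture_output=True, text=True, check=False)
    verdict = judge(proc.stdout, trusted_key_ids)
    if proc.returncode != 0:
        verdict.ok = False
        verdict.reasons.append(f"rpm exited with status {proc.returncode}")
    return verdict


if __name__ == "__main__":
    for name, sample in [("signed", SIGNED_OK), ("unknown key", SIGNED_UNKNOWN_KEY),
                         ("unsigned", UNSIGNED), ("new layout", SIGNED_OK_NEW_LAYOUT)]:
        v = judge(sample, ["4f2a6fd2"])
        print(f"{name}: {'ACCEPT' if v.ok else 'REJECT'} {v.reasons}")
```

The allow list is the point: importing a key into the rpm keyring turns NOKEY into OK, so a verifier that only looks for the word OK trusts whatever keys happen to have been imported. Pinning the expected key ID (or, better, the full fingerprint from `rpm -q gpg-pubkey` with `--qf '%{summary}\n'`) keeps the decision with you rather than with the keyring's history.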