Should Fedora rpms be signed?

nodata fedora at
Tue Oct 26 13:13:51 UTC 2004

> nodata said:
>>> How?  Would it make you feel better if the fake updates had installed a
>>>  signature first? Or told you that you had to install a new key from
>>> the fake site?  The ONLY thing that signatures tell you is that the RPM
>>> has been signed with a particular key, that's it.
>> An rpm signed by Red Hat tells me that Red Hat signed it.
>> No signature == no install.
> Have you read the fake e-mail?  RPM was never mentioned.  And again, if
> you are falling for an e-mail that has you run an arbitrary script, any
> key can be installed to look like a Red Hat key.

My original post:

"A recent scam involving fake updates to Fedora has highlighted the lack of
signed RPMs for Rawhide" (prev: Fedora Core)

As in: "Red Hat's recent commentary on this has made me check that all
RPMs that Red Hat issues are really from Red Hat".

>> Many of the releases in Rawhide are not signed, why not?
> This has been discussed over and over, so look at the archives.  Basically
> it boils down to the Rawhide RPMs being automatically generated when there
> isn't always someone around to sign them.  Since the whole point of
> Rawhide is to get new bits out the door the choice is made not to hold
> them for a live body to sign them.

Then perhaps rawhide should be signed with a separate key that signs the
packages without a live body.

More information about the test mailing list