rpm --nosignature reversed meaning

Jeffrey Johnson n3npq at me.com
Tue Aug 30 13:04:42 CEST 2016

> If so, rpm should either ignore secondary key or refuse to install such
> joint at all.

RPM *does* ignore secondary keys.

And look carefully at this well-formed pubkey (scroll through the page)


It is not at all clear how to filter crap like this out of pubkeys and refuse to

What RPM does instead is exactly what is requested: It verifies
the CRC in the armor while converting the base64, and pushes
the blob into /var/lib/rpm/Pubkeys.


> On the PLD side - someone has to split the key on FTP (and then in
> rpm.git). Or remove it completely, as apparently noone uses sigs anyway…


Glenn: and this is likely the cause for inability to verify signatures
while doing rpm —verify, so the patch that disables can likely
be removed.

73 de Jeff

More information about the pld-devel-en mailing list