rpm --nosignature reversed meaning

Jeffrey Johnson n3npq at me.com
Tue Aug 30 13:04:42 CEST 2016


> 
> If so, rpm should either ignore secondary key or refuse to install such
> joint at all.
> 

RPM *does* ignore secondary keys.

And look carefully at this well-formed pubkey (scroll through the page)

	http://keys.niif.hu/pks/lookup?op=vindex&search=0x0B7F8B60E3EDFAE3

It is not at all clear how to filter crap like this out of pubkeys and refuse to
import.

What RPM does instead is exactly what is requested: It verifies
the CRC in the armor while converting the base64, and pushes
the blob into /var/lib/rpm/Pubkeys.

WYSIWYG.

> On the PLD side - someone has to split the key on FTP (and then in
> rpm.git). Or remove it completely, as apparently no one uses sigs anyway…
> 

Yes.

Glenn: and this is likely the cause for inability to verify signatures
while doing rpm --verify, so the patch that disables can likely
be removed.

73 de Jeff
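
The armor check described in the message above (the CRC is verified while the base64 is converted), as an added example that is not part of the original message and is not RPM's code. The constants are the CRC-24 parameters from RFC 4880 section 6.1; the function names `crc24`, `armor` and `dearmor` are hypothetical, and the sample blob is constructed.

```python
import base64

CRC24_INIT = 0xB704CE   # RFC 4880 section 6.1
CRC24_POLY = 0x1864CFB

def crc24(data: bytes) -> int:
    """OpenPGP CRC-24 over the decoded (binary) armor payload."""
    crc = CRC24_INIT
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= CRC24_POLY
    return crc & 0xFFFFFF

def armor(blob: bytes) -> str:
    """Wrap a binary blob in ASCII armor (used here to build sample input)."""
    b64 = base64.b64encode(blob).decode()
    rows = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(blob).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "", *rows,
                      "=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"])

def dearmor(text: str) -> bytes:
    """Decode the base64 body and check it against the '=XXXX' CRC line.

    Raises ValueError on a malformed block or a CRC mismatch. Nothing here
    inspects the packets inside the blob.
    """
    lines = [line.strip() for line in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN ") and lines[-1].startswith("-----END ")):
        raise ValueError("missing armor header or footer")
    body = lines[1:-1]
    if "" in body:                      # armor headers end at the first blank line
        body = body[body.index("") + 1:]
    if not body or len(body[-1]) != 5 or not body[-1].startswith("="):
        raise ValueError("missing CRC-24 line")
    expected = int.from_bytes(base64.b64decode(body[-1][1:], validate=True), "big")
    blob = base64.b64decode("".join(body[:-1]), validate=True)
    if crc24(blob) != expected:
        raise ValueError("armor CRC-24 mismatch")
    return blob

if __name__ == "__main__":
    sample = bytes(range(200))          # constructed bytes, not a real pubkey
    print(dearmor(armor(sample)) == sample)
```

Any byte string round-trips through this check, so a passing CRC only shows the armor was not damaged in transit; it says nothing about which packets the blob contains.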



More information about the pld-devel-en mailing list