rpm --nosignature reversed meaning
Tomasz Pala
gotar at polanet.pl
Tue Aug 30 13:47:28 CEST 2016
On Tue, Aug 30, 2016 at 05:56:43 -0400, Jeffrey Johnson wrote:
>> Is there any macro/option that prevents me from installing any unsigned/unverified package?
>
> The question as asked cannot be answered: all (RPM5 built) packages are signed
> and (w/o --nosignatures) the signature will be verified.
>
>> Warning is not enough, I want to be totally sure the verification was done and succeeded.
>
> All BAD signatures will stop RPM (unless --nosignatures has been used).
And how about rejecting unsigned packages? At least without --force or something.
Without this an attacker might put an unsigned package ...and that's it.
With keyservers enabled, an attacker might sign a package with its own
malicious key ...and that's it (that's another reason why I disable hks).
In other words: I want to be sure that each and every package is signed
with one of the locked keys. I can lock keys (disable keyservers), but
still need to enforce using *any* key somehow.
--
Tomasz Pala <gotar at pld-linux.org>
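As an added example (not code from the thread, PLD or RPM), here is one way to enforce "every package is signed by one of the locked keys" from outside rpm: first let `rpm -K` do the cryptographic check against the keys imported in the rpmdb, then read the signature header fields with `rpm -qp --qf` and refuse anything that is unsigned or signed by a key ID outside an explicit allowlist. It assumes the rpm.org 4.x rendering of the `:pgpsig` format (`"RSA/SHA256, <date>, Key ID <hex>"` or `"(none)"`) for the RSAHEADER/DSAHEADER/SIGPGP/SIGGPG tags; an RPM5 build may print these differently, so check `rpm -qp --qf '%{RSAHEADER:pgpsig}' pkg.rpm` on your own system first. The key IDs and sample outputs are constructed.

```python
#!/usr/bin/env python3
"""Gate an RPM install on a valid signature from an explicitly trusted key.

Added example, not from the mailing-list thread. Assumptions:
  * `rpm -K pkg.rpm` exits non-zero on a BAD signature (and, in rpm.org 4.x,
    also when the signing key is not imported, reported as NOT OK / MISSING KEYS);
  * `rpm -qp --qf FORMAT pkg.rpm` prints header fields without installing, and
    the ':pgpsig' format renders a signature tag as e.g.
      "RSA/SHA256, Tue 30 Aug 2016 13:47:28 CEST, Key ID 0a1b2c3d4e5f6071"
    or "(none)" when that tag is absent.
The allowlist below holds constructed key IDs, not real distribution keys.
"""
import re
import subprocess
import sys
from typing import Set, Tuple

# Constructed allowlist of "locked" signing keys; rpm prints lowercase hex,
# so comparison is case-insensitive.
TRUSTED_KEYS: Set[str] = {"0A1B2C3D4E5F6071"}

# Query every signature tag rpm knows about; tags that are absent print "(none)".
SIG_QUERY = (
    "%{RSAHEADER:pgpsig}\n%{DSAHEADER:pgpsig}\n"
    "%{SIGPGP:pgpsig}\n%{SIGGPG:pgpsig}\n"
)

# Accept 8-digit (short) or 16-digit (long) key IDs.
KEY_ID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})")

# Constructed samples of what the SIG_QUERY output may look like.
SAMPLE_SIGNED = (
    "RSA/SHA256, Tue 30 Aug 2016 13:47:28 CEST, Key ID 0a1b2c3d4e5f6071\n"
    "(none)\n"
    "RSA/SHA256, Tue 30 Aug 2016 13:47:28 CEST, Key ID 0a1b2c3d4e5f6071\n"
    "(none)\n"
)
SAMPLE_UNSIGNED = "(none)\n(none)\n(none)\n(none)\n"
SAMPLE_FOREIGN = (
    "RSA/SHA256, Tue 30 Aug 2016 14:00:00 CEST, Key ID ffeeddccbbaa9988\n"
    "(none)\n(none)\n(none)\n"
)


def extract_key_ids(pgpsig_output: str) -> Set[str]:
    """Return the set of (lowercased) key IDs named in the pgpsig output."""
    return {m.lower() for m in KEY_ID_RE.findall(pgpsig_output)}


def decide(pgpsig_output: str, allowlist: Set[str]) -> Tuple[bool, str]:
    """Strict policy: reject unsigned packages and any signature from a key
    that is not in the allowlist. Every key ID found must be trusted."""
    ids = extract_key_ids(pgpsig_output)
    if not ids:
        return False, "unsigned"
    unknown = ids - {k.lower() for k in allowlist}
    if unknown:
        return False, "signed by untrusted key(s): " + ", ".join(sorted(unknown))
    return True, "signed by trusted key(s): " + ", ".join(sorted(ids))


def check_package(path: str, allowlist: Set[str], rpm: str = "rpm") -> Tuple[bool, str]:
    """Run both checks against a real package file (needs rpm installed)."""
    # Step 1: cryptographic verification against the rpmdb's imported keys.
    # rpm -K alone says "OK" for *any* imported key, hence step 2.
    res = subprocess.run([rpm, "-K", path], capture_output=True, text=True)
    if res.returncode != 0:
        return False, "rpm -K failed: " + (res.stdout + res.stderr).strip()
    # Step 2: which key produced the signature, and is it one of ours?
    res = subprocess.run([rpm, "-qp", "--qf", SIG_QUERY, path],
                         capture_output=True, text=True, check=True)
    return decide(res.stdout, allowlist)


if __name__ == "__main__":
    # Usage: verify_rpm_keys.py pkg1.rpm pkg2.rpm ... && rpm -Uvh pkg1.rpm ...
    failed = False
    for pkg in sys.argv[1:]:
        ok, reason = check_package(pkg, TRUSTED_KEYS)
        print(f"{pkg}: {'ACCEPT' if ok else 'REJECT'} ({reason})")
        failed |= not ok
    sys.exit(1 if failed else 0)
```

The script deliberately stops short of installing: chain it with `&& rpm -Uvh ...` so that a single REJECT aborts the whole transaction. Disabling keyservers (hkp auto-import) remains necessary on the rpm side; this wrapper only adds the "unsigned is fatal" and "only these key IDs" rules that the thread asks for.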