rpm --nosignature reversed meaning

Tomasz Pala gotar at polanet.pl
Tue Aug 30 13:47:28 CEST 2016

On Tue, Aug 30, 2016 at 05:56:43 -0400, Jeffrey Johnson wrote:

>> Is there any macro/option that prevents me from installing any unsigned/unverified package?
> The question as asked cannot be answered: all (RPM5 built) packages are signed
> and (w/o ???nosignatures) the signature will be verified.
>> Warning is not enough, I want to be totally sure the verification was done and succeeded.
> All BAD signatures will stop RPM (unless ???no signatures has been used).

And how about rejecting unsigned packages? At least without --force or sth.

Without this an attacker might put unsigned package ...and that's it.

With keyservers enabled, an attacked might sign a package with it's own
malicious key ...and that's it (that's another reason why I disable hks).

In other words: I want to be sure that each and every package is signed
with one of the locked keys. I can lock keys (disable keyservers), but
still need to enforce using *any* key somehow.

Tomasz Pala <gotar at pld-linux.org>

More information about the pld-devel-en mailing list