rpm --nosignature reversed meaning

Jeffrey Johnson n3npq at me.com
Sun Sep 11 21:41:02 CEST 2016


> 
> The usage scenario rpm has to allow:
> 
> 1. rpm -qp unknown.rpm -> signature verification failed,
> 2. rpm -qpilv --scripts --nosignature unknown.rpm -> analyze
> 3. rpm2cpio ... -> content analyze IF required (trusting the vendor)
> 3. rpm --resign unknown.rpm (not with MY key, but some generated)
> 4. rpm -i unknown.rpm
> 

There is nothing stopping the above commands (in exactly that order) if you add

 0. rpm --addsign somekeyid unknown.rpm

when necessary.

In practice, all packages built by rpm5 will already be signed, and all packages
not built by rpm5 are usually signed by some key, which can be distributed, retrieved and imported
however one wishes.

If hkp:// retrieval is enabled, and the key has been uploaded, it will be automatically retrieved
and used.

73 de Jeff
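As an added example (not part of this thread, and not rpm5's or PLD's own tooling), the POSIX shell script below walks through the sequence quoted at the top of the message with the reply's step 0 folded in: verify the signature first, import the vendor key only when the check fails solely because the key is unknown, read the metadata and scriptlets with --nosignature regardless, and install only once verification actually succeeds. It assumes rpm(8) with -K/--checksig, --nosignature and --import, and that a failed check prints "NOT OK" while an unknown key is reported as "MISSING KEYS" or "NOKEY"; those strings differ between rpm versions, so they are assumptions, and the sample `rpm -K` lines (including the key id) are constructed. The `triage_rpm` function and its arguments are hypothetical names.

```shell
#!/bin/sh
# Added example: triage of an unknown .rpm before installation.
# Not code from the thread; rpm output patterns below are assumptions.

# Constructed sample lines in the shape of `rpm -K` output (not real packages).
SAMPLE_OK='unknown.rpm: rsa sha1 (md5) pgp md5 OK'
SAMPLE_NOT_OK='unknown.rpm: RSA sha1 MD5 NOT OK'
SAMPLE_NOKEY='unknown.rpm: RSA sha1 MD5 NOT OK (MISSING KEYS: GPG#0123abcd)'

# checksig_verdict LINE: classify one line of `rpm -K` output.
#   missing_key - signature present but the key is not in the rpmdb
#                 (the case where step 0, --import or --addsign, applies)
#   not_ok      - digest or signature check failed outright
#   ok          - everything reported OK
#   unknown     - unrecognised line
# "MISSING KEYS"/"NOKEY" must be tested before "NOT OK", and "NOT OK"
# before "OK", because each later pattern is a substring of the earlier one.
checksig_verdict() {
    case "$1" in
        *"MISSING KEYS"*|*NOKEY*) echo missing_key ;;
        *"NOT OK"*)               echo not_ok ;;
        *OK*)                     echo ok ;;
        *)                        echo unknown ;;
    esac
}

# overall_verdict: read `rpm -K` output on stdin and report the worst
# verdict seen (not_ok > missing_key > unknown > ok). Empty input is unknown.
overall_verdict() {
    worst=ok
    saw=0
    while IFS= read -r line; do
        saw=1
        v=$(checksig_verdict "$line")
        if [ "$v" = not_ok ]; then
            worst=not_ok
        elif [ "$v" = missing_key ] && [ "$worst" != not_ok ]; then
            worst=missing_key
        elif [ "$v" = unknown ] && [ "$worst" = ok ]; then
            worst=unknown
        fi
    done
    if [ "$saw" -eq 1 ]; then
        echo "$worst"
    else
        echo unknown
    fi
}

# triage_rpm PKG [KEYFILE]: the thread's sequence, with step 0 from the reply.
# Hypothetical wrapper; --import needs write access to the rpmdb.
triage_rpm() {
    pkg="$1"
    key="${2:-}"   # optional path to the vendor's public key

    # Step 1: does the signature verify against keys already in the rpmdb?
    verdict=$(rpm -K "$pkg" 2>&1 | overall_verdict)

    # Step 0 (from the reply): the key is merely unknown, so import it and
    # check again. With hkp:// retrieval enabled rpm may fetch it itself.
    if [ "$verdict" = missing_key ] && [ -n "$key" ]; then
        rpm --import "$key"
        verdict=$(rpm -K "$pkg" 2>&1 | overall_verdict)
    fi

    # Step 2: metadata and scriptlets can be read without trusting the
    # signature; this is what --nosignature is for.
    rpm -qpilv --scripts --nosignature "$pkg"

    # Step 4: install only on a clean verdict. Printed rather than run here
    # so the script never installs anything by itself.
    if [ "$verdict" = ok ]; then
        echo "signature verified; next step: rpm -i $pkg"
        return 0
    fi
    echo "verdict=$verdict; not installing $pkg" >&2
    return 1
}
```

Run it as `. ./triage.sh; triage_rpm unknown.rpm vendor-key.asc` on a host with rpm; the two classifier functions need no rpm and are what the sample lines exercise.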


More information about the pld-devel-en mailing list