[Rpm-metadata] detached gpg signature on repomd.xml

Jeff Johnson n3npq at mac.com
Mon Aug 28 12:36:46 UTC 2006


On Aug 28, 2006, at 3:18 AM, Florian La Roche wrote:

> On Sat, Aug 26, 2006 at 12:30:18PM -0400, seth vidal wrote:
>> Hi folks,
>>  as a result of a rather lengthy and ranging discussion elsewhere it
>> came out that a gpg signature of repomd.xml would heighten the security
>> of using this type of repository.
>
> Ack, that would be useful. From repomd.xml we get sha1 for the other
> repository data and primary.xml contains sha1 for all rpm packages.
>

That is a workable trust model for yum iff the package sha1 is checked
before any data from the package is used.

Please remember to verify the package sha1, using data from signed
repomd.xml, before using any other information from the *.rpm package.
That is the only logically consistent implementation that I am aware of.

73 de Jeff
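The ordering Jeff describes (signed repomd.xml vouches for primary.xml, primary.xml vouches for the package, and no package byte is read until its sha1 matches) as an added example, not code from this thread or from yum; `gpg_verify` is an assumed stand-in for the detached-signature check, and the repository data is constructed inline.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"
COMMON_NS = "{http://linux.duke.edu/metadata/common}"


def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()


def verify_chain(repomd: bytes, primary: bytes, package: bytes, href: str, gpg_verify) -> bool:
    """Walk repomd.xml -> primary.xml -> package, refusing at the first broken link.

    gpg_verify(repomd) is an assumed stand-in for checking the detached
    signature on repomd.xml against a trusted key. Nothing below repomd.xml
    is trusted until that passes, and the package is not opened at all
    until its sha1 matches the one the signed chain carries.
    """
    if not gpg_verify(repomd):
        return False  # untrusted repomd.xml: everything it points to is untrusted too
    primary_sha1 = None
    for data in ET.fromstring(repomd).iter(REPO_NS + "data"):
        if data.get("type") == "primary":
            primary_sha1 = data.findtext(REPO_NS + "checksum")
    if primary_sha1 is None or not hmac.compare_digest(sha1_hex(primary), primary_sha1):
        return False  # primary.xml is not the file repomd.xml was signed for
    pkg_sha1 = None
    for pkg in ET.fromstring(primary).iter(COMMON_NS + "package"):
        loc = pkg.find(COMMON_NS + "location")
        if loc is not None and loc.get("href") == href:
            pkg_sha1 = pkg.findtext(COMMON_NS + "checksum")
    if pkg_sha1 is None or not hmac.compare_digest(sha1_hex(package), pkg_sha1):
        return False  # package bytes differ from what the signed metadata vouches for
    return True  # only now may headers or payload be read from the package


# Constructed sample repository (not a real rpm, not real metadata).
PACKAGE = b"constructed rpm bytes"
HREF = "example-1.0-1.noarch.rpm"
PRIMARY = (
    '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
    '<package type="rpm"><name>example</name>'
    f'<checksum type="sha1" pkgid="YES">{sha1_hex(PACKAGE)}</checksum>'
    f'<location href="{HREF}"/></package></metadata>'
).encode()
REPOMD = (
    '<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
    f'<checksum type="sha1">{sha1_hex(PRIMARY)}</checksum>'
    '<location href="repodata/primary.xml"/></data></repomd>'
).encode()


def trusted_signature(_repomd: bytes) -> bool:
    return True  # assumed stand-in for a successful detached GPG verification
```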
