[Yum] gpg sig checking

seth vidal skvidal at phy.duke.edu
Fri Apr 11 05:55:08 UTC 2003


> I would find it helpful if you could tell us what practical impact
> this would have on user/admins.  What happens if some packages aren't signed?
> What would users/admins have to do to make sure the appropriate sigs
> are present?  Can this be anabled/disable per-repository (I could
> probably read the docs for that one)?
> 
> Basically, I suspect most of us understand the _security_ implications
> of signed packages.  I don't have a feel for the hassle factor,
> though.


well the idea would be that gpgcheck = 1 would be the default in the
program defaults so if gpgcheck was unset it would default to on for
each repository (currently it defaults to off)

Then if a user turned it off then they'd get a warning message when that
repository was accessed (processed in the config file more likely)

keys are easy -  just rpm --import publickey

if you have an unsigned pkg in a repository where things are expected to
be signed then an error occurs when you attempt to install that pkg.

does that make sense?

-sv





More information about the Yum mailing list