[Yum] gpg sig checking
skvidal at phy.duke.edu
Fri Apr 11 05:55:08 UTC 2003
> I would find it helpful if you could tell us what practical impact
> this would have on user/admins. What happens if some packages aren't signed?
> What would users/admins have to do to make sure the appropriate sigs
> are present? Can this be anabled/disable per-repository (I could
> probably read the docs for that one)?
> Basically, I suspect most of us understand the _security_ implications
> of signed packages. I don't have a feel for the hassle factor,
well the idea would be that gpgcheck = 1 would be the default in the
program defaults so if gpgcheck was unset it would default to on for
each repository (currently it defaults to off)
Then if a user turned it off then they'd get a warning message when that
repository was accessed (processed in the config file more likely)
keys are easy - just rpm --import publickey
if you have an unsigned pkg in a repository where things are expected to
be signed then an error occurs when you attempt to install that pkg.
does that make sense?
More information about the Yum