gpgcheck in smart
Mark Hatle
mark.hatle at windriver.com
Mon Aug 10 11:47:14 PDT 2015
On 8/10/15 1:10 PM, Divya Vyas wrote:
> If rpm verifies the gpg signature and it does not match or the key is not available,
> then will it give a warning or error/quit?
By default it will warn that it's not available. But by default -all- RPM 5 packages
contain unvalidated signatures. So it's only a problem if you have signed the
packages yourself... then you need to ensure the key is loaded before you go to
install them. Also when you sign you want to -add- a signature, not replace it.
If you replace the built-in sig, then you have prevented the first stage
validation from occurring if the signature is not available in the RPM DB.
--Mark
> On Mon, Aug 10, 2015 at 9:03 PM, Mark Hatle <mark.hatle at windriver.com> wrote:
>
> On 8/10/15 2:22 AM, Divya Vyas wrote:
> > Hi,
> >
> > I am adding an rpm-md type channel in smart channels. I want to verify the gpg
> > signature for rpms coming from the smart tool. How can I do that? For yum I can add
> > gpgcheck=1 in the configuration file. Here, the smart tool's /var/lib/smart/config is
> > a converted file, hence I cannot directly add it there.
> >
> > Is there any command line way to add it? If I do gpgcheck=1 what will happen?
>
> RPM(5) always verifies the signatures before allowing an installation. So while
> smart may download something that has not been verified and pass it to RPM,
> RPM(5) will verify it before installation... (and before reading additional
> metadata preventing corrupted RPMs from doing bad things...)
>
> --Mark
>
> > Thanks,
> > Divya Vyas
> >
> >
>
>