nodata said:
How? Would it make you feel better if the fake updates had installed a signature first? Or told you that you had to install a new key from the fake site? The ONLY thing that signatures tell you is that the RPM has been signed with a particular key, that's it.
An rpm signed by Red Hat tells me that Red Hat signed it. No signature == no install.
Have you read the fake e-mail? RPM was never mentioned. And again, if you are falling for an e-mail that has you run an arbitrary script, any key can be installed to look like a Red Hat key.
My original post:
"A recent scam involving fake updates to Fedora has highlighted the lack of signed RPMs for Rawhide" (prev: Fedora Core)
As in: "Red Hat's recent commentary on this has made me check that all RPMs that Red Hat issues are really from Red Hat".
Many of the releases in Rawhide are not signed, why not?
This has been discussed over and over, so look at the archives. Basically it boils down to the Rawhide RPMs being automatically generated when there isn't always someone around to sign them. Since the whole point of Rawhide is to get new bits out the door the choice is made not to hold them for a live body to sign them.
Then perhaps Rawhide should be signed with a separate key that signs the packages without a live body.
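As an added illustration of the "no signature == no install" rule debated above (not code from the thread or from the rpm project), this Python reads the signature header of an RPM image and reports whether any OpenPGP signature tag is present. The lead and header layout and the tag numbers (267 DSA, 268 RSA, 1002 PGP, 1005 GPG) follow rpm's on-disk format; the sample image is constructed inline by `build_rpm_image`, which is a hypothetical helper for testing, not a real package.

```python
import struct

# On-disk constants from rpm's lead.h / rpmtag.h
LEAD_SIZE = 96
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"      # header magic followed by header version 1
RPM_BIN_TYPE = 7
# Signature-header tags that carry an OpenPGP signature over the package
SIG_TAGS = {267: "DSA", 268: "RSA", 1002: "PGP", 1005: "GPG"}

def parse_signature_header(blob: bytes) -> dict:
    """Return {tag: raw bytes} for every BIN entry in the signature header."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM image: bad lead magic")
    off = LEAD_SIZE
    if blob[off:off + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", blob[off + 8:off + 16])  # after 4 reserved bytes
    idx_start = off + 16
    store_start = idx_start + 16 * nindex
    store = blob[store_start:store_start + hsize]
    if len(store) != hsize:
        raise ValueError("truncated signature header")
    entries = {}
    for i in range(nindex):
        tag, typ, doff, count = struct.unpack(">IIII", blob[idx_start + 16 * i:idx_start + 16 * i + 16])
        if typ == RPM_BIN_TYPE:          # for BIN entries, count is the byte length
            entries[tag] = store[doff:doff + count]
    return entries

def signature_kinds(blob: bytes) -> list:
    """Names of the signature tags present, e.g. ['RSA']; empty for an unsigned package."""
    return sorted(SIG_TAGS[t] for t in parse_signature_header(blob) if t in SIG_TAGS)

def admit(blob: bytes) -> bool:
    """The thread's rule: no signature == no install. This is a presence check only;
    whether the signing key is one you trust is a separate verification step."""
    return bool(signature_kinds(blob))

def build_rpm_image(sig_entries: dict) -> bytes:
    """Construct a minimal RPM image (lead + signature header only) as test data.
    Hypothetical helper for this example, not a real package."""
    index = store = b""
    for tag, data in sig_entries.items():
        index += struct.pack(">IIII", tag, RPM_BIN_TYPE, len(store), len(data))
        store += data
    header = HEADER_MAGIC + bytes(4) + struct.pack(">II", len(sig_entries), len(store))
    return LEAD_MAGIC + bytes(LEAD_SIZE - 4) + header + index + store
```

A package carrying only the size and MD5 tags (1000, 1004) is what an unsigned Rawhide build looks like at this level, and `admit` rejects it; any real installer must go further and verify the signature bytes against a key it already trusts.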