On Fri, 5 Nov 2004, seth vidal wrote:
The current model is that they're all the same. Look at our tools; look at yum and up2date. They don't know anything about which key is which, just which key you've said you trust (not even what you trust it for, or how much). The only real difference, and certainly the only one in the minds of the vast majority of our users, is that one comes in rpm's key list by default and one does not.
What is in rpm's key list by default? I thought the user does an explicit 'rpm --import'
An RFE for yum has been to provide a list of gpg keyids that are valid per-repository.
So then the gpgcheck process would be:
- check if the sig exists
- check if the sig is valid
- if both are true, check to see if the keyid matches on the allowed keyid for packages from that repo.
A couple of questions here.
- What key is used for this purpose (to sign the metadata)?
- Where does the user store this public key?
- What prevents the clueless users from having the same expectation from a gpg-signed metadata-repo as they have with gpg-signed packages?
thanks, Satish
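The three-step gpgcheck that the RFE describes (signature present, signature valid under a trusted key, keyid allowed for that repository), as an added example that is not yum's code and not part of the thread. It uses Go's standard-library ed25519 in place of GPG, a constructed keyid scheme (truncated SHA-256 of the public key, not an OpenPGP fingerprint), and constructed package bytes; the package, keyring and policy types are assumptions made for the example. The point it shows is the one the thread is circling: with one flat list of trusted keys, a package in the "extras" repo signed by the "base" key passes; with a per-repo allowlist it is rejected even though the key is trusted.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Package is a constructed stand-in for an rpm plus its detached signature.
// KeyID is the id of the key the signature claims; an empty Sig means unsigned.
type Package struct {
	Repo  string
	Name  string
	Data  []byte
	KeyID string
	Sig   []byte
}

// Keyring holds the public keys the user has imported, indexed by keyid.
// This mirrors the "one flat list of trusted keys" model the thread describes.
type Keyring map[string]ed25519.PublicKey

// RepoPolicy maps a repository name to the keyids allowed to sign its packages
// (the per-repository allowlist the RFE asks for). A repo with no entry falls
// back to the flat-keyring behaviour.
type RepoPolicy map[string][]string

// Verdict is the gpgcheck outcome plus the reason, so a log line can say why.
type Verdict struct {
	OK     bool
	Reason string
}

// keyIDOf derives a short id from a public key. This is a constructed scheme
// for the example; real GPG keyids come from the OpenPGP fingerprint.
func keyIDOf(pub ed25519.PublicKey) string {
	sum := sha256.Sum256(pub)
	return hex.EncodeToString(sum[:8])
}

// CheckPackage applies the three steps from the thread in order:
// signature present, signature valid under a trusted key, key allowed for repo.
func CheckPackage(pkg Package, ring Keyring, policy RepoPolicy) Verdict {
	if pkg.KeyID == "" || len(pkg.Sig) == 0 {
		return Verdict{false, "unsigned package"}
	}
	pub, known := ring[pkg.KeyID]
	if !known {
		return Verdict{false, "signed by a key that is not in the keyring"}
	}
	if !ed25519.Verify(pub, pkg.Data, pkg.Sig) {
		return Verdict{false, "signature does not verify"}
	}
	allowed, scoped := policy[pkg.Repo] // nil policy: no repo is scoped
	if !scoped {
		return Verdict{true, "valid signature by a trusted key (no per-repo policy)"}
	}
	for _, id := range allowed {
		if id == pkg.KeyID {
			return Verdict{true, "valid signature by a key allowed for " + pkg.Repo}
		}
	}
	return Verdict{false, "key " + pkg.KeyID + " is trusted but not allowed for " + pkg.Repo}
}

// Demo builds two signing keys (one per repo), signs a package destined for the
// "extras" repo with the "base" key, and returns verdicts for that package under
// the flat model and the per-repo policy, plus a tampered and an unsigned case.
// Keys and package bytes are constructed for the example.
func Demo() (map[string]Verdict, error) {
	basePub, basePriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	extrasPub, _, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	baseID, extrasID := keyIDOf(basePub), keyIDOf(extrasPub)

	ring := Keyring{baseID: basePub, extrasID: extrasPub}
	policy := RepoPolicy{"base": {baseID}, "extras": {extrasID}}

	data := []byte("constructed package payload")
	crossSigned := Package{Repo: "extras", Name: "foo-1.0", Data: data, KeyID: baseID, Sig: ed25519.Sign(basePriv, data)}
	tampered := crossSigned // right repo for the key, but the payload was changed after signing
	tampered.Repo = "base"
	tampered.Data = []byte("constructed package payload, modified")
	unsigned := Package{Repo: "base", Name: "bar-2.0", Data: data}

	return map[string]Verdict{
		"cross-repo, flat keyring":    CheckPackage(crossSigned, ring, nil),
		"cross-repo, per-repo policy": CheckPackage(crossSigned, ring, policy),
		"tampered, per-repo policy":   CheckPackage(tampered, ring, policy),
		"unsigned":                    CheckPackage(unsigned, ring, policy),
	}, nil
}

func main() {
	verdicts, err := Demo()
	if err != nil {
		panic(err)
	}
	for name, v := range verdicts {
		fmt.Printf("%-28s ok=%-5v %s\n", name, v.OK, v.Reason)
	}
}
```

The fallback in CheckPackage (no policy entry means any trusted key is accepted) is deliberate so the check can be rolled out one repository at a time; a stricter deployment would treat a missing entry as a rejection.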