On Fri, 5 Nov 2004, seth vidal wrote:
> This is just based on keys in your rpmdb.
> The idea is this:
> if you have 3 repos available to yum.
> They are signed with 3 separate gpg keys. So you've imported all the keys into your rpmdb. The whole point of the feature I described before is so you can say:
> the only packages I want from this repository are signed with _this_ key. If you get a package from this repository that is signed with any other key, even if I have that key in my rpmdb, don't trust it.
Ok - here you are saying EACH package is signed. And this package signature is the one that's compared.
The inferences I get from the above are:
- all packages from all repos should be signed (ideally)
- if an unsigned package is part of the dep-resolve list - then yum just aborts the transaction
- (Obviously - the main feature) if the 'key' doesn't match the one specified for this repo in yum.conf - the transaction is aborted.
I do like this new feature. A couple of questions remain.
- Where does signing 'metadata' fit in here?
- And this scheme would require rawhide packages also to be signed with some key. (or am I misreading this?)
thanks, Satish
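The per-repository key rule Seth describes, and the three inferences drawn from it (unsigned package, key not in the rpmdb, trusted key but wrong for this repo), worked through as a small policy model. This is an added example written for this thread, not yum's own code: the repository names, key ids, the `REPO_REQUIRED_KEY` mapping standing in for a per-repo yum.conf setting, and the sample transaction are all constructed.

```python
# Added example (not yum's code): a toy model of the per-repository
# signing-key policy discussed in the thread. All names and values are
# constructed for illustration.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Package:
    name: str
    repo: str
    signer_keyid: Optional[str]  # None means the package is unsigned

# Constructed: the gpg keys that have been imported into the local rpmdb.
RPMDB_KEYS = {"KEY-A", "KEY-B", "KEY-C"}

# Constructed: the key each repository is allowed to use, standing in for
# the hypothetical per-repo key setting in yum.conf.
REPO_REQUIRED_KEY = {"base": "KEY-A", "updates": "KEY-B", "extras": "KEY-C"}

def check_package(pkg, repo_required_key, rpmdb_keys):
    """Return None if the package is acceptable, otherwise a reason string."""
    if pkg.signer_keyid is None:
        return f"{pkg.name}: unsigned package from repo '{pkg.repo}'"
    if pkg.signer_keyid not in rpmdb_keys:
        # The signature cannot even be verified without the key.
        return f"{pkg.name}: signed with {pkg.signer_keyid}, which is not in the rpmdb"
    required = repo_required_key.get(pkg.repo)
    if required is None:
        return f"{pkg.name}: repo '{pkg.repo}' has no required key configured"
    if pkg.signer_keyid != required:
        # The key may be trusted in the rpmdb (it belongs to another repo),
        # but the whole point of the policy is that it is still rejected here.
        return (f"{pkg.name}: signed with {pkg.signer_keyid} but repo "
                f"'{pkg.repo}' requires {required}")
    return None

def check_transaction(packages, repo_required_key=REPO_REQUIRED_KEY,
                      rpmdb_keys=RPMDB_KEYS):
    """Evaluate every package in the dep-resolved set.

    Returns (ok, reasons). ok is False if any single package fails, which
    mirrors the abort-the-whole-transaction behaviour described in the thread.
    """
    reasons = [r for r in (check_package(p, repo_required_key, rpmdb_keys)
                           for p in packages) if r]
    return (not reasons, reasons)

# Constructed sample transaction exercising each case.
SAMPLE_TRANSACTION = [
    Package("foo", "base", "KEY-A"),     # correct key for its repo
    Package("bar", "updates", "KEY-A"),  # trusted key, but wrong for 'updates'
    Package("baz", "extras", None),      # unsigned
]

if __name__ == "__main__":
    ok, reasons = check_transaction(SAMPLE_TRANSACTION)
    print("proceed" if ok else "abort")
    for r in reasons:
        print("  ", r)
```

Run as-is it reports "abort" with two reasons: `bar` is signed with a key the rpmdb trusts but not the one configured for its repository, and `baz` is unsigned; `foo` passes. Checking the rpmdb before the per-repo comparison keeps the two failure modes distinct in the report, which is what an operator needs to tell a missing key import apart from a genuinely misrouted package.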