Changes between Version 2 and Version 3 of SecuredRemoteData

Author: james (IP: 65.172.155.230)
Timestamp: 01/20/11 17:28:54 (7 years ago)
Comment: Add note about GPG signed packaging problems

  • SecuredRemoteData

    v2 v3  
    1212 
    1313=== GPG keys for packages === 
     14 
     15The main point to understand about GPG checking for packages is that the GPG signature is embedded within the package, and the GPG keys are stored in the rpmdb. There is no secure API to ask "What key is package X signed with" you can only ask "Is package X signed with a key in the rpmdb" and "Does key Y exist in the rpmdb". 
     16Also note that this means that a package can only be signed by one key, and that changing the signature changes the packages. 
    1417 
    1518Yum-3.2.29 performs a number of steps when it downloads a package from a repository configured with "gpgcheck = true" (the default).
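
Review bot: The added sentence at v3 line 15 runs two clauses together with no punctuation between them ('... signed with" you can only ask ...'); end the sentence after the first quoted question or join the clauses with a semicolon. On v3 line 16, "changing the signature changes the packages" should be singular ("changes the package"). The commit comment calls these "problems", but the added text states only the limitations, so it would help to add one sentence saying what the embedded signature and the rpmdb-only key lookup mean for the gpgcheck steps that the next paragraph introduces.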