On Mon, Dec 30, 2002 at 09:42:37PM +0100, Ralf S. Engelschall wrote:
> On Mon, Dec 30, 2002, Matthias Kurz wrote:
>
> > When I try to verify the pgp signature of a src.rpm, I always get
> > "MD5 sum OK: ...." - nothing with pgp.
> > E.g.:
> > rpm -v --checksig mutt-1.4i-20021230.src.rpm
> > mutt-1.4i-20021230.src.rpm:
> > MD5 sum OK: cd03b408c67b07ac7720cae8ee02e246
> >
> > I installed gpg, imported the pgp public key and set "$_signature pgp"
> > in my $HOME/.rpmmacros.
> >
> > What am I doing wrong?
>
> Only RPMs of OpenPKG _releases_ are signed. The OpenPKG-CURRENT RPMs
> are not signed -- mainly because signing requires the OpenPKG master
> key which is not available all the time while developers are working
> on OpenPKG-CURRENT packages. It is only available in the release
> engineering process.

So, how can one validate a "current" package? MD5 sums _in_ the package
do not look very secure to me :)
Especially, what about openpkg-*.src.sh?

   (mk)

-- 
Matthias Kurz; Fuldastr. 3; D-28199 Bremen; VOICE +49 421 53 600 47
   >> In the premotor cortex, anyone can be a hero. (bdw) <<
______________________________________________________________________
The OpenPKG Project                                    www.openpkg.org
User Communication List                               [EMAIL PROTECTED]
