On Mon, Dec 30, 2002, Matthias Kurz wrote:
> > > When I try to verify the PGP signature of a src.rpm, I always get
> > > "MD5 sum OK: ...." - nothing with PGP.
> > > E.g.:
> > > rpm -v --checksig mutt-1.4i-20021230.src.rpm
> > > mutt-1.4i-20021230.src.rpm:
> > > MD5 sum OK: cd03b408c67b07ac7720cae8ee02e246
> > >
> > > I installed gpg, imported the pgp public key and set "$_signature pgp"
> > > in my $HOME/.rpmmacros.
> > >
> > > What am I doing wrong?
> >
> > Only RPMs of OpenPKG _releases_ are signed. The OpenPKG-CURRENT RPMs
> > are not signed -- mainly because signing requires the OpenPKG master
> > key which is not available all the time while developers working
> > on OpenPKG-CURRENT packages. It is only available in the release
> > engineering process.
>
> So, how can one validate a "current" package? MD5 sums _in_ the package
> do not look very secure to me :)
Yes, sorry, OpenPKG-CURRENT packages currently cannot be verified at all.
But perhaps we should create a less-secured GPG sub-key just for signing
the OpenPKG-CURRENT packages on the FTP server?
> Especially, what about openpkg-*.src.sh ?
This is just a shell script; you cannot easily add a signature!?
Ralf S. Engelschall
[EMAIL PROTECTED]
______________________________________________________________________
The OpenPKG Project www.openpkg.org
User Communication List [EMAIL PROTECTED]
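The point Matthias raises above (an MD5 sum stored inside the package only proves the package is self-consistent, not that it came from the OpenPKG release engineers) and Ralf's suggestion of a separate, less-secured sub-key for OpenPKG-CURRENT can both be illustrated with a small model. The following is an added example written for this thread, not code from OpenPKG or rpm: the "package" is a constructed dict, and an HMAC under a key that the FTP mirror never holds stands in for the GPG signature. Names such as MASTER_KEY, CURRENT_SUBKEY and repackage() are assumptions of the example only.

```python
import hashlib
import hmac

# Constructed stand-ins for the two keys discussed in the thread (assumption:
# real OpenPKG signing uses GPG keys; HMAC-SHA256 models a signature here).
MASTER_KEY = b"constructed-openpkg-release-master-key"
CURRENT_SUBKEY = b"constructed-openpkg-current-subkey"


def build_package(payload: bytes) -> dict:
    """Model of an unsigned src.rpm: payload plus an embedded MD5 of the payload."""
    return {"payload": payload, "md5": hashlib.md5(payload).hexdigest()}


def checksig_md5_only(pkg: dict) -> bool:
    """What 'rpm --checksig' can do without a signature: recompute the MD5
    of the payload and compare it with the MD5 stored in the package."""
    return hmac.compare_digest(hashlib.md5(pkg["payload"]).hexdigest(), pkg["md5"])


def sign_package(pkg: dict, key: bytes) -> dict:
    """Release engineering step: attach an authenticator over the payload
    computed with a key that is not present on the distribution server."""
    signed = dict(pkg)
    signed["sig"] = hmac.new(key, pkg["payload"], hashlib.sha256).hexdigest()
    return signed


def verify_signed(pkg: dict, key: bytes) -> bool:
    """Verifier side: a package with no signature, a signature over different
    contents, or a signature made with a different key all fail."""
    if "sig" not in pkg:
        return False
    expected = hmac.new(key, pkg["payload"], hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, pkg["sig"])


def repackage(pkg: dict, new_payload: bytes) -> dict:
    """Model of a package regenerated with different contents by a party that
    does not hold the key (e.g. a mirror serving a modified file). The embedded
    MD5 is simply recomputed, which is why it carries no authenticity."""
    rebuilt = dict(pkg)
    rebuilt["payload"] = new_payload
    rebuilt["md5"] = hashlib.md5(new_payload).hexdigest()
    return rebuilt


def demo() -> dict:
    """Run the scenarios from the thread and return the outcome of each check."""
    original = build_package(b"constructed mutt-1.4i source tarball bytes")
    release = sign_package(original, MASTER_KEY)        # what a _release_ gets
    current = sign_package(original, CURRENT_SUBKEY)    # Ralf's sub-key proposal
    modified = repackage(release, b"constructed different tarball bytes")
    return {
        "unsigned_md5_ok": checksig_md5_only(original),
        "unsigned_sig_ok": verify_signed(original, MASTER_KEY),
        "release_sig_ok": verify_signed(release, MASTER_KEY),
        "modified_md5_ok": checksig_md5_only(modified),   # still "MD5 sum OK"
        "modified_sig_ok": verify_signed(modified, MASTER_KEY),
        "current_with_subkey_ok": verify_signed(current, CURRENT_SUBKEY),
        "current_with_master_ok": verify_signed(current, MASTER_KEY),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The modified package still reports "MD5 sum OK" because the sum travels with the data, while the signature check fails for it; and a package signed with the CURRENT sub-key verifies only against that sub-key, so a user who trusts only the release master key would still reject CURRENT packages, which is the trade-off a separate sub-key implies.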