On Sat, Jan 21, 2012 at 2:48 PM, kachelaqa <[email protected]> wrote:
> On 21/01/12 19:57, Dan McGee wrote:
>>
>> On Sat, Jan 21, 2012 at 12:45 PM, kachelaqa<[email protected]> wrote:
>>>
>>> I'm still trying to get to grips with package signing, so this question
>>> may not make complete sense, but:
>>>
>>> Is there a way to check whether the signature was verified when a package
>>> was installed?
>>
>> No. However, -Si shows the presence of a signature and the various
>> checksums (MD5, SHA256) in the database.
>
>
> Okay, thanks.
>
> Can I ask why this is? I would have expected there to be at least a log
> message somewhere.

It is a debug level message if one cares to look there. Obviously this
isn't all that helpful for the general end user though.

> ISTM that many users might want to know which installed packages on their
> systems have verified signatures, and which ones not. Would they be
> misguided in seeking that information?

Not misguided, but not something we currently track or anything. I
don't think we'd be against tracking this in some sort of
%VERIFICATION% field or something in the database; this could store
something like "md5", "sha256", "pgp", "none", etc. But it isn't
something we are likely to sit down and code; patches definitely
welcome.

-Dan
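
A sketch of the audit such a field would make possible, added here as an example and not part of the original thread or of pacman's code. It assumes a `%VERIFICATION%` section, which is only proposed in the message above, stored in the `%FIELD%` / value lines / blank line layout of the local database `desc` files; the sample entries and the category names are constructed.

```python
from collections import defaultdict

# Constructed sample entries. %VERIFICATION% is the hypothetical field
# proposed in the thread, holding values such as "md5", "sha256", "pgp", "none".
SAMPLE_DESCS = [
    "%NAME%\nexample-a\n\n%VERSION%\n1.0-1\n\n%VERIFICATION%\npgp\n",
    "%NAME%\nexample-b\n\n%VERSION%\n2.3-1\n\n%VERIFICATION%\nmd5\nsha256\n",
    "%NAME%\nexample-c\n\n%VERSION%\n0.9-2\n\n%VERIFICATION%\nnone\n",
    "%NAME%\nexample-d\n\n%VERSION%\n4.1-1\n",  # no verification recorded
]

def parse_desc(text):
    """Parse one desc entry into {FIELD: [value lines]}."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            current = None  # a blank line ends the current section
        elif current is None and len(line) > 2 and line[0] == "%" and line[-1] == "%":
            current = line[1:-1]
            fields[current] = []
        elif current is not None:
            fields[current].append(line)
    return fields

def classify(fields):
    """Map the recorded methods to an audit category (names are assumptions)."""
    methods = set(fields.get("VERIFICATION", []))
    if not methods:
        return "unknown"        # field absent: nothing was recorded
    if "pgp" in methods:
        return "signature"      # a PGP signature was checked
    if methods & {"md5", "sha256"}:
        return "checksum-only"  # integrity checked, but no signature
    return "unverified"         # "none" or an unrecognised value

def audit(descs):
    """Group package names by how their installation was verified."""
    report = defaultdict(list)
    for text in descs:
        fields = parse_desc(text)
        name = (fields.get("NAME") or ["<unnamed>"])[0]
        report[classify(fields)].append(name)
    return dict(report)

if __name__ == "__main__":
    for category, names in sorted(audit(SAMPLE_DESCS).items()):
        print(f"{category}: {', '.join(names)}")
```

Treating a missing field as "unknown" rather than "unverified" keeps packages with no recorded verification distinct from those recorded as "none".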
