On Tue, Aug 30, 2016 at 05:56:43 -0400, Jeffrey Johnson wrote:
>> Is there any macro/option that prevents me from installing any
>> unsigned/unverified package?
>
> The question as asked cannot be answered: all (RPM5 built) packages are signed
> and (w/o --nosignatures) the signature will be verified.
>
>> Warning is not enough, I want to be totally sure the verification was done
>> and succeeded.
>
> All BAD signatures will stop RPM (unless --nosignatures has been used).

And how about rejecting unsigned packages? At least without --force or sth.
Without this an attacker might put an unsigned package ...and that's it.

With keyservers enabled, an attacker might sign a package with its own
malicious key ...and that's it (that's another reason why I disable hks).

In other words: I want to be sure that each and every package is signed with
one of the locked keys. I can lock keys (disable keyservers), but still need
to enforce using *any* key somehow.

-- 
Tomasz Pala <go...@pld-linux.org>