> The usage scenario rpm has to allow:
>
> 1. rpm -qp unknown.rpm -> signature verification failed,
> 2. rpm -qpilv --scripts --nosignature unknown.rpm -> analyze
> 3. rpm2cpio ... -> content analyze IF required (trusting the vendor)
> 3. rpm --resign unknown.rpm (not with MY key, but some generated)
> 4. rpm -i unknown.rpm
>
There is nothing stopping the above commands (in exactly that order) if you add

0. rpm --addsign somekeyid unknown.rpm

when necessary. In practice, all packages built by rpm5 will already be signed, and all packages not built by rpm5 are usually signed by some key, which can be distributed, retrieved and imported however one wishes. If hkp:// retrieval is enabled, and the key has been uploaded, it will be automatically retrieved and used.

73 de Jeff
_______________________________________________
pld-devel-en mailing list
pld-devel-en@lists.pld-linux.org
http://lists.pld-linux.org/mailman/listinfo/pld-devel-en