> An additional thing, once a key is revoked by a distro (for whatever reason), 
> they usually sign new rpms with the new key. However it does not mean that 
> the older rpms signed by the old key are no longer secure to use. Unless 
> of course the old key has been compromised by the attacker and they sign 
> malicious rpms with that.
> 
I mean the rpms signed before the key was revoked.
> So if revocation makes all the installed rpms seem to be signed with the 
> wrong key, then that could be a problem.
> 
> Therefore there is some amount of onus on the administrator/user as well.
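An administrator-side audit of the point made above, as an added example that is not part of the thread: it parses constructed output in the shape of `rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'` (the package names, key ids and revocation date are all made up) and separates packages signed with a revoked key before the revocation from those signed after it.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout rpm's pgpsig format prints
# ("<algo>, <date>, Key ID <id>"); no real packages or keys.
SAMPLE_RPM_OUTPUT = """\
foo-1.2-3.el8 RSA/SHA256, Mon 01 Feb 2021 10:00:00 AM UTC, Key ID 0123456789abcdef
bar-2.0-1.el8 RSA/SHA256, Tue 01 Jun 2021 09:30:00 AM UTC, Key ID 0123456789abcdef
baz-0.9-5.el8 RSA/SHA256, Wed 02 Jun 2021 11:15:00 AM UTC, Key ID fedcba9876543210
qux-3.1-1.el8 (none)
"""

# Hypothetical revocation record: key id -> UTC time the distro revoked it.
REVOKED_KEYS = {"0123456789abcdef": datetime(2021, 5, 1, tzinfo=timezone.utc)}

SIG_RE = re.compile(r"^(?P<pkg>\S+) \S+, (?P<date>.+?), Key ID (?P<keyid>[0-9a-f]+)$")


def parse_sig_date(text):
    """Parse rpm's English-locale signature timestamp as UTC."""
    naive = datetime.strptime(text, "%a %d %b %Y %I:%M:%S %p %Z")
    return naive.replace(tzinfo=timezone.utc)


def classify(output, revoked):
    """Map each package to a verdict about the key that signed it.

    The signature timestamp is written by whoever held the key, so a
    'signed-before-revocation' verdict is only a hint: if the key was
    compromised, the holder could have backdated the signature. Treat it
    as a triage aid, not as proof the package is trustworthy.
    """
    verdicts = {}
    for line in output.splitlines():
        pkg, _, sig = line.partition(" ")
        if sig == "(none)":
            verdicts[pkg] = "unsigned"
            continue
        m = SIG_RE.match(line)
        if not m:
            verdicts[pkg] = "unparsed"
            continue
        keyid = m.group("keyid")
        if keyid not in revoked:
            verdicts[pkg] = "ok"
        elif parse_sig_date(m.group("date")) < revoked[keyid]:
            verdicts[pkg] = "signed-before-revocation"
        else:
            verdicts[pkg] = "signed-after-revocation"
    return verdicts
```

Packages in the "signed-after-revocation" bucket are the ones to reinstall from media signed with the current key; the "unsigned" and "unparsed" buckets deserve a manual look.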

-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1598#issuecomment-873505143
_______________________________________________
Rpm-maint mailing list
Rpm-maint@lists.rpm.org
http://lists.rpm.org/mailman/listinfo/rpm-maint