On Tue, Apr 04, 2006 at 03:23:56PM +0200, houghi wrote:
On Tue, Apr 04, 2006 at 02:29:58PM +0200, Joachim Werner wrote:
<snip great explanation>
Now for the problems with YaST and installation sources you may have faced in the last couple of days:
The problem is that the signature checks are already in place, but the GUI and command line options that let you import non-SUSE keys, override key checking and integrity checking are not in place yet.
OK. That was what I figured out eventually. ;-)
With the final product you will be able to switch all the checks off, so you can still use sources that do not use any signing or checksums. But currently there are a few bugs with YaST expecting a signature to be there etc.
Somehow I managed to work around that and get non-signed RPMs on an ISO. This was done just by editing the content of one file. This means that even though people think they have the real deal, they might get an infected CD or DVD.
Does this then not kill off the purpose of the signing? It makes it possible to get insecure things installed. All it does is remove the ^META and ^KEY from ./content.
No, since we also sign the Packages / repomd.xml files and these contain the SHA-1 / SHA-256 sums of the packages.

Ciao, Marcus