On Wed, Oct 05, 2016 at 11:03:28PM +0200, Malte Gell wrote:
> Hi there,
> does RPM need to run gpg to verify signatures or is this hardcoded directly into RPM?

rpm has GPG signature verification built-in.

> What is the default behaviour of rpm if signature verification fails for whatever reason, does rpm abort installation of the package?

Depends. By default libzypp (and so zypper/yast2) checks the YUM repository for signatures and follows the SHA256 checksums for the content including the RPMs. The RPM's checksum is not checked. New libzypp versions can however check RPM signatures instead of repository signatures.

Ciao, Marcus
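
The checksum chain described in the reply above, as an added example that is not part of the original message and is not libzypp's code: a signed `repomd.xml` vouches for the primary metadata by SHA256, and the primary metadata vouches for each RPM file by SHA256. The sample repository is constructed, the primary metadata is left uncompressed for brevity, and the GPG check of `repomd.xml` itself is assumed to have been done by the caller.

```python
import hashlib
import xml.etree.ElementTree as ET

REPO = "{http://linux.duke.edu/metadata/repo}"      # repomd.xml namespace
COMMON = "{http://linux.duke.edu/metadata/common}"  # primary.xml namespace

def sha256(data):
    return hashlib.sha256(data).hexdigest()

def matches(elem, data):
    """True if data hashes to the sha256 value recorded in a <checksum> element."""
    return (elem is not None and data is not None
            and elem.get("type") == "sha256" and sha256(data) == (elem.text or "").strip())

def verify_chain(repomd, files, rpm_path):
    """Assumption: the caller already verified repomd's detached GPG signature."""
    for data in ET.fromstring(repomd).iter(REPO + "data"):
        if data.get("type") != "primary":
            continue
        href = data.find(REPO + "location").get("href")
        if not matches(data.find(REPO + "checksum"), files.get(href)):
            return False  # primary metadata differs from what repomd vouches for
        for pkg in ET.fromstring(files[href]).iter(COMMON + "package"):
            if pkg.find(COMMON + "location").get("href") == rpm_path:
                return matches(pkg.find(COMMON + "checksum"), files.get(rpm_path))
    return False  # package not listed, so nothing vouches for it

def build_sample():
    """Constructed repository: one fake package, uncompressed primary.xml."""
    rpm = b"constructed bytes standing in for an RPM file"
    primary = (
        '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
        '<package type="rpm"><name>demo</name>'
        f'<checksum type="sha256" pkgid="YES">{sha256(rpm)}</checksum>'
        '<location href="x86_64/demo-1.0-1.x86_64.rpm"/></package></metadata>'
    ).encode()
    repomd = (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
        f'<checksum type="sha256">{sha256(primary)}</checksum>'
        '<location href="repodata/primary.xml"/></data></repomd>'
    ).encode()
    files = {"repodata/primary.xml": primary, "x86_64/demo-1.0-1.x86_64.rpm": rpm}
    return repomd, files

if __name__ == "__main__":
    repomd, files = build_sample()
    print(verify_chain(repomd, files, "x86_64/demo-1.0-1.x86_64.rpm"))
```

Nothing in this chain looks at the signature embedded in the RPM file; the package is trusted only because its hash is reachable from the signed `repomd.xml`.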