Do you really think this is a good idea with unsigned RPMs (or do you sign them already)? I haven't tested it, but IIRC RPM isn't even displaying the MD5 hash before installing (correct me if I'm wrong) - so there would be no chance to detect if a packet was modified in some way.
To check MD5 you have to download the file (i.e. using wget), run a "md5sum" on it ("rpm --checksig --verbose" checks another md5sum). If this sum matches with the one from the correctly signed announcement mail, it should be safe to install the downloaded file.
This is correct. I'll put a (signed) file with all md5sums into the ftp directory on Monday.
Please tell me if I missed something!
oki,
Steffen
Regards,
Roman.
--
- -
| Roman Drahtmüller
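
The check discussed in this thread (download the package, run md5sum on it, compare the result with a value taken from signed text), as an added example that is not part of the original mails. The function names, the file names in the usage comment and the list layout (`<md5>  <filename>` per line, clearsigned with GnuPG) are assumptions.

```shell
#!/bin/sh
# Added example: check a downloaded RPM against a signed list of md5sums.
# Assumed list layout: "<md5>  <filename>" per line, file names without spaces.

# Verify the clearsigned list $1 and write only the signed text to $2.
# gpg may write output before the signature check fails, so the output
# is removed again whenever gpg exits non-zero.
signed_list_to_plain() {
    gpg --batch --yes --output "$2" --decrypt "$1" || { rm -f "$2"; return 1; }
}

# Print the MD5 recorded for file name $2 in the plain list $1.
expected_md5() {
    awk -v name="$2" \
        '$2 == name || $2 == ("*" name) { print tolower($1); exit }' "$1"
}

# Return 0 if the MD5 of file $1 matches its entry in list $2,
# 1 on mismatch, 2 if the file is not listed at all.
verify_download() {
    file=$1
    list=$2
    want=$(expected_md5 "$list" "$(basename "$file")")
    [ -n "$want" ] || return 2
    have=$(md5sum "$file" | awk '{ print $1 }')
    [ "$have" = "$want" ]
}

# Usage (constructed names):
#   wget <url-of-package>/foo-1.0-1.i386.rpm
#   signed_list_to_plain md5sums.asc md5sums.txt &&
#       verify_download foo-1.0-1.i386.rpm md5sums.txt &&
#       rpm -Uvh foo-1.0-1.i386.rpm
```

The comparison uses only the text gpg emits after a successful signature check, so lines placed outside the signed region of the list are never consulted.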