Mailinglist Archive: opensuse-security (10 mails)

Re: [opensuse-security] RPM signature verification
On Wed, Oct 05, 2016 at 11:03:28PM +0200, Malte Gell wrote:
> Hi there,
>
> does RPM need to run gpg to verify signatures or is this hardcoded
> directly into RPM?

rpm has GPG signature verification built-in.

> What is the default behaviour of rpm if signature verification fails for
> whatever reason, does rpm abort installation of the package?

Depends.

By default libzypp (and so zypper/yast2) checks the YUM repository for
signatures and follows the SHA256 checksums for the content, including the RPMs.

The RPMs checksum is not checked.

New libzypp versions can however check RPM signatures instead of repository
signatures.

Ciao, Marcus
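
The checksum chain described in the reply above, as an added example that is not part of the original mail and not libzypp's code: a signed `repomd.xml` pins the SHA256 of the primary metadata, which in turn pins the SHA256 of each RPM file. The function names are hypothetical, the GPG check of `repomd.xml` is represented by a boolean the caller supplies, and the sample repository is constructed with an uncompressed `primary.xml`.

```python
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"
COMMON_NS = "{http://linux.duke.edu/metadata/common}"

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def verify_chain(files: dict, repomd_signature_ok: bool) -> dict:
    """Walk repomd.xml -> primary.xml -> RPMs; return {rpm path: checksum ok}."""
    # Assumption: repomd_signature_ok stands in for the GPG check of repomd.xml.
    if not repomd_signature_ok:
        raise ValueError("repomd.xml signature not verified; nothing below is trusted")
    repomd = ET.fromstring(files["repodata/repomd.xml"])
    primary = None
    for data in repomd.iter(REPO_NS + "data"):
        if data.get("type") == "primary":
            href = data.find(REPO_NS + "location").get("href")
            want = data.find(REPO_NS + "checksum").text.strip()
            if sha256_hex(files[href]) != want:
                raise ValueError("primary metadata does not match repomd.xml")
            primary = ET.fromstring(files[href])
    if primary is None:
        raise ValueError("repomd.xml lists no primary metadata")
    result = {}
    for pkg in primary.iter(COMMON_NS + "package"):
        href = pkg.find(COMMON_NS + "location").get("href")
        want = pkg.find(COMMON_NS + "checksum").text.strip()
        result[href] = href in files and sha256_hex(files[href]) == want
    return result

def build_constructed_repo(rpm_bytes: bytes) -> dict:
    """Constructed sample repo: one fake package, uncompressed primary.xml."""
    primary = (
        '<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">'
        '<package type="rpm"><name>demo</name>'
        f'<checksum type="sha256" pkgid="YES">{sha256_hex(rpm_bytes)}</checksum>'
        '<location href="x86_64/demo-1.0-1.x86_64.rpm"/></package></metadata>'
    ).encode()
    repomd = (
        '<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
        f'<checksum type="sha256">{sha256_hex(primary)}</checksum>'
        '<location href="repodata/primary.xml"/></data></repomd>'
    ).encode()
    return {"repodata/repomd.xml": repomd, "repodata/primary.xml": primary,
            "x86_64/demo-1.0-1.x86_64.rpm": rpm_bytes}
```

The chain covers the bytes of each RPM file through the repository metadata, so it detects a modified package without reading the signature embedded in the RPM itself.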