Patrick O'Callaghan wrote: > >> NAK - if a fake public key were distributed then packages signed with >> the fake key would be matched, allowing full access to install crap in >> your machine. >> > > True. > Actually I don't understand the paragraph above. It seems to be saying that packages would be signed with a public key which can't be done. So, the person making that statement needs to clarify. > >> And packages signed with any valid redhat key would be >> rejected. >> > > Which is what I said. Thus it would be noticed immediately. > No, they would not be rejected as long as you still have Red Hat's public key installed on your system. You can determine what public keys are on your system by "rpm -qa gpg-pubkey*". When an rpm is signed it is signed with a private key and information about the corresponding public key is placed in the rpm file. That information is used to retrieve the correct public key for verification. So, as long as you've not deleted it, they will verify. > -- You have had a long-term stimulation relative to business. -- fedora-list mailing list fedora-list@xxxxxxxxxx To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
