On Mon, 3 Nov 2008 19:24:56 +0000, mike cloaked wrote:
> Mike <mike.cloaked <at> gmail.com> writes:
>
> > Doing:
> > less /etc/yum.repos.d/rpmfusion-free-updates.repo
> > shows that gpgcheck is enabled so if any future updates come in then
> > it will check against the keys. Since the rpm that installed to put these
>
> I guess the key signatures can be checked against those held in the rpm-fusion
> web pages somewhere although at this point I must admit I could not find the
> key signatures anywhere!
>
> Maybe someone will enlighten me as to where they are so we can check against
> keys in our systems - if we want to be really paranoid!
>
Have you noticed that the RPM Fusion GPG key as included in Livna's
rpmfusion-*-release packages is signed indirectly with the Livna GPG key
and the RPM package signature? You can run "rpm -Kv" on the downloaded
pkgs to check that manually. Example:
$ rpm -Kv rpmfusion-free-release-8-5.noarch.rpm
rpmfusion-free-release-8-5.noarch.rpm:
Header V3 DSA signature: OK, key ID a109b1ec
Header SHA1 digest: OK (c14f7fdce7a405469ed927933064ab9860e9eb57)
MD5 digest: OK (bd8e3eb77d44d74316f659ddc3bd861e)
V3 DSA signature: OK, key ID a109b1ec
--
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list
Guidelines: http://fedoraproject.org/wiki/Communicate/MailingListGuidelines
