On 06/21/2016 10:19 PM, Ed Greshko wrote:
> On 06/22/16 13:15, Samuel Sieb wrote:
>> On 06/21/2016 10:04 PM, Antonio M wrote:
>>> a silly question, how do you understand that a package is signed in any
>>> repo?? apart from the warning of dnf, of course....
>>>
>> That would be the primary way. Otherwise, if you have rpmdevtools installed,
>> you can download the rpm and run rpmdev-checksig on it. That's what I used to
>> check some rpms from rpmfusion to determine that they aren't signed.
>>
> Or you could run rpm -K rpmfile
>
> This shows the output of a signed rpm
>
> [root@meimei ~]# rpm -K aime-8.20160504-1.fc23.x86_64.rpm
> aime-8.20160504-1.fc23.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
>
> This shows the output of a non-signed rpm
>
> [egreshko@acer ~]$ rpm -K libmpg123-1.22.4-1.fc24.x86_64.rpm
> libmpg123-1.22.4-1.fc24.x86_64.rpm: sha1 md5 OK

Oh, that's right, you can check it with rpm and I have used that.
However, rpmdev-checksig will give you a bit more info:
python /bin/rpmdev-checksig nss-3.21.0-1.1.fc23.i686.rpm
nss-3.21.0-1.1.fc23.i686.rpm: RSA/SHA256 - 34ec9cba - <fedora-23-primary(a)fedoraproject.org>
python /bin/rpmdev-checksig a52dec-0.7.4-19.fc24.x86_64.rpm
a52dec-0.7.4-19.fc24.x86_64.rpm: MD5 - None - <None>
You currently have to run it with python directly because there's a bug
where the #! line has python3, but then it throws an exception. If you
run it with python2, it works.
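
Added example, not part of the original message: a small shell function that classifies one line of `rpm -K` output as signed, unsigned or failed, based on the two output lines quoted above. The function name is hypothetical, and the "digests signatures OK" / "digests OK" wording handled for newer rpm releases is an assumption that does not appear in this thread; the last three sample lines are constructed.

```shell
#!/bin/sh
# Classify one line of `rpm -K` output.
# Prints one of: signed | unsigned | failed | unknown
classify_rpm_k() {
    line=$1
    # Drop the "<file>: " prefix; what remains is the list of checks run.
    result=${line#*: }
    case $result in
        *"NOT OK"*) echo failed; return ;;   # digest or signature check failed
        *OK) ;;                              # every listed check passed
        *) echo unknown; return ;;           # not recognisable rpm -K output
    esac
    # Lower-case the tokens and drop the parentheses around "(md5)".
    for tok in $(printf '%s' "$result" | tr 'A-Z()' 'a-z  '); do
        case $tok in
            # rsa/dsa/pgp/gpg: signature checks in the older output format.
            # signatures: newer summary format (assumed, see lead-in).
            rsa|dsa|pgp|gpg|signatures) echo signed; return ;;
        esac
    done
    # Only digest checks (sha1, md5, digests) were listed: no signature.
    echo unsigned
}

# Sample lines: the first two are quoted from the thread, the rest are
# constructed for illustration.
while IFS= read -r l; do
    printf '%-9s %s\n' "$(classify_rpm_k "$l")" "$l"
done <<'EOF'
aime-8.20160504-1.fc23.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
libmpg123-1.22.4-1.fc24.x86_64.rpm: sha1 md5 OK
example-1.0-1.noarch.rpm: digests signatures OK
example-1.0-1.noarch.rpm: digests OK
example-1.0-1.noarch.rpm: sha1 md5 NOT OK
EOF
```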