Signed RPM Packages

Jason Woods devel at jasonwoods.me.uk
Fri May 16 18:16:35 CEST 2014


Hi,

I followed installation at: https://www.varnish-cache.org/installation/redhat

But noticed that the GPG signature checking of the RPMs was not enabled, and the RPMs were transferred over plaintext HTTP!
I did re-enable the signature checking, but it seems none of the packages are actually signed.

Are there plans to sign the packages? As I'm unable to use them in this state.
I did find references to "signing corrupts the packages" - maybe I could offer help looking into the problem? It would be really useful to have them signed.

NB: It would be good for the installation page mentioned to also state the packages are not signed and transferred via HTTP. Just so one can make a judgement call, as at the moment it could easily be missed.

Thanks!

Jason
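
Added example, not part of the original post: a small Python audit of yum `.repo` definitions that flags the two conditions raised in the message above, signature checking turned off and plaintext HTTP transport. The sample repo text, host names and the `audit_repo_text` name are constructed for illustration, and the `default_gpgcheck` fallback of `0` is an assumption about what `[main]` in yum.conf provides.

```python
import configparser

# Constructed sample .repo content (hypothetical hosts, not the Varnish repo file).
SAMPLE_REPO = """\
[example-insecure]
name=Signature checks off, plaintext transport
baseurl=http://repo.example.invalid/el6/$basearch
enabled=1
gpgcheck=0

[example-hardened]
name=Signature checks on, TLS transport
baseurl=https://repo.example.invalid/el6/$basearch
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
"""

TRUE_VALUES = {"1", "yes", "true", "on"}
URL_KEYS = ("baseurl", "mirrorlist", "metalink", "gpgkey")


def audit_repo_text(text, default_gpgcheck="0"):
    """Return {repo_id: [findings]} for every enabled repo in .repo text."""
    # default_gpgcheck: value inherited from [main] when a repo section does
    # not set gpgcheck itself (assumption: "0" unless the caller says otherwise).
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        repo = parser[repo_id]
        # Repos that are not enabled are never installed from, so skip them.
        if repo.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue
        findings = []
        if repo.get("gpgcheck", default_gpgcheck).strip().lower() not in TRUE_VALUES:
            findings.append("gpgcheck disabled")
        # A URL option may list several whitespace-separated URLs; check each.
        for key in URL_KEYS:
            urls = repo.get(key, "").split()
            if any(u.lower().startswith("http://") for u in urls):
                findings.append("plaintext http in " + key)
        report[repo_id] = findings
    return report


if __name__ == "__main__":
    for repo_id, findings in audit_repo_text(SAMPLE_REPO).items():
        print(repo_id, "->", findings or "ok")
```
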
