Signed RPM Packages
devel at jasonwoods.me.uk
Fri May 16 18:16:35 CEST 2014
I followed installation at: https://www.varnish-cache.org/installation/redhat
But noticed that the GPG signature checking of the RPMs was not enabled, and the RPMs were transferred over plaintext HTTP!
I did re-enable the signature checking but it seems none of the packages are actually signed.
Are there plans to sign the packages? As I'm unable to use them in this state.
I did find references to "signing corrupts the packages" - maybe I could offer help looking into the problem? It would be really useful to have them signed.
NB: It would be good for the installation page mentioned to also state the packages are not signed and transferred via HTTP. Just so one can make a judgement call, as at the moment it could easily be missed.
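Added example, not part of the original post: a shell check for the two conditions the message describes, signature checking turned off and packages fetched over plaintext HTTP, across the yum repo files in a directory. The repo names and host in the sample are constructed; `/etc/yum.repos.d` is assumed as the default location.

```shell
#!/bin/sh
# audit_repos DIR: print "<file>:<section>: <finding>" for every repo section
# in DIR/*.repo that does not set gpgcheck=1 or that fetches over http://.
# Returns 1 when there is at least one finding, 0 otherwise.
# "gpgcheck=unset" means the value is inherited from yum.conf, not read here.
audit_repos() {
    dir=${1:-/etc/yum.repos.d}
    set -- "$dir"/*.repo
    [ -e "$1" ] || return 0
    out=$(awk '
        function emit_section() {
            if (section == "") return
            if (gpg != "1") print file ":" section ": gpgcheck=" (gpg == "" ? "unset" : gpg)
            if (plain != "") print file ":" section ": plaintext URL " plain
        }
        FNR == 1 { emit_section(); section = ""; file = FILENAME }
        { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
        $0 == "" || /^[#;]/ { next }
        /^\[.*\]$/ {
            emit_section()
            section = substr($0, 2, length($0) - 2); gpg = ""; plain = ""
            next
        }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); sub(/^[ \t]+/, "", val)
            if (key == "gpgcheck") gpg = val
            if ((key == "baseurl" || key == "mirrorlist") && val ~ /^http:/) plain = val
        }
        END { emit_section() }
    ' "$@")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# Constructed sample (hypothetical repo names and host), audited in a temp dir.
demo=$(mktemp -d)
cat > "$demo/sample.repo" <<'EOF'
[example-unsigned]
baseurl=http://repo.example.invalid/el6/
gpgcheck=0
[example-signed]
baseurl=https://repo.example.invalid/el6/
gpgcheck=1
EOF
audit_repos "$demo" || true
rm -rf "$demo"
```

Only the first line of a multi-line `baseurl` is inspected, and a repo that passes this check can still serve unsigned packages, which is the situation the message reports.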