Signed RPM Packages

Per Buer perbu at
Fri May 16 19:55:30 CEST 2014

Hi Jason,

On Fri, May 16, 2014 at 6:16 PM, Jason Woods <devel at> wrote:

> Hi,
> I followed installation at:
> But noticed that the GPG signature checking of the RPMs was not enabled,
> and the RPMs were transferred over plaintext HTTP!
> I did re-enabled the signature checking but it seems none of the packages
> are actually signed.

The repo does talk HTTPS at this point so you can switch to SSL, giving you
transport level security at least.

Are there plans to sign the packages? As I'm unable to use them in this
> state.
> I did find references to "signing corrupts the packages" - maybe I could
> offer help looking into the problem? It would be really useful to have them
> signed.

Last time it was enabled we have spurious corruption of the whole RPM
database when the packages where installed. Nobody ever managed to actually
track this down and we left out the signing.

Lasse might have more information wrt to the state of the packages right
now. I know he has been working on the RPMs quite a bit lately.


 <> *Per Buer*
CTO | Varnish Software
Phone: +47 958 39 117 | Skype: per.buer
We Make Websites Fly!

Winner of the Red Herring Top 100 Global Award 2013
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the varnish-misc mailing list