On Sat, Jan 21, 2012 at 2:48 PM, kachelaqa <kachelaqa@gmail.com> wrote:
> On 21/01/12 19:57, Dan McGee wrote:
>> On Sat, Jan 21, 2012 at 12:45 PM, kachelaqa <kachelaqa@gmail.com> wrote:
>>> I'm still trying to get to grips with package signing, so this question may not make complete sense, but:
>>> Is there a way to check whether the signature was verified when a package was installed?
>> No. However, -Si shows the presence of a signature and the various checksums (MD5, SHA256) in the database.
> Okay, thanks.
> Can I ask why this is? I would have expected there to be at least a log message somewhere.

It is a debug level message if one cares to look there. Obviously this isn't all that helpful for the general end user though.

> ISTM that many users might want to know which installed packages on their systems have verified signatures, and which ones not. Would they be misguided in seeking that information?

Not misguided, but not something we currently track or anything. I don't think we'd be against tracking this in some sort of %VERIFICATION% field or something in the database; this could store something like "md5", "sha256", "pgp", "none", etc. But it isn't something we are likely to sit down and code; patches definitely welcome.

-Dan