Fedora 44 to Enable RPM Package Verification via Digital Signatures

For the spring release of Fedora Linux 44 there is a proposal to enable digital-signature checking of packages in RPM by default, so that only packages carrying a valid signature from a trusted key can be installed unless the check is explicitly turned off. The proposal still has to be approved by FESCo (Fedora Engineering Steering Committee), which oversees the technical side of Fedora Linux development. Users who need to install an unsigned package manually can bypass the check by running RPM with the “--nosignature” flag, or, from code, by disabling signature verification through the corresponding RPM library API (the transaction set's verification flags, rpmtsSetVSFlags).

RPM 6.0 can enforce signature verification of packages at install time. In Fedora 43, however, even after the move to RPM 6, RPM itself enforced only hash (digest) integrity checks; the authenticity of packages from repositories was verified one level up, by the YUM and DNF package managers, which check signatures by default (gpgcheck). The plan is to perform the same check at the RPM level in Fedora 44 (in RPM terms, raising the %_pkgverify_level policy from its default of digest to signature): when a package is installed with RPM, both the digest integrity check and a digital-signature check against the key of the package's builder, as imported into the RPM database, will be carried out.

Attempting to install a package that has no signature, or whose signature does not verify, will then fail by default, unless RPM is run explicitly with the “--nosignature” flag. DNF 5.2.14.0 adds the ability to disable RPM's signature verification selectively for individual packages, which matters mainly for external repositories that do not sign their packages. This option is enabled in the Mock build tool (mock-core-configs) for new package builds; Mock now also ships a plugin that signs locally built packages, and the Copr build service (Community Projects) has automated package signing.
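To make the digest-versus-signature distinction described above concrete, the following added example (not code from Fedora, RPM or the article) scans an RPM file's signature header and reports which digests and OpenPGP signature tags it carries, then applies the equivalent of the digest and signature verification levels to predict whether the package would be accepted without “--nosignature”. It only detects the presence of the legacy signature-header tags (RSA, DSA, PGP, GPG); it does not verify them against any key, which only rpm/rpmkeys does, and it does not look for the newer OpenPGP tag RPM 6 can place in the main header. The two sample packages are constructed inline with placeholder digest and signature bytes so the script runs offline; the tag numbers and on-disk layout follow the RPM file format.

```python
"""Report whether an RPM file carries an OpenPGP signature in its signature header."""
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"    # lead: 96 bytes at the start of the file
RPM_LEAD_SIZE = 96
RPM_HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header section magic, followed by 4 reserved bytes

# Signature header tags (RPMSIGTAG_* from rpmtag.h)
SIGTAG_SIZE, SIGTAG_MD5, SIGTAG_SHA1, SIGTAG_SHA256 = 1000, 1004, 269, 273
SIGTAG_DSA, SIGTAG_RSA, SIGTAG_PGP, SIGTAG_GPG = 267, 268, 1002, 1005
DIGEST_TAGS = {SIGTAG_MD5: "MD5", SIGTAG_SHA1: "SHA1", SIGTAG_SHA256: "SHA256"}
SIGNATURE_TAGS = {SIGTAG_DSA: "DSA", SIGTAG_RSA: "RSA", SIGTAG_PGP: "PGP", SIGTAG_GPG: "GPG"}

# Byte width of one element per header data type (6/8/9 are NUL-terminated strings)
TYPE_SIZES = {0: 0, 1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 7: 1}


def parse_header(buf, off):
    """Parse one header section at `off`; return ({tag: raw bytes}, end offset)."""
    if buf[off:off + 4] != RPM_HEADER_MAGIC:
        raise ValueError(f"no header magic at offset {off}")
    nindex, hsize = struct.unpack(">II", buf[off + 8:off + 16])
    index_start = off + 16
    data_start = index_start + 16 * nindex
    data = buf[data_start:data_start + hsize]
    if len(data) != hsize:
        raise ValueError("truncated header data")
    entries = {}
    for i in range(nindex):
        tag, typ, offset, count = struct.unpack(">IIII", buf[index_start + 16 * i:index_start + 16 * (i + 1)])
        if typ in (6, 8, 9):
            end = offset
            for _ in range(count):
                end = data.index(b"\0", end) + 1
            entries[tag] = data[offset:end]
        elif typ in TYPE_SIZES:
            entries[tag] = data[offset:offset + TYPE_SIZES[typ] * count]
        else:
            raise ValueError(f"unknown header data type {typ}")
    return entries, data_start + hsize


def scan_rpm(buf):
    """Return which digests and signatures the signature header carries."""
    if len(buf) < RPM_LEAD_SIZE or buf[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead)")
    sigtype = struct.unpack(">H", buf[78:80])[0]  # lead.signature_type; 5 = header-style signature
    if sigtype != 5:
        raise ValueError(f"unsupported lead signature type {sigtype}")
    entries, end = parse_header(buf, RPM_LEAD_SIZE)
    hdr_off = end + (8 - end % 8) % 8  # signature header is padded to an 8-byte boundary
    if buf[hdr_off:hdr_off + 4] != RPM_HEADER_MAGIC:
        raise ValueError("main header not found after signature header")
    return {
        "digests": sorted(DIGEST_TAGS[t] for t in entries if t in DIGEST_TAGS),
        "signatures": sorted(SIGNATURE_TAGS[t] for t in entries if t in SIGNATURE_TAGS),
        "header_offset": hdr_off,
    }


def check_policy(info, level):
    """Mirror rpm's %_pkgverify_level: 'digest' needs a digest, 'signature' also needs a signature.
    Presence only: whether the signature actually verifies is up to rpm and its imported keys."""
    if level == "none":
        return True, "verification disabled"
    if not info["digests"]:
        return False, "no digest in signature header"
    if level == "digest":
        return True, "digest present: " + ",".join(info["digests"])
    if level == "signature":
        if not info["signatures"]:
            return False, "unsigned package: rejected by default, needs --nosignature"
        return True, "signature present: " + ",".join(info["signatures"])
    raise ValueError(f"unknown verify level {level}")


def build_header(entries):
    """Assemble a header section from (tag, type, data bytes, count) tuples (constructed test data)."""
    index, data = b"", b""
    for tag, typ, payload, count in entries:
        index += struct.pack(">IIII", tag, typ, len(data), count)
        data += payload
    return RPM_HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(data)) + index + data


def make_sample(signed):
    """Constructed minimal RPM: lead, signature header, empty main header; digest/signature bytes are placeholders."""
    lead = (RPM_LEAD_MAGIC + bytes([3, 0]) + struct.pack(">HH", 0, 1)
            + b"demo-1.0-1.noarch".ljust(66, b"\0") + struct.pack(">HH", 1, 5) + b"\0" * 16)
    entries = [
        (SIGTAG_SIZE, 4, struct.pack(">I", 4096), 1),
        (SIGTAG_SHA256, 6, b"ab" * 32 + b"\0", 1),
        (SIGTAG_MD5, 7, b"\x11" * 16, 16),
    ]
    if signed:
        entries.append((SIGTAG_RSA, 7, b"\x89\x02" + b"\0" * 30, 32))  # not a real OpenPGP packet
    sighdr = build_header(entries)
    pad = (8 - len(sighdr) % 8) % 8
    return lead + sighdr + b"\0" * pad + build_header([])


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            info = scan_rpm(f.read())
        ok, why = check_policy(info, "signature")
        print(f"{path}: {'OK' if ok else 'FAIL'} ({why})")
```

Run it over a directory of local RPMs to see which ones would stop installing under a signature-level policy; on a real system the authoritative check remains rpmkeys -K, which also verifies the signature against the imported keys.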
