As an example, for RPMs signed by RedHat the explanation and key are at
http://www.redhat.com/solutions/secu...publickey.html
XavierP wrote:
The rpm should still install and since you obviously trust the place the file came from I wouldn't worry about it.
The problem with propagating proper package signing is exactly this end-user behaviour. People tend to think that just because it's from (what they think is) a "trustworthy" site it's good enough. Well, it just isn't, from a security point of view. DNS takeovers aren't impossible, and in the past the download locations of OpenSSH, Sendmail, TCP Wrappers, AIDE etc. were compromised; that should make it clear that packages without a pubkey signature are NOT trustworthy, regardless of what you think the source is. And MD5summing packages is helpful but not good enough. Until developers and distributors start taking a different approach towards security and sign by default, installing a package will remain a risk.
Helping turn that risk into an acceptable risk is everyone's responsibility.
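A small script to go with the point above, added here and not part of the original post: it wraps `rpm -K` (alias `rpm --checksig`) and refuses a package unless a public-key signature actually verified, so a line that only says the digests are OK (an unsigned package, or a package whose md5 merely matches) is treated as a failure rather than a pass. The sample output lines in the comments and the assumed `foo-1.0-1.rpm` file name are constructed for the example; the keyword matching is an assumption based on the `rpm -K` formats I have seen across rpm versions, so check it against the output of your own rpm. The vendor key must have been imported beforehand with `rpm --import`, from a copy obtained somewhere other than the download mirror itself.

```shell
#!/bin/sh
# Added example, not code from the original post: fail closed on `rpm -K`.
#
# Observed `rpm -K` output shapes (constructed samples; matching by keyword
# is an assumption, verify against your rpm version):
#   "foo-1.0-1.rpm: digests signatures OK"          newer rpm, signed, key known
#   "foo-1.0-1.rpm: digests OK"                     newer rpm, NOT signed
#   "foo-1.0-1.rpm: (sha1) dsa sha1 md5 gpg OK"     older rpm, signed, key known
#   "foo-1.0-1.rpm: sha1 md5 OK"                    older rpm, NOT signed
#   "foo-1.0-1.rpm: (SHA1) DSA sha1 MD5 GPG NOT OK (MISSING KEYS: ...)"
#                                                   signed, but key not imported
#   "error: open of foo-1.0-1.rpm failed: ..."      anything else

# classify_checksig LINE
# Prints "signed", "unsigned" or "bad". Returns 0 only for "signed".
classify_checksig() {
    # Lower-case so "NOT OK", "GPG" and "gpg" are handled by one pattern each.
    line=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    case "$line" in
        *"not ok"*) echo bad; return 1 ;;   # digest or signature mismatch, or unknown key
        *ok)        ;;                      # some form of "OK": decide below
        *)          echo bad; return 1 ;;   # rpm error, empty output, etc.
    esac
    case "$line" in
        # Only these words mean a pubkey signature was checked and verified.
        *signatures*|*gpg*|*pgp*) echo signed;   return 0 ;;
        # "md5 OK" / "digests OK" alone is just a checksum: anyone who can
        # replace the package on the server can make that pass.
        *)                        echo unsigned; return 1 ;;
    esac
}

# verify_rpm PACKAGE
# Runs rpm -K and prints the verdict; exit status is 0 only for a verified signature.
verify_rpm() {
    pkg=$1
    # rpm exits non-zero on NOT OK; capture the text either way and classify it.
    out=$(rpm -K "$pkg" 2>&1) || true
    verdict=$(classify_checksig "$out") || true
    printf '%s: %s (%s)\n' "$pkg" "$verdict" "$out"
    [ "$verdict" = signed ]
}

# Usage: ./checksig.sh foo-1.0-1.rpm && rpm -Uvh foo-1.0-1.rpm
if [ $# -gt 0 ]; then
    verify_rpm "$1"
fi
```

The thing to notice is that `rpm -K` prints "OK" for an unsigned package whose digests match, and a script that just greps for "OK" will happily install it; the classifier above only accepts the line when a signature keyword is present, and a "NOT OK (MISSING KEYS ...)" result is a reason to go and import the vendor key, not to install anyway.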