On Tue, 8 Sep 2020, Leon Fauster via CentOS-devel wrote:

> I remember asking somewhere, if the integrity in general gets checked
> (anaconda or kickstart list) but got no feedback.
>
> JFI: https://bugzilla.redhat.com/show_bug.cgi?id=998

To what end other than exercising electrons without adding
certainty of more security?

Just for the record, how do you propose to solve the MitM
attack by Dr Evil substituting in a fraudulent set of signing
keys and a 'gimmicked' rpm binary, which will cheerfully report
'all is well', post install? [1]

The only way I know of is taking a couple of sums, and human
sight checking them against an authoritative signed set from
upstream, at install time, and every time thereafter, rather
than relying on a stored key ....

but as the recent grub2 chain vulnerability indicates, a
later update can compromise even seemingly cryptographically
secured boot chains, and sneak exploited executables in

-- Russ herrold

[1] trap doored binaries RPM signed and released to distribution
https://access.redhat.com/errata/RHSA-2008:0855
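The sum-and-compare step described in the message above, as an added example that is not part of the original post: it computes two independent digests of an artifact and prints them in short groups beside the upstream manifest values for sight checking. The file name, payload and manifest are constructed, and the manifest is assumed to have been fetched from upstream over an independent channel with its signature checked separately.

```python
import hashlib
import hmac
import re

# Constructed sample: manifest entries for the 3-byte payload b"abc" under a made-up name.
SAMPLE_NAME = "sample-1.0.rpm"
SAMPLE_MANIFEST = """\
SHA256 (sample-1.0.rpm) = ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f  sample-1.0.rpm
"""

_BSD = re.compile(r"^(SHA\d+) \((.+)\) = ([0-9a-fA-F]+)$")           # SHA256 (name) = hex
_GNU = re.compile(r"^([0-9a-fA-F]{64}|[0-9a-fA-F]{128}) [ *](.+)$")  # hex  name
_BY_LEN = {64: "sha256", 128: "sha512"}

def parse_manifest(text):
    """Return {(filename, algo): hexdigest} from BSD- or GNU-style checksum lines."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        m = _BSD.match(line)
        if m:
            entries[(m.group(2), m.group(1).lower())] = m.group(3).lower()
            continue
        m = _GNU.match(line)
        if m:
            entries[(m.group(2), _BY_LEN[len(m.group(1))])] = m.group(1).lower()
    return entries

def grouped(hexdigest, n=8):
    """Split a digest into short groups so a person can compare it by eye."""
    return " ".join(hexdigest[i:i + n] for i in range(0, len(hexdigest), n))

def check(name, data, manifest, algos=("sha256", "sha512")):
    """Compare each local digest with the manifest; a missing entry is a failure."""
    results = {}
    for algo in algos:
        local = hashlib.new(algo, data).hexdigest()
        expected = manifest.get((name, algo))
        results[algo] = expected is not None and hmac.compare_digest(local, expected)
        print(f"{algo} local   : {grouped(local)}")
        print(f"{algo} upstream: {grouped(expected) if expected else '(no entry)'}")
    return results

if __name__ == "__main__":
    print(check(SAMPLE_NAME, b"abc", parse_manifest(SAMPLE_MANIFEST)))
```

As the message points out, the result is only as trustworthy as the machine and tools computing it, so the comparison belongs on a system other than the one being checked.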