The default --checksig setting in RPM Package Manager 4.0.4 checks that a package's signature is valid without listing who signed it, which can allow remote attackers to make it appear that a malicious package comes from a trusted source.
Passing either '-v' or '-vv' to the rpm utility displays detailed signature information, including who signed the package. Reportedly, the default behavior of the '--checksig' flag will be modified in RPM 4.1, which is currently under development. Currently we are not aware of any vendor-supplied patches for this issue. If you feel we are in error or are aware of more recent information, please mail us at: firstname.lastname@example.org .
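The practical consequence of the issue above is that "signature OK" alone says nothing about whether the signer is one you trust. The following added example (not part of the advisory, and not RPM's own code) shows a defender-side check that parses the verbose output of `rpm --checksig -v` and accepts a package only if every signature is OK *and* every key ID belongs to an allow-list. The line format, the package names and the key IDs are constructed for illustration and assumed to resemble RPM 4.x output; the short-form sample shows why output without '-v' cannot be used for this decision.

```python
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `rpm --checksig -v` output (format assumed to resemble
# RPM 4.x; package names, digests and key IDs are made up for this example).
SAMPLE_VERBOSE_OUTPUT = """\
vendor-tool-1.0-1.i386.rpm:
    Header V3 DSA signature: OK, key ID deadbeef
    Header SHA1 digest: OK (0123456789abcdef0123456789abcdef01234567)
    MD5 digest: OK (0123456789abcdef0123456789abcdef)
    V3 DSA signature: OK, key ID deadbeef
lookalike-tool-1.0-1.i386.rpm:
    Header V3 DSA signature: OK, key ID cafef00d
    Header SHA1 digest: OK (89abcdef0123456789abcdef0123456789abcdef)
    MD5 digest: OK (89abcdef0123456789abcdef01234567)
    V3 DSA signature: OK, key ID cafef00d
unsigned-tool-1.0-1.i386.rpm:
    Header SHA1 digest: OK (456789abcdef0123456789abcdef0123456789ab)
    MD5 digest: OK (456789abcdef0123456789abcdef0123)
"""

# Constructed sample of the default (non-verbose) `rpm --checksig` output:
# it reports validity only, with no signer identity at all.
SAMPLE_SHORT_OUTPUT = "lookalike-tool-1.0-1.i386.rpm: md5 gpg OK\n"

# Hypothetical allow-list of key IDs (short key IDs, lower-case hex) that an
# organisation has verified out of band and chooses to trust.
TRUSTED_KEY_IDS: Set[str] = {"deadbeef"}

# One package header line: "name.rpm:" with nothing after the colon.
PKG_RE = re.compile(r"^(\S+):\s*$")
# One verbose signature line, e.g. "    V3 DSA signature: OK, key ID deadbeef".
SIG_RE = re.compile(
    r"^\s+(?:Header )?V\d \w+ signature: (\w+), key ID ([0-9a-fA-F]+)\s*$"
)
# Short-form result line, e.g. "name.rpm: md5 gpg OK" (no key ID present).
SHORT_RE = re.compile(r"^(\S+): (.+?) (OK|NOT OK)\s*$")

# package -> list of (status, key_id); None means only the short form was seen.
ParsedSigs = Dict[str, Optional[List[Tuple[str, str]]]]


def parse_checksig(output: str) -> ParsedSigs:
    """Parse rpm --checksig output (verbose or short form) into signature entries."""
    result: ParsedSigs = {}
    current: Optional[str] = None
    for line in output.splitlines():
        m = PKG_RE.match(line)
        if m:
            current = m.group(1)
            result[current] = []
            continue
        m = SHORT_RE.match(line)
        if m:
            # Short form carries no signer identity; record that explicitly.
            result[m.group(1)] = None
            current = None
            continue
        m = SIG_RE.match(line)
        if m and current is not None:
            result[current].append((m.group(1).upper(), m.group(2).lower()))
    return result


def evaluate(sigs: ParsedSigs, trusted: Set[str]) -> Dict[str, str]:
    """Assign a verdict per package; only 'trusted' should be installed."""
    verdicts: Dict[str, str] = {}
    for pkg, entries in sigs.items():
        if entries is None:
            verdicts[pkg] = "signer-not-shown (rerun with -v)"
        elif not entries:
            verdicts[pkg] = "unsigned"
        elif any(status == "BAD" for status, _ in entries):
            verdicts[pkg] = "bad-signature"
        elif any(status != "OK" for status, _ in entries):
            # e.g. NOKEY: the signing public key is not imported, so the
            # signature could not be verified at all.
            verdicts[pkg] = "unverifiable"
        elif all(key in trusted for _, key in entries):
            verdicts[pkg] = "trusted"
        else:
            # Valid signature, but from a key we never agreed to trust:
            # exactly the case the advisory describes.
            verdicts[pkg] = "valid-but-untrusted-signer"
    return verdicts


def check_output(output: str, trusted: Set[str] = TRUSTED_KEY_IDS) -> Dict[str, str]:
    """Convenience wrapper: parse then evaluate in one call."""
    return evaluate(parse_checksig(output), trusted)


if __name__ == "__main__":
    for name, out in (("verbose", SAMPLE_VERBOSE_OUTPUT), ("short", SAMPLE_SHORT_OUTPUT)):
        print(f"--- {name} output ---")
        for pkg, verdict in check_output(out).items():
            print(f"{pkg}: {verdict}")
```

In practice the output would come from running `rpm --checksig -v` on the files in question and feeding its stdout to `check_output`; the allow-list should hold the key IDs of your vendor's signing keys, confirmed through a channel other than the package itself.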