I was validating a GPG key with the following command:
rpm --checksig <rpm name> --nodigest
My rpm is signed with RSA/SHA256 algorithm.
The question is: why does my output have (md5) in it?
Output: rsa (md5) pgp OK
When I run the same command with -v (verbose) enabled, it has no mention of md5.
Output:
Header V3 RSA/SHA256 Signature, key ID b1275ea3: OK
V3 RSA/SHA256 Signature, key ID b1275ea3: OK
When signatures were added to RPM last century, the only commonly available digital signature implementation was PGP (which at the time was RSA/MD5).
The terse form of rpm --checksig output was an early attempt to supply additional user information and added (md5) to the output.
The real flaw with rpm --checksig is that the output attempted to summarize very complex integrity checks within a single line using upper and lower case and parentheses, all of which is almost inscrutably nerdy.
Use -Kvv to see more useful details.
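The following added example (not part of the original answer and not rpm's own code) reads the verbose signature lines quoted in the question and reports the algorithms they actually name, rather than trusting the terse summary. The function names, the scope labels, the weak-hash policy (MD5, SHA1) and the NOKEY and RSA/MD5 sample lines are assumptions constructed for this example.

```shell
#!/bin/sh
# Added example: read `rpm --checksig -v` output on stdin and report the
# algorithms named on each signature line.
# Usage (package.rpm is a placeholder): rpm --checksig -v package.rpm | check_rpm_sigs

# Prints one line per signature: <scope> <pubkey-alg> <hash-alg> <key-id> <status>
# The scope labels "header" and "package" are this example's own naming.
parse_rpm_sigs() {
    sed -n -E \
        -e 's#^[[:space:]]*Header V[0-9]+ ([A-Za-z0-9]+)/([A-Za-z0-9]+) Signature, key ID ([0-9A-Fa-f]+): ([A-Z]+).*$#header \1 \2 \3 \4#p' \
        -e 's#^[[:space:]]*V[0-9]+ ([A-Za-z0-9]+)/([A-Za-z0-9]+) Signature, key ID ([0-9A-Fa-f]+): ([A-Z]+).*$#package \1 \2 \3 \4#p'
}

# Returns 0 only if at least one signature line is present, every one is OK,
# and none uses a hash this example's policy treats as weak (MD5, SHA1).
check_rpm_sigs() {
    parse_rpm_sigs | awk '
        { n++ }
        $5 != "OK" { bad = 1; print "not verified: " $0 }
        toupper($3) == "MD5" || toupper($3) == "SHA1" { bad = 1; print "weak hash: " $0 }
        END { exit (n == 0 || bad) ? 1 : 0 }
    '
}

# The two signature lines quoted in the question.
SAMPLE_OK='Header V3 RSA/SHA256 Signature, key ID b1275ea3: OK
V3 RSA/SHA256 Signature, key ID b1275ea3: OK'

# Constructed input: the same lines as they would read with the key not imported.
SAMPLE_NOKEY='Header V3 RSA/SHA256 Signature, key ID b1275ea3: NOKEY
V3 RSA/SHA256 Signature, key ID b1275ea3: NOKEY'

# Constructed input: a signature line that really does name RSA/MD5.
SAMPLE_MD5='V3 RSA/MD5 Signature, key ID b1275ea3: OK'
```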