When RPM experiences a signed package, with a signature that it does NOT know.
By default it will send the -fingerprint- (and only the 16 digit fingerprint)
to an external HKP server, trying to get the key down.
This is probably not a reasonable default behavior for the system to do,
instead it should simply fail the key lookup. If someone wants to enable the
HKP server it's easy enough to do by enabling the necessary macros.
Signed-off-by: yzhu1 <yanjun.zhu@windriver.com> Signed-off-by: Roy Li <rongqing.li@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
