[Yum-devel] gpg key importing

Jeremy Katz katzj at redhat.com
Mon Aug 30 15:49:13 UTC 2004


On Sun, 2004-08-29 at 23:44 -0400, seth vidal wrote:
> > The problem with all of these is that any "get the key from this URL"
> > thing is how can you trust that URL?  If you don't trust where you're
> > downloading packages from, why can you trust a website where you pull a
> > key from in an automated fashion any more?
> 
> Acknowledged, and yet how else do you get gpg keys installed?
> 
> how does up2date do it on fedora core?
> 
> how does anyone?

It depends on how rigorous you are about your security.  I think that
blindly importing from a URL leads to an easy mitm attack.  Including
"stock" keys in the package at least avoids that.  It doesn't help with
third-party repositories, though.

up2date includes copies of the key(s) in the up2date package and then
imports them the first time it starts.  Then you're only trusting the
up2date package (and it can be argued that if you don't trust the
up2date package you're using, that you're doomed anyway as it could have
trojan code to allow specific keys you haven't allowed through).

One thought if you did do importing from a URL would be to download the
key and then provide the fingerprint and require people to say "yes,
that's right".  It doesn't help the automated use scenario of updating
nightly with -y, though.

Jeremy
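To make the two ideas in the mail concrete (shipping "stock" fingerprints with the package as the trust anchor, and otherwise showing the fingerprint and asking for a yes/no, which an unattended `-y` run cannot answer), here is an added example in Python. It is not code from the thread, from yum, or from up2date. The OpenPGP v4 fingerprint computation follows RFC 4880 (SHA-1 over `0x99`, a two-byte body length, and the public-key packet body); the sample key packet is constructed inline from a made-up modulus, and `import_policy` and its arguments are hypothetical names chosen for this illustration.

```python
import hashlib
import struct
from typing import Callable, Optional, Set, Tuple


def _mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer (bit length + magnitude)."""
    if value == 0:
        return b"\x00\x00"
    nbytes = (value.bit_length() + 7) // 8
    return struct.pack(">H", value.bit_length()) + value.to_bytes(nbytes, "big")


def build_public_key_packet(modulus: int, exponent: int, created: int) -> bytes:
    """Wrap a v4 RSA public-key body in an old-format packet header (tag 6, two-byte length)."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + _mpi(modulus) + _mpi(exponent)
    # 0x99 = old-format header: tag 6 (public key), length type 1 (two-byte length)
    return b"\x99" + struct.pack(">H", len(body)) + body


# Constructed sample key: the modulus is a toy number, not a real RSA key. It exists only
# so the fingerprint arithmetic has something to run on.
SAMPLE_KEY = build_public_key_packet(modulus=0xC0FFEE1234567891, exponent=65537,
                                     created=1093824000)


def parse_public_key_packet(packet: bytes) -> dict:
    """Parse an old-format public-key packet and return the fields needed below."""
    if len(packet) < 3 or packet[0] & 0xC0 != 0x80:
        raise ValueError("not an old-format OpenPGP packet")
    tag = (packet[0] >> 2) & 0x0F
    length_type = packet[0] & 0x03
    if tag != 6 or length_type != 1:
        raise ValueError("expected a public-key packet with a two-byte length")
    body_len = struct.unpack(">H", packet[1:3])[0]
    body = packet[3:3 + body_len]
    if len(body) != body_len or body[0] != 4:
        raise ValueError("truncated packet or unsupported key version")
    created, algo = struct.unpack(">IB", body[1:6])
    return {"version": 4, "created": created, "algorithm": algo, "body": body}


def fingerprint(packet: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99 || two-byte body length || body, as hex."""
    body = parse_public_key_packet(packet)["body"]
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def import_policy(packet: bytes, pinned: Optional[Set[str]], assume_yes: bool,
                  confirm: Callable[[str], bool]) -> Tuple[bool, str]:
    """Decide whether a key fetched from a URL may be imported (hypothetical policy).

    pinned:     fingerprints shipped inside the package, i.e. the "stock keys" trust anchor.
    assume_yes: an unattended run (-y). Unpinned keys are refused rather than trusted
                silently, so a key substituted on the wire cannot be imported without
                a human looking at the fingerprint.
    confirm:    called with the fingerprint in interactive mode; returns True to accept.
    """
    fp = fingerprint(packet)
    if pinned and fp in pinned:
        return True, "fingerprint %s matches a key shipped with the package" % fp
    if assume_yes:
        return False, "refusing unattended import of unpinned key %s" % fp
    if confirm(fp):
        return True, "user accepted fingerprint %s" % fp
    return False, "user rejected fingerprint %s" % fp


if __name__ == "__main__":
    shipped = {fingerprint(SAMPLE_KEY)}            # what the package would carry
    swapped = build_public_key_packet(0xDEADBEEF0BADF00D, 65537, 1093824000)  # constructed
    print(import_policy(SAMPLE_KEY, shipped, assume_yes=True, confirm=lambda fp: False))
    print(import_policy(swapped, shipped, assume_yes=True, confirm=lambda fp: False))
    print(import_policy(swapped, shipped, assume_yes=False,
                        confirm=lambda fp: input("Accept key %s? [y/N] " % fp).lower() == "y"))
```

The policy makes the trade-off from the mail explicit: with a shipped fingerprint the nightly `-y` case works without a prompt, while a third-party key that matches nothing shipped only gets in through an interactive confirmation of its fingerprint.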