[Yum-devel] gpg key importing

Ryan Tomayko rtomayko at gmail.com
Mon Aug 30 15:53:48 UTC 2004


> The problem with all of these is that any "get the key from this URL"
> thing is how can you trust that URL?  If you don't trust where you're
> downloading packages from, why can you trust a website where you pull a
> key from in an automated fashion any more?

You'll have to forgive my lack of knowledge of GPG and how RPM
utilizes GPG keys but are the keys/certs signed by any kind of
authority? If so, it shouldn't matter where you get them from as long
as you can validate that they are signed by a trusted source.

Also, what about fedora.us? Does redhat sign the fedora.us cert or
certs of other repos?

IMO, this might be really useful for getting around this kind of
thing. Fedora could ship with some kind of trusted CA out of the box
and certs/keys signed by that CA could be validated as having the
identity claimed in the cert. Third party repositories could apply to
have their certs signed by redhat.

This doesn't necessarily mean that a user should trust RPMs signed with
a key that is signed by redhat/fedora. It would be a mechanism for
validating identity only.

Pretty sure this is either a.) happening now or b.) has been
kicked around before and was found to have some holes.

I'm a bit out of my realm of expertise here so forgive me if I'm not
making sense. My understanding of GPG and how it is used by RPM
is limited but I have an okay understanding of public/private key
theory and practice in other areas.

Ryan


On Sun, 29 Aug 2004 23:42:52 -0400, Jeremy Katz <katzj at redhat.com> wrote:
> On Sat, 2004-08-28 at 19:33 -0400, seth vidal wrote:
> > I had a thought about gpg key importing.
> >
> > For vendors and folks packaging yum up, I thought about adding a file
> > in /etc/ of yum-keys.conf
> >
> > just a configparser file that stores keys
> [snip]
> > arguably you could run yum and if we find we need a key, we look it up,
> > and if it's in the conf file, then import it.
> >
> > or, alternatively.
> >
> > make the keyid an option for the repo stanza
> [snip]
> > now that doesn't really help if multiple keys are needed for a single
> > repo but...
> >
> > Thoughts?
> 
> The problem with all of these is that any "get the key from this URL"
> thing is how can you trust that URL?  If you don't trust where you're
> downloading packages from, why can you trust a website where you pull a
> key from in an automated fashion any more?
> 
> Jeremy
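One way to answer the "why trust the URL?" objection within Seth's proposed yum-keys.conf layout is to ship the expected key fingerprint in the config and only import a downloaded key when it matches. The following is an added example, not yum's code or anything from this thread; the stanza fields (gpgkey, fingerprint), the repo names and the toy key packet are all constructed for the demo.

```python
# Added example (not yum's code): pin each repo's signing-key fingerprint in a
# configparser-style yum-keys.conf so a key fetched from a URL is imported only
# when it matches a value shipped out of band. Field names and key are constructed.
import configparser
import hashlib
import struct

def mpi(n: int) -> bytes:
    """OpenPGP MPI: 2-byte bit length followed by the big-endian value."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")

# Toy v4 RSA public-key packet body (constructed, not a usable key):
# version 4, creation time, algorithm 1 (RSA), then MPIs n and e.
TOY_KEY_BODY = b"\x04" + struct.pack(">I", 0x41324A3C) + b"\x01" + mpi(0x10001) + mpi(0x10001)

def openpgp_v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99 || two-octet body length || packet body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def load_keys_conf(text: str) -> dict:
    """Parse stanzas of the form [repo] / gpgkey = URL / fingerprint = 40 hex digits."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    return {
        repo: {
            "gpgkey": cp.get(repo, "gpgkey", fallback=None),
            "fingerprint": cp.get(repo, "fingerprint", fallback="").replace(" ", "").upper(),
        }
        for repo in cp.sections()
    }

def key_import_allowed(conf: dict, repo: str, key_body: bytes) -> bool:
    """Fail closed: allow import only if the stanza pins a fingerprint and the
    downloaded key's computed fingerprint matches it."""
    stanza = conf.get(repo)
    if not stanza or not stanza["fingerprint"]:
        return False
    return openpgp_v4_fingerprint(key_body) == stanza["fingerprint"]

# The pinned value would normally be copied from the vendor's published
# fingerprint; here it is derived from the toy key to keep the sample offline.
SAMPLE_CONF = f"""
[fedora-extras]
gpgkey = http://example.invalid/RPM-GPG-KEY-fedora-extras
fingerprint = {openpgp_v4_fingerprint(TOY_KEY_BODY)}

[unpinned-repo]
gpgkey = http://example.invalid/RPM-GPG-KEY-unknown
"""
```

The pin moves trust from the download URL to the config file the distribution ships, which is exactly the piece a user already has to trust; a repo with no pinned fingerprint is refused rather than silently imported.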