[Yum] gpg public keys
skvidal at phy.duke.edu
Fri Mar 7 14:34:41 UTC 2003
> Is there any way to fully encapsulate gpg keychecking? As in, have yum
> always check gpg signatures and never tell you about it unless they fail
> to match? Or is there something chicken-and-eggish about this...
1. you don't know which keys to trust
2. you don't know where to get the keys necessarily
3. you never know what whack stuff gets installed.
> Forgive me if it already does this.
> As for output in yum list, a column with Y/N/NA in it for yes, gpg key
> checks, no it fails, or not applicable, no key available might be a
> decent option to have, as might a flag to tell it to list only packages
> whose key is n,na, or just n. Those commands might play a useful role
> in a security audit or a what's wrong with this damn system audit,
> presuming of course that one can trust yum itself on a compromised
Can't happen if you look at anaconda.
Anaconda can't check gpg sigs b/c it would have to know who to ask for
the keys, and it can't really do that. Additionally, we'd have to trust
all the pkgs already installed b/c afaict there is no way to check the
gpg sig of a package that is installed.
Right now with rpm 4.2 gpg key importing is trivial.
So there is little excuse for not grabbing a key and using it.
Even if yum doesn't implement 'yum importkey' it's still a trivial
operation - literally one command with rpm.
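As an added illustration, not from the original thread, of the one-command key import and of the Y/N/NA audit column proposed above: a small shell helper that classifies `rpm --checksig` output lines and can list only the packages that fail or have no key. The `rpm --import` and `rpm -K` invocations are real rpm commands (4.2 or later); the sample output lines in the comments are constructed.

```shell
#!/bin/sh
# Added example: import a vendor key (one rpm command), then map
# "rpm -K" results onto the Y / N / NA audit column from the thread.

# Import a public key into the rpm keyring. $1 is a key file path
# (placeholder; e.g. a vendor's RPM-GPG-KEY file).
import_key() {
    rpm --import "$1"
}

# classify_sig LINE -> prints Y, N or NA for one "rpm -K" output line.
#   Y  : a gpg/pgp signature is present and verified
#   N  : digest or signature check failed (corrupt or tampered package)
#   NA : signature cannot be judged: no key available, or package unsigned
# Constructed sample lines:
#   "foo-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK"                  -> Y
#   "foo-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#db42a60e)" -> NA
#   "bar-2.0-1.i386.rpm: md5 NOT OK"                                   -> N
#   "baz-3.1-1.noarch.rpm: sha1 md5 OK"                                -> NA
classify_sig() {
    line=$1
    case $line in
        *"MISSING KEYS"*)                    echo NA ;;
        *"NOT OK"*)                          echo N  ;;
        *gpg*OK*|*GPG*OK*|*pgp*OK*|*PGP*OK*) echo Y  ;;
        *OK*)                                echo NA ;;  # digests only, unsigned
        *)                                   echo N  ;;  # unreadable / not an rpm
    esac
}

# audit_rpms [-n] FILE... : print "<status> <file>" per package file.
# -n restricts the listing to N and NA rows, the "only show what is
# not verified" flag suggested in the thread. Runs rpm -K for real.
audit_rpms() {
    only_bad=0
    if [ "$1" = "-n" ]; then only_bad=1; shift; fi
    for f in "$@"; do
        status=$(classify_sig "$(rpm -K "$f" 2>&1)")
        if [ "$only_bad" -eq 0 ] || [ "$status" != Y ]; then
            echo "$status $f"
        fi
    done
}
```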