[Yum] gpg public keys

seth vidal skvidal at phy.duke.edu
Fri Mar 7 14:34:41 UTC 2003

> Is there any way to fully encapsulate gpg keychecking?  As in, have yum
> always check gpg signatures and never tell you about it unless they fail
> to match?  Or is there something chicken-and-eggish about this...


1. you don't know which keys to trust
2. you don't know where to get the keys necessarily
3. you never know what whack stuff gets installed.

> Forgive me if it already does this.
> As for output in yum list, a column with Y/N/NA in it for yes, gpg key
> checks, no it fails, or not applicable, no key available might be a
> decent option to have, as might a flag to tell it to list only packages
> whose key is n, na, or just n.  Those commands might play a useful role
> in a security audit or a what's wrong with this damn system audit,
> presuming of course that one can trust yum itself on a compromised
> system.

Can't happen if you look at anaconda.

Anaconda can't check gpg sigs b/c it would have to know who to ask for
the keys, and it can't really do that. Additionally, we'd have to trust
all the pkgs already installed b/c afaict there is no way to check the
gpg sig of a package that is installed.

Right now with rpm 4.2 gpg key importing is trivial.

absolutely trivial. 

So there is little excuse for not grabbing a key and using it.

even if yum doesn't implement 'yum importkey' it's still a trivial
operation - literally one command with rpm.
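The one-command key import from the reply, followed by the Y/N/NA package listing the quoted mail asked for, as an added shell example that is not code from the post, from yum or from rpm; key and package paths are hypothetical, and the sample `rpm --checksig` output lines are constructed from the shapes rpm prints.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post or from yum/rpm.
# Step 1: import a vendor key with rpm (the "one command" in the reply);
# step 2: check package files on disk and print Y / N / NA per package.
# Key and package paths are hypothetical; rpm --import and rpm --checksig
# are real rpm commands.

# Import a public key into the rpm keyring.
import_key() {
    rpm --import "$1"
}

# Pure classifier over one "rpm --checksig" output line, so the logic can
# be exercised without rpm installed. Prints Y/N/NA and returns 0/1/2.
# "MISSING KEYS" is tested first because rpm also prints "NOT OK" then.
classify() {
    case "$1" in
        *"MISSING KEYS"*) echo NA; return 2 ;;  # no key imported: not applicable
        *"NOT OK"*)       echo N;  return 1 ;;  # digest or signature failed
        *" OK"*)          echo Y;  return 0 ;;  # signature verified
        *)                echo "?"; return 3 ;; # unrecognised output
    esac
}

# Verify package files; exit status is the worst result seen (0 = all Y).
audit_rpms() {
    worst=0
    for pkg in "$@"; do
        line=$(rpm --checksig "$pkg" 2>&1)
        status=$(classify "$line")
        rc=$?
        printf '%-3s %s\n' "$status" "$pkg"
        [ "$rc" -gt "$worst" ] && worst=$rc
    done
    return "$worst"
}

# Constructed sample lines in the shapes rpm prints (older and newer versions).
SAMPLE_OK='foo-1.0-1.i386.rpm: (sha1) dsa sha1 md5 gpg OK'
SAMPLE_NOKEY='foo-1.0-1.i386.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#0123abcd)'
SAMPLE_BAD='foo-1.0-1.i386.rpm: digests SIGNATURES NOT OK'
```

Typical use is `import_key RPM-GPG-KEY-vendor && audit_rpms *.rpm`, which lists only what fails or lacks a key through the exit status.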


