[Yum] signing package-signing keys
Scott Lawrence
slawrence at pingtel.com
Fri Mar 4 17:20:02 UTC 2005
I'm looking for advice on best practices for setting up a repository
with respect to package signing.
Clearly, rpms should be signed by a key available from the repository
site. I plan to set up our web server so that the key is available only
via https, which makes it more difficult to spoof the server.
We plan to use a key that is maintained by the project itself - not any
individual person's key.
My question has to do with other measures to ensure the trust of that
key - do repository &| package maintainers generally sign the package-
signing keys with other keys to get it related to other trust networks?
--
Scott Lawrence
Consulting Engineer
Pingtel Corp.
http://www.pingtel.com/
+1.781.938.5306 x162