[Yum] signing package-signing keys

Scott Lawrence slawrence at pingtel.com
Fri Mar 4 17:20:02 UTC 2005


I'm looking for advice on best practices for setting up a repository
with respect to package signing.

Clearly, rpms should be signed by a key available from the repository
site.  I plan to set up our web server so that the key is available only
via https, which makes it more difficult to spoof the server.

We plan to use a key that is maintained by the project itself - not any
individual person's key.

My question has to do with other measures to ensure the trust of that
key - do repository and/or package maintainers generally sign the
package-signing keys with other keys to get it related to other trust networks?

-- 
Scott Lawrence
Consulting Engineer
Pingtel Corp.
http://www.pingtel.com/
+1.781.938.5306 x162

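The repository-side flow the post sketches, as an added example (this is not the poster's script or Pingtel's tooling): a POSIX shell script that generates a project-owned signing key, signs and verifies the RPMs, has a maintainer countersign the project key so it hangs off the existing web of trust, and emits a client .repo file with signature checking on and the key fetched over https only. Every name, e-mail address, URL and repo id in it is a placeholder; the key and signing steps need gpg, rpm (or rpmsign) and createrepo on the build host, while the .repo writer and linter run with nothing installed.

```shell
#!/bin/sh
# Added example, not the poster's setup. Placeholders throughout.
#   1. one project-owned signing key (not a person's key)
#   2. every RPM signed with it, and verified before publication
#   3. the public key countersigned by a maintainer's personal key
#   4. the public key and the client-side .repo file served over https only
set -eu

PROJECT_NAME="Example Project package signing key"   # assumption
PROJECT_EMAIL="packages@example.invalid"             # assumption
REPO_ID="example"                                    # assumption
REPO_URL="https://yum.example.invalid/el4"           # assumption; https on purpose
KEYFILE="RPM-GPG-KEY-$REPO_ID"

# 1. Generate the project key unattended (gpg 2.1+ parameter syntax;
#    older gpg wants a Passphrase: line instead of %no-protection).
gen_project_key() {
    gpg --batch --gen-key <<EOF
%no-protection
Key-Type: RSA
Key-Length: 4096
Key-Usage: sign
Name-Real: $PROJECT_NAME
Name-Email: $PROJECT_EMAIL
Expire-Date: 2y
%commit
EOF
}

# Full fingerprint of the project key, to publish out of band so clients can
# compare it against what the https server hands out.
project_fingerprint() {
    gpg --with-colons --fingerprint "$PROJECT_EMAIL" |
        awk -F: '/^fpr:/ { print $10; exit }'
}

# 2. Sign the RPMs with the project key (rpmsign on newer rpm, rpm --addsign
#    on older), then verify them against a freshly imported copy of the key.
sign_rpms() {
    if command -v rpmsign >/dev/null 2>&1; then signer=rpmsign; else signer=rpm; fi
    "$signer" --define "_gpg_name $PROJECT_EMAIL" --addsign "$@"
}

verify_rpms() {
    gpg --armor --export "$PROJECT_EMAIL" > "$KEYFILE"
    rpm --import "$KEYFILE"     # trusts the key in the build host's rpm db only
    rpm --checksig "$@"         # must report a gpg/pgp signature, not digests alone
}

# 3. Tie the project key into the web of trust: a maintainer countersigns it
#    with a personal key others have already signed. Run once per maintainer.
countersign_key() {
    maintainer="$1"             # key id or e-mail of the maintainer's personal key
    gpg --default-key "$maintainer" --batch --yes --sign-key "$PROJECT_EMAIL"
    gpg --armor --export "$PROJECT_EMAIL" > "$KEYFILE"   # re-export with the new signature
}

# 4. Client configuration: signature checks on, key fetched over https.
write_repo_file() {
    id="$1"; name="$2"; url="$3"
    printf '[%s]\nname=%s\nbaseurl=%s\nenabled=1\ngpgcheck=1\ngpgkey=%s/RPM-GPG-KEY-%s\n' \
        "$id" "$name" "$url" "$url" "$id"
}

# Lint a .repo file read from stdin: reject signature checking that is off or
# missing, and a key fetched over a channel that can be spoofed (plain http).
check_repo_config() {
    rc=0 have_check=0 have_key=0
    while IFS= read -r line; do
        case "$line" in
            gpgcheck=1)                          have_check=1 ;;
            gpgcheck=*)                          echo "weak: $line"; rc=1 ;;
            gpgkey=https://*|gpgkey=file:///*)   have_key=1 ;;
            gpgkey=*)                            echo "weak: key over spoofable channel: $line"; rc=1 ;;
        esac
    done
    [ "$have_check" -eq 1 ] || { echo "weak: gpgcheck=1 missing"; rc=1; }
    [ "$have_key" -eq 1 ]   || { echo "weak: gpgkey missing"; rc=1; }
    return "$rc"
}

main() {
    outdir="$1"; shift
    gen_project_key
    echo "project key fingerprint: $(project_fingerprint)"
    sign_rpms "$@"
    verify_rpms "$@"
    write_repo_file "$REPO_ID" "Example Project packages" "$REPO_URL" > "$outdir/$REPO_ID.repo"
    check_repo_config < "$outdir/$REPO_ID.repo"
    cp "$KEYFILE" "$outdir/"
    createrepo "$outdir"        # publish $outdir over https only
}

# Usage: sh sign-repo.sh <repo dir> <package>.rpm ...  (needs gpg, rpm, createrepo)
if [ "$#" -gt 0 ]; then main "$@"; fi
```

The countersignature only helps a client that already trusts the maintainer's personal key, so it complements rather than replaces publishing the fingerprint out of band (release announcement, project page) for clients to compare against the key they download over https.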