On 27.09.19 13:59, Ladar Levison via CentOS-devel wrote:
On 9/25/19 11:47 PM, Leon Fauster via CentOS-devel wrote:
So the only trusted source is https://www.centos.org/keys/ with https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official for CentOS 8.
The key is also available on a system that has already been installed/setup, although the filename convention changed. Instead of:
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-8
I want to cite what openbsd does https://www.openbsd.org/papers/bsdcan-signify.html
...snip After each release of OpenBSD, we generate a new key pair for the release after next. That's plus two. For example, after 5.6 was released, keys for 5.8 were generated. This way, the 5.8 keys are then included in the 5.7 release. ...snap
In the CentOS world this could mean that CentOS 8 ships the key for CentOS 9 although not released yet. Actually all valid keys even for older releases could be in an rpm. rpm does check signatures, doesn't it?
Hm. If I remember correctly, anaconda wasn't always that good at checking signatures. At CentOS 6 times, installs over the network did not check them (please correct me if I am wrong), and that's why installs over http were deprecated. I do not know if anaconda improved in 7 or 8; does anyone know about this?
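On the question of whether rpm checks signatures: it does when asked, but a caller still has to read the verdict, since `rpm -K` exits 0 for an unsigned package just as for a correctly signed one. The following is an added example (not CentOS project code) of a fail-closed gate around `rpm -K`; the one-line-per-package summaries it parses are constructed samples modelled on rpm 4.14-era output and are an assumption, as is the `check_files` helper name.

```python
"""Fail-closed signature gate around `rpm -K` (added example, not project code)."""
import subprocess
from typing import Dict, List

# Constructed sample of `rpm -K` summaries (not captured from a real host).
# Assumed format: "<file>: digests signatures OK" for a good signature,
# "... SIGNATURES NOT OK" for a bad or unknown-key signature, and plain
# "digests OK" when the package carries no signature at all.
SAMPLE_OUTPUT = """\
kernel-4.18.0-80.el8.x86_64.rpm: digests signatures OK
bash-4.4.19-7.el8.x86_64.rpm: digests SIGNATURES NOT OK
vim-8.0.1763-10.el8.x86_64.rpm: digests SIGNATURES NOT OK (MISSING KEYS)
unsigned-0.1-1.noarch.rpm: digests OK
"""


def classify(summary: str) -> str:
    """Map one rpm -K summary to a verdict. Fail closed: anything other than
    an explicit 'signatures OK' is 'untrusted', except a package with no
    signature at all, which is reported separately as 'unsigned'."""
    s = summary.strip()
    if s == "digests signatures OK":
        return "signed_ok"
    if "signatures" not in s.lower() and s.endswith("OK"):
        return "unsigned"
    return "untrusted"


def parse_rpm_k(output: str) -> Dict[str, str]:
    """Parse the text of `rpm -K <files...>` into {filename: verdict}."""
    verdicts: Dict[str, str] = {}
    for line in output.splitlines():
        if not line.strip():
            continue
        pkg, _, summary = line.partition(": ")
        verdicts[pkg] = classify(summary)
    return verdicts


def installable(output: str) -> List[str]:
    """Only packages whose signature verified against an imported key pass."""
    return sorted(p for p, v in parse_rpm_k(output).items() if v == "signed_ok")


def check_files(paths: List[str]) -> Dict[str, str]:
    """Run rpm -K on real files (hypothetical helper). The exit code alone
    cannot tell 'signed_ok' from 'unsigned', so the output text is parsed."""
    out = subprocess.run(["rpm", "-K", *paths], capture_output=True, text=True)
    return parse_rpm_k(out.stdout)
```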