Hi All! Congratulations to the CentOS Team! Great handcraft! I am impressed!
While trying to verify the downloaded stuff, my mental questions got answered by myself. So, no need to ask the list, but this introspection shows a hidden workflow that is not so streamlined, but very crucial. So, I let it go ...
As mentioned, I wanted to verify the downloaded stuff and wondered where to find a trusted source for the RPM-GPG-KEY-CentOS-8 key file (yes, -8). Okay, it's here:
https://www.centos.org/keys/ and the trust level is based on TLS.
But I still have some question marks:
- We all use gpg2, right? So the/my first check will go through GnuPG, but GPG keyservers are not the first choice because everyone can upload keys, but there are some efforts to have the identities at least verified:
https://keys.openpgp.org/about/news#2019-06-12-launch . Maybe a good idea to have full key information (verified) for all CentOS keys there too?
so I switched to
So, also not a source. Is it planned to lift this up to https-only?
Ah, it's RPM-GPG-KEY-CentOS-Official (another flow break).
I ended up here
- WWW via TLS
while the latter suggests wget over http:// (I know the fingerprint is
https://wiki...-TLS protected). The wiki is still CentOS 7 specific. From the usability point of view there is a forced translation needed from the user (my/users' goal has CentOS 8 as target).
Finally, this would speed up this crucial part of verifying the new distro stuff (ISO etc.):
BTW, the wiki search result for gpg, pgp or keys does not bring up "Download/Verify" as the first entry. Can this be upvoted or tagged?
Just thinking loud.
Thanks,
Leon
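As an added example (not from the post above and not CentOS project tooling), here is the workflow Leon is describing written out as a POSIX shell script: pin the signing key by the fingerprint you read from https://www.centos.org/keys/ over TLS, import RPM-GPG-KEY-CentOS-Official only if the downloaded key file matches that fingerprint, then verify CHECKSUM.asc with gpg2 and compare the ISO digest with the entry in the signed list. The fingerprint handling covers the spaced form a web page shows and the compact form gpg2 prints; the digest lookup covers both the BSD "SHA256 (file) = hex" lines of CentOS 8 and the GNU "hex  file" lines of the CentOS 7 sha256sum.txt. It assumes CHECKSUM.asc is a clearsigned copy of the digest list, as the CentOS 8 mirrors publish it; the file names and the fingerprint argument are placeholders, not values taken from the post.

```sh
#!/bin/sh
# Added example, not CentOS project tooling. Checks a downloaded
# RPM-GPG-KEY-CentOS-Official file against a fingerprint read by hand from
# https://www.centos.org/keys/ (over TLS), imports it only on a match, then
# verifies CHECKSUM.asc with gpg2 and the ISO against the signed digest list.
# Assumed: CHECKSUM.asc is a clearsigned copy of the digest list (as the
# CentOS 8 mirrors publish it); the file names below are placeholders.

# Fingerprints are compared without whitespace and case-insensitively, so the
# spaced form shown on a web page matches the compact form gpg2 prints.
norm_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Primary-key fingerprint from `gpg2 --with-colons` output on stdin: field 10
# of the first "fpr" record (the one right after the "pub" record).
primary_fpr() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# Exit 0 if the colon listing on stdin carries the expected fingerprint.
fpr_ok() {
    [ -n "$1" ] && [ "$(primary_fpr)" = "$(norm_fpr "$1")" ]
}

# Expected SHA-256 digest of FILE from a digest list on stdin. Accepts the BSD
# form "SHA256 (file) = hex" that CentOS 8 uses and the GNU "hex  file" form
# of the CentOS 7 sha256sum.txt; prints nothing if FILE is not listed.
expected_sha256() {
    awk -v f="$1" '
        $1 == "SHA256" && $2 == ("(" f ")") { print $4; exit }
        length($1) == 64 { n = $2; sub(/^\*/, "", n); if (n == f) { print $1; exit } }
    '
}

# Look at the key file without importing it (show-only), check the
# fingerprint, and only then let it into the keyring.
import_key_checked() {   # KEYFILE EXPECTED_FPR
    gpg2 --batch --with-colons --import-options show-only --import "$1" \
        | fpr_ok "$2" || { echo "fingerprint mismatch: $1" >&2; return 1; }
    gpg2 --batch --import "$1"
}

# Verify the clearsigned digest list, then compare the ISO's digest with the
# entry in that signed text (not with an unsigned CHECKSUM next to it).
verify_iso() {           # CHECKSUM.asc ISO
    gpg2 --batch --verify "$1" || { echo "bad signature on $1" >&2; return 1; }
    want=$(expected_sha256 "$(basename "$2")" < "$1")
    [ -n "$want" ] || { echo "no digest for $2 in $1" >&2; return 1; }
    have=$(sha256sum "$2" | cut -d' ' -f1)
    [ "$want" = "$have" ] || { echo "digest mismatch: $2" >&2; return 1; }
}

# Usage: sh verify-centos.sh RPM-GPG-KEY-CentOS-Official '<fingerprint from centos.org/keys>' CHECKSUM.asc file.iso
if [ $# -eq 4 ]; then
    import_key_checked "$1" "$2" && verify_iso "$3" "$4" && echo "OK: $4 verified"
fi
```

The show-only import is the point of the exercise: gpg2 prints the key as it would be stored, the script compares the primary fingerprint with the one read over TLS, and nothing reaches the keyring until that matches. Reading the digest from CHECKSUM.asc rather than from the plain CHECKSUM file keeps the comparison tied to the bytes the signature actually covers.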