We are looking at the possibility of providing signed repomd.xml.asc files for all CentOS controlled repos for CentOS-6 and CentOS-7.
I have created an update repository for CentOS-6 and CentOS-7 for testing. They are not going to be maintained current (and are already a couple of updates behind) and should *NOT* be used in production ... but if we can get some people to test these on some testing platforms that would be great:
http://dev.centos.org/centos/6/updates/x86_64/
http://dev.centos.org/centos/7/updates/x86_64/
Basically, to use signed metadata for these testing repos, you would need to modify the /etc/yum.repos.d/CentOS-Base.repo and do the following to the 'updates' section:
1. Remark out the current mirrorlist and/or baseurl statements.
2. Add the following:
For CentOS-6:
repo_gpgcheck=1
baseurl=http://dev.centos.org/centos/6/updates/x86_64/
For CentOS-7:
repo_gpgcheck=1
baseurl=http://dev.centos.org/centos/7/updates/x86_64/
================================ *DO NOT USE THESE REPOS FOR UPDATES LONG TERM, THEY ARE FOR TESTING ONLY* ================================
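The two-step edit described above, as an added shell example that is not part of Johnny's mail: rewrite_updates_section rewrites only the [updates] section of a CentOS-Base.repo style file (a constructed, trimmed stand-in is embedded as sample_repo), and verify_repomd_signature is an assumed helper that fetches repomd.xml and its repomd.xml.asc from the testing repo and checks the detached signature with gpg, assuming the signing key is already in the local gpg keyring.

```shell
# Rewrite the [updates] section of a CentOS-Base.repo style file so it uses
# the signed testing repo with repo_gpgcheck=1. Other sections pass through.
# Usage: rewrite_updates_section 6|7 < CentOS-Base.repo > CentOS-Base.repo.new
rewrite_updates_section() {
    awk -v rel="$1" '
        /^\[/ {
            in_updates = ($0 == "[updates]")
            print
            if (in_updates) {
                print "repo_gpgcheck=1"
                print "baseurl=http://dev.centos.org/centos/" rel "/updates/x86_64/"
            }
            next
        }
        # Step 1 of the mail: remark out the existing mirrorlist/baseurl lines.
        in_updates && /^(mirrorlist|baseurl)=/ { print "#" $0; next }
        { print }
    '
}

# Constructed stand-in for /etc/yum.repos.d/CentOS-Base.repo, trimmed to two
# sections; the real file carries more sections, comments and gpgkey lines.
sample_repo() {
cat <<'EOF'
[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
EOF
}

# Assumed helper, not from the mail: fetch repomd.xml and repomd.xml.asc from
# the testing repo and gpg-verify them (key must already be in the keyring).
verify_repomd_signature() {
    base="http://dev.centos.org/centos/$1/updates/x86_64/repodata"
    tmp=$(mktemp -d) || return 1
    curl -fsSL -o "$tmp/repomd.xml" "$base/repomd.xml" &&
        curl -fsSL -o "$tmp/repomd.xml.asc" "$base/repomd.xml.asc" &&
        gpg --verify "$tmp/repomd.xml.asc" "$tmp/repomd.xml"
    rc=$?
    rm -rf "$tmp"
    return $rc
}
```

Run as `sample_repo | rewrite_updates_section 7` to see the rewritten file; verify_repomd_signature needs network access and the imported key, so it is a manual check after the repo switch.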
One thing we would like to figure out (and then test) is the ability to somehow get this key to be added automatically via a kickstart so that one can use signed metadata for unattended installs.
Without testing and feedback, and possibly key auto import capability, this proposal will likely go nowhere .. so if this is a feature that you want, please test and provide feedback and help us find a solution for auto import of the yum key.
Thanks, Johnny Hughes
On Tue, Apr 14, 2015, at 07:54 AM, Johnny Hughes wrote:
> We are looking at the possibility of providing signed repomd.xml.asc files for all CentOS controlled repos for CentOS-6 and CentOS-7.
For anyone who hasn't seen it, the TL;DR from: http://theupdateframework.com/ is "GPG sign your repo metadata", so I'm glad we're doing this =)
> For CentOS-7:
> repo_gpgcheck=1
> baseurl=http://dev.centos.org/centos/7/updates/x86_64/
I tested this via "docker run --rm -ti centos bash", then editing the /etc/yum.repos.d file, and it worked. I saw in strace that yum was at least downloading and trying to verify the signature.
> One thing we would like to figure out (and then test) is the ability to somehow get this key to be added automatically via a kickstart so that one can use signed metadata for unattended installs.
GPG signatures and RPM and Anaconda have always been pretty broken, sadly: https://bugzilla.redhat.com/show_bug.cgi?id=998
(That's only "fixed" by not using GPG, but relying on TLS, which is very much not the same thing. It gets closer if you use "pinned TLS", i.e. pre-specify a particular CA root instead of relying on ca-certificates)
> Without testing and feedback, and possibly key auto import capability, this proposal will likely go nowhere .. so if this is a feature that you want, please test and provide feedback and help us find a solution for auto import of the yum key.
Even if Anaconda doesn't support it, it's still possible for downstream users to manually enable it in the repo file post installation. Probably very few will, but at some point maybe Anaconda will learn GPG...
On 04/14/2015 09:58 AM, Colin Walters wrote:
> On Tue, Apr 14, 2015, at 07:54 AM, Johnny Hughes wrote:
>> We are looking at the possibility of providing signed repomd.xml.asc files for all CentOS controlled repos for CentOS-6 and CentOS-7.
> For anyone who hasn't seen it, the TL;DR from: http://theupdateframework.com/ is "GPG sign your repo metadata", so I'm glad we're doing this =)
>> For CentOS-7:
>> repo_gpgcheck=1
>> baseurl=http://dev.centos.org/centos/7/updates/x86_64/
> I tested this via "docker run --rm -ti centos bash", then editing the /etc/yum.repos.d file, and it worked. I saw in strace that yum was at least downloading and trying to verify the signature.
>> One thing we would like to figure out (and then test) is the ability to somehow get this key to be added automatically via a kickstart so that one can use signed metadata for unattended installs.
> GPG signatures and RPM and Anaconda have always been pretty broken, sadly: https://bugzilla.redhat.com/show_bug.cgi?id=998
> (That's only "fixed" by not using GPG, but relying on TLS, which is very much not the same thing. It gets closer if you use "pinned TLS", i.e. pre-specify a particular CA root instead of relying on ca-certificates)
>> Without testing and feedback, and possibly key auto import capability, this proposal will likely go nowhere .. so if this is a feature that you want, please test and provide feedback and help us find a solution for auto import of the yum key.
> Even if Anaconda doesn't support it, it's still possible for downstream users to manually enable it in the repo file post installation. Probably very few will, but at some point maybe Anaconda will learn GPG...
No real feedback with this except for Colin .. my understanding is lots of people want this, where is the testing?
If we don't get any more feedback or help in adjusting this to auto-import the key, then we will just start doing it as is in 2 weeks. Now is the time to test and get your fixes in!
Thanks, Johnny Hughes
On 04/24/2015 02:26 PM, Johnny Hughes wrote:
> No real feedback with this except for Colin .. my understanding is lots of people want this, where is the testing?
Since the change will not impact existing installs, and people have the opportunity to opt into getting secure content, verifiable end to end, I'd say let's go ahead and make this change.
- KB
On 04/24/2015 08:33 AM, Karanbir Singh wrote:
> On 04/24/2015 02:26 PM, Johnny Hughes wrote:
>> No real feedback with this except for Colin .. my understanding is lots of people want this, where is the testing?
> Since the change will not impact existing installs, and people have the opportunity to opt into getting secure content, verifiable end to end, I'd say let's go ahead and make this change.
> - KB
Since we did not get any negative feedback or help in doing an auto-import feature for the key, this is now implemented as tested for CentOS-6 and CentOS-7.
Thanks, Johnny Hughes
On Wed, May 6, 2015, at 06:33 AM, Johnny Hughes wrote:
> Since we did not get any negative feedback or help in doing an auto-import feature for the key, this is now implemented as tested for CentOS-6 and CentOS-7.
How long will this take to appear on http://mirror.centos.org/centos/7/os/x86_64/repodata/
Or am I looking in the wrong place?
On Thu, May 07, 2015 at 02:54:22PM -0400, Colin Walters wrote:
> How long will this take to appear on http://mirror.centos.org/centos/7/os/x86_64/repodata/
> Or am I looking in the wrong place?
I had thought signed repodata was currently for the updates repo only?
John
On 07/05/15 19:54, Colin Walters wrote:
> On Wed, May 6, 2015, at 06:33 AM, Johnny Hughes wrote:
>> Since we did not get any negative feedback or help in doing an auto-import feature for the key, this is now implemented as tested for CentOS-6 and CentOS-7.
> How long will this take to appear on http://mirror.centos.org/centos/7/os/x86_64/repodata/
> Or am I looking in the wrong place?
We are not signing the OS tree metadata yet, since this represents an exact mirror of what's on the Everything ISO. The other repos should get it right away, and we will try and get the OS content signed for the next release.
I have an issue filed against the test suite to make sure we get it done: https://github.com/CentOS/sig-core-t_functional/issues/1
- KB