Hi All! Congratulations to the CentOS Team! Great handcraft! I am impressed!
While trying to verify the downloaded stuff, my mental questions got answered by myself. So, no need to ask the list, but this introspection shows a hidden workflow that is not so streamlined, but very crucial. So, I let it go ...
As mentioned, I wanted to verify the downloaded stuff and wondered where to find a trusted source for the RPM-GPG-KEY-CentOS-8 key file (yes, -8)? Okay, it's here https://www.centos.org/keys/ and the trust level is based on TLS.
But I still have some question marks:
- We all use gpg2, right? So the/my first check will go through gnupg, but GPG keyservers are not the first choice because everyone can upload keys, but there are some efforts to have the identities at least verified https://keys.openpgp.org/about/news#2019-06-12-launch . Maybe a good idea to have full key information (verified) for all CENTOS keys there as well?
so I switched to
- http://mirror.centos.org/centos/ via HTTP without TLS upgrade. So, also not a source. Is it planned to lift this up to https-only? BTW, no RPM-GPG-KEY-CentOS-8 under http://mirror.centos.org/centos/ Ah, it's RPM-GPG-KEY-CentOS-Official (another flow break).
I ended up here
- WWW via TLS
as mentioned above https://www.centos.org/keys/ and https://wiki.centos.org/Download/Verify
while the latter suggests wget over http:// (I know the fingerprint is https://wiki...-TLS protected). The wiki is still CentOS7 specific. From the usability point of view there is a forced translation needed from the user (my/users goal has CentOS8 as target).
So the only trusted source is https://www.centos.org/keys/ with https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official for CentOS8.
Finally, this would speed up this crucial part of verifying new distro stuff (ISO etc.):
Suggestions: Generalize the https://wiki.centos.org/Download/Verify content and include a link to https://www.centos.org/keys/ (actually missing), and the same URI could be added to the CHECKSUM.asc file. Maybe it's also a good best practice to have the fingerprints and the key files in two different realms too?
BTW, the wiki search result for gpg, pgp or keys does not bring "Download/Verify" as the first entry. Can this be upvoted or tagged?
Just thinking loud. Thanks, Leon
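A concrete version of the workflow described in the message above (key fetched only over TLS, fingerprint pinned from a second realm, then CHECKSUM.asc and the ISO checked), as an added example that is not part of the thread and not CentOS project code; the local file names are hypothetical and EXPECTED_FPR is a placeholder to be copied from https://www.centos.org/keys/.

```shell
#!/bin/sh
# Added example (not from the thread). Fetch the CentOS signing key only over TLS,
# compare its fingerprint with one pinned from a separate TLS-protected page, and
# only then import it and verify CHECKSUM.asc and the ISO checksums.
set -eu

KEY_URL="https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official"
# Placeholder: replace with the fingerprint shown on https://www.centos.org/keys/
EXPECTED_FPR="0000 0000 0000 0000 0000 0000 0000 0000 0000 0000"

# Accept only https:// sources; mirror.centos.org serves the key over plain http.
require_https() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-TLS source: $1" >&2; return 1 ;;
    esac
}

# Canonical form for comparison: no spaces, upper-case hex digits.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'; }

# Primary-key fingerprint of an armored key file, read without importing it.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# The key is trusted only if its fingerprint equals the pinned one.
fingerprint_matches() {
    [ "$(norm_fpr "$(key_fingerprint "$1")")" = "$(norm_fpr "$EXPECTED_FPR")" ]
}

# Full flow: key over TLS -> pin check -> import -> signature -> ISO checksums.
verify_centos_media() {
    require_https "$KEY_URL"
    curl -fsSLo RPM-GPG-KEY-CentOS-Official "$KEY_URL"
    fingerprint_matches RPM-GPG-KEY-CentOS-Official || {
        echo "fingerprint mismatch: do not import this key" >&2; return 1; }
    gpg --batch --import RPM-GPG-KEY-CentOS-Official
    gpg --batch --verify CHECKSUM.asc                    # clear-signed checksum list
    grep '^SHA256' CHECKSUM.asc | sha256sum -c --ignore-missing   # ISOs in cwd
}

# Run the network steps only when asked, so the helpers can be sourced on their own.
if [ "${1:-}" = "--run" ]; then verify_centos_media; fi
```

Place CHECKSUM.asc and the ISO in the current directory and run the script with `--run`.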
On 9/25/19 11:47 PM, Leon Fauster via CentOS-devel wrote:
> So the only trusted source is https://www.centos.org/keys/ with https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official for CentOS8.
The key is also available on a system that has already been installed/setup, although the filename convention changed. Instead of:
/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-8
It is actually:
/etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial
Which I'll include here for posterity:
L~
On 27.09.19 13:59, Ladar Levison via CentOS-devel wrote:
> On 9/25/19 11:47 PM, Leon Fauster via CentOS-devel wrote:
>> So the only trusted source is https://www.centos.org/keys/ with https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official for CentOS8.
> The key is also available on a system that has already been installed/setup, although the filename convention changed. Instead of:
> /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-8
I want to cite what openbsd does https://www.openbsd.org/papers/bsdcan-signify.html
...snip After each release of OpenBSD, we generate a new key pair for the release after next. That's plus two. For example, after 5.6 was released, keys for 5.8 were generated. This way, the 5.8 keys are then included in the 5.7 release. ...snap
In the CentOS world this could mean that CentOS 8 ships the key for CentOS 9 although not released yet. Actually all valid keys even for older releases could be in an rpm. rpm does check signatures, doesn't it?
Hm, if I remember correctly, anaconda wasn't always that good at checking signatures. At CentOS 6 times, installs over the network did not check them (please correct me if I am wrong) and that's why installs over http were deprecated. I do not know if anaconda improved in 7 or 8, does anyone know about this?
On 25. 09. 19 at 20:17 Leon Fauster via CentOS-devel wrote:
> As mentioned, I wanted to verify the downloaded stuff and wondered where to find a trusted source for the RPM-GPG-KEY-CentOS-8 key file (yes, -8)? Okay, it's here https://www.centos.org/keys/ and the trust level is based on TLS.
In package distribution-gpg-keys, which is available on all Fedora and in EPEL.
On 03.10.19 at 08:27 Miroslav Suchý wrote:
> On 25. 09. 19 at 20:17 Leon Fauster via CentOS-devel wrote:
>> As mentioned, I wanted to verify the downloaded stuff and wondered where to find a trusted source for the RPM-GPG-KEY-CentOS-8 key file (yes, -8)? Okay, it's here https://www.centos.org/keys/ and the trust level is based on TLS.
> In package distribution-gpg-keys, which is available on all Fedora and in EPEL.
This addresses exactly my need to check the integrity of the media ahead of time. Thanks for pointing me to this package!
Cheers, Leon