On 14.Jun.2013, at 13:20, James Hogarth wrote:
I think I am getting a little confused about these trust things.
How am *I* supposed to verify the validity of those public keys.
If you really want to be sure what you should do is compare them from your system to a trusted source such as the CentOS website, CentOS main repositories, CentOS IRC channel or here ;)
So I hardcode the keys in my %post and compare them to what was installed, instead of blindly importing them
…snip # import the pgp key cmp /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 - <<GUGU -----BEGIN PGP PUBLIC KEY BLOCK----- shiny KEY GOES HERE -----END PGP PUBLIC KEY BLOCK----- GUGU
if [ $? == 0 ]; then rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 fi snap...
still not quite sure what to do if the key does not match in the previous comparison. however, here are the keys I know of and if someone keys does not match she might raise her hands.
(what is the RPM-GPG-KEY-CentOS-Security-6 key for?)
# gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 pub 4096R/C105B9DE 2011-07-03 CentOS-6 Key (CentOS 6 Official Signing Key) centos-6-key@centos.org Key fingerprint = C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE
# gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Debug-6 pub 4096R/D0FF3D16 2011-07-03 CentOS-6 Debuginfo Key (CentOS-6 Debuginfo Signing Key) centos-6-debug-key@centos.org Key fingerprint = 69B3 0F26 BA2B 3AA4 C27C E4F5 3B75 CF79 D0FF 3D16
# gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Security-6 pub 4096R/FE837F6F 2011-07-03 CentOS-6 Security Key (CentOS-6 Official Security Key) centos-6-security-key@centos.org Key fingerprint = 0830 F43C 928A A5A8 A6F1 AF97 0B13 2C3F FE83 7F6F
# gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Testing-6 pub 4096R/EF1D6DB8 2011-07-03 CentOS-6 Testing Key (CentOS-6 Test and Beta Signing Key) centos-6-testing-key@centos.org Key fingerprint = 4233 9C29 8BC4 352C A4F9 7504 119C 1A87 EF1D 6DB8