Hi, I read http://www.stigviewer.com/check/RHEL-06-000008
The CentOS keys live in /etc/pki/rpm-gpg and when I run yum the first time I am asked if I want to accept the key. Alternatively I could import them manually with something like 'rpm --import /etc/pki/rpm-gpg/$key', maybe in the %post of a kickstart.
I am wondering why this import is not happening automatically at install time. There must be good reasons for that?
> I am wondering why this import is not happening automatically at install time. There must be good reasons for that?
Anaconda doesn't actually carry out gpg checks... I think it had that added during the Fedora 18/19 rewrite so EL7 might cover that but certainly EL5 and EL6 won't have that ...
Since it doesn't do gpg checks I guess the rpm keys are never added as a result - as you say %post would resolve that ...
To maintain my systems I use Spacewalk and the kickstarts that are generated as part of that include importing of GPG keys listed in the spacewalk configuration...
On 13.Jun.2013, at 13:14, James Hogarth wrote:
It makes sense then. Since anaconda does not check the signature of the centos-release rpm it can not ensure that the contained public key is not faked and leaves this exercise to the user.
I think I am getting a little confused about these trust things. How am *I* supposed to verify the validity of those public keys?
> I think I am getting a little confused about these trust things.
> How am *I* supposed to verify the validity of those public keys?
If you really want to be sure what you should do is compare them from your system to a trusted source such as the CentOS website, CentOS main repositories, CentOS IRC channel or here ;)
On 14.Jun.2013, at 13:20, James Hogarth wrote:
So I hardcode the keys in my %post and compare them to what was installed, instead of blindly importing them.
...snip

# import the pgp key only if the installed key file matches the hardcoded copy
cmp /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 - <<GUGU
-----BEGIN PGP PUBLIC KEY BLOCK-----
shiny KEY GOES HERE
-----END PGP PUBLIC KEY BLOCK-----
GUGU
if [ $? -eq 0 ]; then
    rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
fi

snap...
Still not quite sure what to do if the key does not match in the previous comparison. However, here are the keys I know of, and if someone's keys do not match she might raise her hands.
(what is the RPM-GPG-KEY-CentOS-Security-6 key for?)
# gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6
pub  4096R/C105B9DE 2011-07-03 CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
      Key fingerprint = C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE

# gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Debug-6
pub  4096R/D0FF3D16 2011-07-03 CentOS-6 Debuginfo Key (CentOS-6 Debuginfo Signing Key) <centos-6-debug-key@centos.org>
      Key fingerprint = 69B3 0F26 BA2B 3AA4 C27C E4F5 3B75 CF79 D0FF 3D16

# gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Security-6
pub  4096R/FE837F6F 2011-07-03 CentOS-6 Security Key (CentOS-6 Official Security Key) <centos-6-security-key@centos.org>
      Key fingerprint = 0830 F43C 928A A5A8 A6F1 AF97 0B13 2C3F FE83 7F6F

# gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Testing-6
pub  4096R/EF1D6DB8 2011-07-03 CentOS-6 Testing Key (CentOS-6 Test and Beta Signing Key) <centos-6-testing-key@centos.org>
      Key fingerprint = 4233 9C29 8BC4 352C A4F9 7504 119C 1A87 EF1D 6DB8
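A variant of the %post check above that pins the key fingerprints instead of the whole armored block, so the comparison is against the value that was verified out of band. This is an added example, not code from the thread; it assumes gpg is available in %post and that its --with-colons listing emits an "fpr" record with the fingerprint in the 10th field (true for the gpg 1.x shipped with EL6 and for gpg 2.x).

```sh
# Added example (not from the thread): import a CentOS 6 key only when its
# fingerprint matches a value pinned here from an out-of-band source.
# The pinned fingerprints are the ones posted in the thread above.

# Pinned key name -> expected fingerprint (no spaces, upper case).
expected_fpr() {
    case "$1" in
        RPM-GPG-KEY-CentOS-6)          echo C1DAC52D1664E8A4386DBA430946FCA2C105B9DE ;;
        RPM-GPG-KEY-CentOS-Debug-6)    echo 69B30F26BA2B3AA4C27CE4F53B75CF79D0FF3D16 ;;
        RPM-GPG-KEY-CentOS-Security-6) echo 0830F43C928AA5A8A6F1AF970B132C3FFE837F6F ;;
        RPM-GPG-KEY-CentOS-Testing-6)  echo 42339C298BC4352CA4F97504119C1A87EF1D6DB8 ;;
        *) return 1 ;;
    esac
}

# Pull the primary key fingerprint out of a machine-readable gpg listing.
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10; exit }'
}

# 0 if the fingerprint equals the pinned one for that key name, else 1
# (an unknown key name is also a mismatch, never a silent pass).
fpr_matches() {
    want=$(expected_fpr "$1") || return 1
    [ "$2" = "$want" ]
}

# Fingerprint of a key file on disk (requires gpg).
file_fpr() {
    gpg --with-fingerprint --with-colons "$1" 2>/dev/null | fpr_from_colons
}

# Verify every pinned key present in the directory and import only the
# ones that match; a mismatch is reported and makes the function fail.
import_pinned_keys() {
    dir="${1:-/etc/pki/rpm-gpg}"; rc=0
    for name in RPM-GPG-KEY-CentOS-6 RPM-GPG-KEY-CentOS-Debug-6 \
                RPM-GPG-KEY-CentOS-Security-6 RPM-GPG-KEY-CentOS-Testing-6; do
        [ -f "$dir/$name" ] || continue
        fpr=$(file_fpr "$dir/$name")
        if fpr_matches "$name" "$fpr"; then
            rpm --import "$dir/$name"
        else
            echo "MISMATCH: $name has fingerprint '$fpr'; not importing" >&2
            rc=1
        fi
    done
    return $rc
}
```

Call import_pinned_keys from %post; a non-zero return is the "key does not match" case, which is left to the kickstart author to handle (abort, log, or leave the key unimported).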
On 06/25/2013 10:38 AM, Markus Falb wrote:
These match the ones I have used for the last 18 months.
On 06/13/2013 11:18 AM, Markus Falb wrote:
It boils down to how much trust you have in the install media. One school of thought is that compromised media is going to be game over in many ways, other than just keys. While others consider keys to be yet another barrier.
Keys are also published at the CentOS mirrors, and the installer ISO sums are published in the release notes. Both of these resources should be spread enough that using multiple sources should help increase confidence levels.
- KB