On Mon, 26 Apr 2004, Jacob Robert Wilkins wrote:
> I just installed the latest CentOS and Yum keeps reporting that the correct GPG keys are not installed. How do I install them?
rpm --import http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
It's a common question. We need to do a better job of making the solution known.
now present at: http://caosity.org/index.php?option=faq&task=viewfaq&artid=24&It...
-- Russ Herrold
R P Herrold wrote:
> On Mon, 26 Apr 2004, Jacob Robert Wilkins wrote:
> It's a common question. We need to do a better job of making the solution known.
I am new to CentOS and must say that I am very happy with it! This being said: I did have the same problem, and some Googling showed me the way.
> now present at: http://caosity.org/index.php?option=faq&task=viewfaq&artid=24&It...
Well-maintained FAQs are vital to keep the same questions from reappearing on the list time and time again. I can speak from the experience I have built up by my (very modest) contributions to Nagios (http://www.nagios.org) and its mailing lists.
Ethan, lead developer of Nagios, has created a FAQ system that allows users to send in FAQs (together with the answer). It is moderated, so they only appear on the FAQ listings when he has reviewed them. It has a search function as well (something which is lacking on the CentOS FAQs, IIRC).
Another good thing would be a search function for the mailing list archives. I have looked for one, but haven't found it so far.
I hope my remarks are not seen as bad criticism, but as constructive ;-)
Keep up the good work with CentOS!
Kind regards, Tom
On Mon, 26 Apr 2004, R P Herrold wrote:
> On Mon, 26 Apr 2004, Jacob Robert Wilkins wrote:
>> I just installed the latest CentOS and Yum keeps reporting that the correct GPG keys are not installed. How do I install them?
> rpm --import http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
> It's a common question. We need to do a better job of making the solution known.
I think the key should be installed automatically as part of the install process - but don't know how / why it isn't ...
Lance
On Tue, 2004-04-27 at 06:31, Lance Davis wrote:
> On Mon, 26 Apr 2004, R P Herrold wrote:
>> On Mon, 26 Apr 2004, Jacob Robert Wilkins wrote:
>>> I just installed the latest CentOS and Yum keeps reporting that the correct GPG keys are not installed. How do I install them?
>> rpm --import http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
>> It's a common question. We need to do a better job of making the solution known.
> I think the key should be installed automatically as part of the install process - but don't know how / why it isn't ...
> Lance
I just did a search of all RPM-GPG-KEY* files on my CentOS 3.1 install and none of the ones I found match http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
You might consider at least putting the key in /usr/share/rhn.
Johnny Hughes wrote:
> I just did a search of all RPM-GPG-KEY* files on my CentOS 3.1 install and none of the ones I found match http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
Confirmed -- CentOS3 install does not put the GPG keys anywhere on the disk, it requires you to go digging around. In contrast, RHEL3 places theirs on disk, and the first time you run up2date it tells you the exact command needed to continue (just did another RHEL3 install yesterday).
Not sure if that can be done with yum, but sure would be handy. Saves a bunch of time digging around for a) the command, and b) where the key got installed.
-te
On Tue, 27 Apr 2004, Troy Engel wrote:
> Johnny Hughes wrote:
>> I just did a search of all RPM-GPG-KEY* files on my CentOS 3.1 install and none of the ones I found match http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
> Confirmed -- CentOS3 install does not put the GPG keys anywhere on the disk, it requires you to go digging around. In contrast, RHEL3 places theirs on disk, and the first time you run up2date it tells you the exact command needed to continue (just did another RHEL3 install yesterday).
The required GPG_KEY files are on the disk 1 ISO.
I don't know why they don't get installed ...
> Not sure if that can be done with yum, but sure would be handy. Saves a bunch of time digging around for a) the command, and b) where the key got installed.
We may modify yum to show where the files are.
Regards Lance
On Tue, 2004-04-27 at 17:23, Lance Davis wrote:
> On Tue, 27 Apr 2004, Troy Engel wrote:
>> Johnny Hughes wrote:
>>> I just did a search of all RPM-GPG-KEY* files on my CentOS 3.1 install and none of the ones I found match http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
>> Confirmed -- CentOS3 install does not put the GPG keys anywhere on the disk, it requires you to go digging around. In contrast, RHEL3 places theirs on disk, and the first time you run up2date it tells you the exact command needed to continue (just did another RHEL3 install yesterday).
> The required GPG_KEY files are on the disk 1 ISO.
> I don't know why they don't get installed ...
>> Not sure if that can be done with yum, but sure would be handy. Saves a bunch of time digging around for a) the command, and b) where the key got installed.
> We may modify yum to show where the files are.
Don't get me wrong ... it only took me a couple of seconds to find the file. But that is because I've done this before. It might be quite hard for someone who is fairly new to Linux.
> Regards Lance
On Tue, 27 Apr 2004, Johnny Hughes wrote:
> On Tue, 2004-04-27 at 06:31, Lance Davis wrote:
>> On Mon, 26 Apr 2004, R P Herrold wrote:
>>> On Mon, 26 Apr 2004, Jacob Robert Wilkins wrote:
>>>> I just installed the latest CentOS and Yum keeps reporting that the correct GPG keys are not installed. How do I install them?
>>> rpm --import http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
>>> It's a common question. We need to do a better job of making the solution known.
>> I think the key should be installed automatically as part of the install process - but don't know how / why it isn't ...
>> Lance
> I just did a search of all RPM-GPG-KEY* files on my CentOS 3.1 install and none of the ones I found match http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
> You might consider at least putting the key in /usr/share/rhn.
The key is on the disk 1 ISO - I think there is a bug that it doesn't get installed into the rpm db, which is where it needs to be ...
Regards Lance
On Tue, 27 Apr 2004, Lance Davis wrote:
> I think the key should be installed automatically as part of the install process - but don't know how / why it isn't ...
Two schools of thought there -- When doing a local RO media install, one assumedly trusts the media to not have been tampered with, and it should be added [the use of the media is a manual act of trust]; when doing a wire install, unless there is a prior affirmative act on the chain of trust [manual installation of the key from a trusted source], it is probably reasonable not to do so (rpm as a matter of strict policy runs without user intervention).
Once an initial trusted key is installed, supplemental keys may be managed under the rpm packaging mechanism (an approach with %pre/%post script management comes to mind). This is because the later keying packages would be oversigned with a key properly on the keychain. Expirations and revocations can then also be handled more cleanly. (This is the relaxed school.)
Others feel: by rights, really, rpm should not receive an import of a key without a mechanism for preventing a hostile insertion -- such as a passphrase -- but the counter-argument is that as only 'root' has RW access on the relevant file, if the attacker already has root rights, they could sniff the needed passphrase to do so.
The contrary school is the GPG passphrase school, which adds the supplemental protection anyway. (This is the tin foil hat school.)
-- Russ Herrold
On Tue, 27 Apr 2004, R P Herrold wrote:
> On Tue, 27 Apr 2004, Lance Davis wrote:
>> I think the key should be installed automatically as part of the install process - but don't know how / why it isn't ...
> Two schools of thought there -- When doing a local RO media install, one assumedly trusts the media to not have been tampered with, and it should be added [the use of the media is a manual act of trust]; when doing a wire install, unless there is a prior affirmative act on the chain of trust [manual installation of the key from a trusted source], it is probably reasonable not to do so (rpm as a matter of strict policy runs without user intervention).
But surely - if the key is not the correct one - i.e. is a trojan, then the packages may also have been signed with the trojanned key anyway - because they are being downloaded from the same source .....
The key should really not be sourced from a mirror, I guess, only from the root repo, or the key md5sum should be checked. ???
Lance
On Wed, 28 Apr 2004, Lance Davis wrote:
> But surely - if the key is not the correct one - i.e. is a trojan, then the packages may also have been signed with the trojanned key anyway - because they are being downloaded from the same source .....
> The key should really not be sourced from a mirror, I guess, only from the root repo, or the key md5sum should be checked. ???
Well, yes -- I did not want to publicly point out that if the mirror is compromised, we are toast anyway with the present setup.
I have been thinking about trust and how to get more of it in your keying. My post was in part to talk through the issue, to see if something obvious to solve the problem would appear -- ultimately, there has to be at least one manual operation, or a publicly countersigned (as by an external CA) key, to get past the problem.
-- Russ
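The check Lance proposes above (pin a checksum of the key and verify it before trusting the copy a mirror serves) is the "one manual operation" Russ refers to: the pinned value has to come from somewhere other than the mirror, e.g. the key file on the install ISO or the root repository. The script below is an added example written for this page; it is not code from the thread or from the CentOS project. It uses SHA-256 rather than md5sum, defaults the importer to `rpm --import` but lets RPM_IMPORT override it for dry runs, and every checksum or path in it is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread or the CentOS project): only hand a
# downloaded repository signing key to "rpm --import" when its SHA-256
# matches a value pinned out of band. EXPECTED values below are
# placeholders you must replace with a digest you verified yourself.

# sha256_of FILE: print the lowercase hex SHA-256 digest of FILE.
sha256_of() {
    sha256sum "$1" | cut -d' ' -f1
}

# verify_key_checksum FILE EXPECTED: exit 0 only when the digest of FILE
# equals EXPECTED (compared case-insensitively). A missing or unreadable
# file yields an empty digest and therefore fails.
verify_key_checksum() {
    actual=$(sha256_of "$1" 2>/dev/null)
    expected=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

# import_key_if_trusted FILE EXPECTED: run the importer only after the
# pinned checksum matches. RPM_IMPORT defaults to "rpm --import"; set it
# to "true" for a dry run on a host without rpm.
import_key_if_trusted() {
    if verify_key_checksum "$1" "$2"; then
        ${RPM_IMPORT:-rpm --import} "$1"
    else
        echo "refusing to import $1: digest does not match pinned value" >&2
        return 1
    fi
}

# list_imported_keys: show which public keys rpm already trusts. Imported
# keys live in the rpm database as pseudo-packages named
# gpg-pubkey-<keyid>-<timestamp>, which is why searching the filesystem
# for RPM-GPG-KEY* files does not answer "is the key installed?".
list_imported_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# Usage: sh verify-key.sh /path/to/RPM-GPG-KEY-CentOS-3 <pinned sha256>
if [ "$#" -eq 2 ]; then
    import_key_if_trusted "$1" "$2"
fi
```

A digest over the armored key file is brittle (re-armoring the same key changes it), so once the key is imported, `list_imported_keys` is the check to rely on, and the pinned value is worth recording alongside the key's GPG fingerprint wherever you keep your out-of-band trust anchors.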