26 Jan
2017
26 Jan
'17
9:30 p.m.
On 01/26/2017 12:14 PM, Johnny Hughes wrote:
The testing RPMs are not signed .. they are straight from CBS. Does the testing repo not have 'gpgcheck=0'?
Ok, thanks. Given the level of system interaction that qemu/kvm has, it would be an ideal vector for malware, and package signing prevents this. My copy of the repo file has the following: +++++++++++ [centos-qemu-ev-test] name=CentOS-$releasever - QEMU EV Testing baseurl=http://buildlogs.centos.org/centos/$releasever/virt/$basearch/kvm-common/ gpgcheck=1 enabled=0 gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-SIG-Virtualization