[CentOS-devel] Re: Point yum repos to centos gpg key in /etc/pki/

Mon Feb 25 19:13:46 UTC 2008
Scott Silva <ssilva at sgvwater.com>

on 2/25/2008 10:40 AM Jeff Sheltren spake the following:
> On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:
>> Jeff Sheltren wrote:
>>> Hi, as a follow up to a conversation in #centos-devel, I'd like to 
>>> get input from the list on this issue.
>>> The question is where to point people, and tools like yum, for the 
>>> centos gpg key used to verify rpm signatures.  My opinion is that 
>>> pointing to the key in /etc/pki/ which gets installed by the 
>>> centos-release makes the most sense.  This is already installed 
>>> locally on any centos (-5) machine.  See ie. 
>>> http://bugs.centos.org/view.php?id=2419
>>> From a security standpoint, there are issues with either choice.  
>>> However, if your install media has been compromised, then there would 
>>> be many other ways to bypass the gpg checks rather than just changing 
>>> the gpg key from the centos-release package.  Pointing to a URL for 
>>> the gpg key opens up more security issues such as dns poisoning.
>>> -Jeff
>> I think that for the CentOS-Media.repo file that using the /etc/pki 
>> directory makes sense.
>> I STILL think pointing to the http://mirror.centos.org/ site is best 
>> for the web enabled CentOS-Base.repo file.
> Johnny, could you let us know your reasons for wanting to point to the 
> remote GPG key?
I would think if you could compromise the mirror dns list, you could have 
malicious rpm's signed by a malicious key, and have thousands of systems get 

MailScanner is like deodorant...
You hope everybody uses it, and
you notice quickly if they don't!!!!

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 250 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20080225/ecd5da4a/attachment-0005.sig>