[CentOS-devel] Point yum repos to centos gpg key in /etc/pki/

Mon Feb 25 19:41:24 UTC 2008
Johnny Hughes <johnny at centos.org>

Jeff Sheltren wrote:
> On Feb 25, 2008, at 10:34 AM, Johnny Hughes wrote:
>> Jeff Sheltren wrote:
>>> Hi, as a follow up to a conversation in #centos-devel, I'd like to 
>>> get input from the list on this issue.
>>> The question is where to point people, and tools like yum, for the 
>>> centos gpg key used to verify rpm signatures.  My opinion is that 
>>> pointing to the key in /etc/pki/ which gets installed by the 
>>> centos-release makes the most sense.  This is already installed 
>>> locally on any centos (-5) machine.  See ie. 
>>> http://bugs.centos.org/view.php?id=2419
>>> From a security standpoint, there are issues with either choice.  
>>> However, if your install media has been compromised, then there would 
>>> be many other ways to bypass the gpg checks rather than just changing 
>>> the gpg key from the centos-release package.  Pointing to a URL for 
>>> the gpg key opens up more security issues such as dns poisoning.
>>> -Jeff
>> I think that for the CentOS-Media.repo file that using the /etc/pki 
>> directory makes sense.
>> I STILL think pointing to the http://mirror.centos.org/ site is best 
>> for the web enabled CentOS-Base.repo file.
> Johnny, could you let us know your reasons for wanting to point to the 
> remote GPG key?

We DON'T allow downloads of ISOs from centos.org servers due to 
bandwidth considerations.  It would be fairly easy to put out an ISO 
that had different RPMS and a different key.

Granted, people CAN check the md5 and sha1 sum of the ISOs if they choose.

Since we do control the content of every mirror.centos.org server, we 
know that the key file is correct.  In order to make that key AND the 
RPMS be bad, they need a doctored CD *AND* they need to hijack our 
content by DNS poisoning or getting control of our servers.

I just think if you are using the internet anyway, why not also get the 
key from a known location.

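The choice the thread argues over lives in the `gpgkey=` line of each yum repo section. As an added example (not code from the thread or from the CentOS project), this POSIX sh/awk script audits .repo files and reports, per section, whether gpgcheck is enabled and whether the key comes from a local `file://` path under /etc/pki or a remote `http://` URL, so a defender can see which repos depend on the network (and DNS) for their trust anchor. The repo text it runs on is a constructed sample modelled on CentOS-Base.repo and CentOS-Media.repo; the section names and URLs in it are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread: audit yum .repo sections for how
# they reference the RPM signing key. For every [section] it prints whether
# gpgcheck is on and whether gpgkey is a local file:// path (the /etc/pki
# choice) or a remote http:// URL (the mirror.centos.org choice).
# Assumes POSIX sh and awk. The sample repo text below is constructed.

audit_repo() {
    # Usage: audit_repo [file...]; reads stdin when no file is given.
    # Output: one line per section, "section gpgcheck keysource".
    awk '
        function classify(v) {
            if (v ~ /^file:\/\//) return "local"
            if (v ~ /^https?:\/\//) return "remote"
            return "other"
        }
        function flush() { if (sec != "") printf "%s %s %s\n", sec, check, key }
        /^\[.*\]$/ { flush(); sec = substr($0, 2, length($0) - 2); check = "missing"; key = "none"; next }
        /^gpgcheck[[:space:]]*=/ { sub(/^gpgcheck[[:space:]]*=[[:space:]]*/, ""); check = $0; next }
        /^gpgkey[[:space:]]*=/   { sub(/^gpgkey[[:space:]]*=[[:space:]]*/, ""); key = classify($0); next }
        END { flush() }
    ' "$@"
}

# Constructed sample modelled on CentOS-Base.repo and CentOS-Media.repo
# (section names, URLs and key paths are assumptions for illustration).
SAMPLE_REPO='[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5

[c5-media]
name=CentOS-$releasever - Media
baseurl=file:///media/CentOS/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[extras-unchecked]
name=constructed section with signature checking turned off
baseurl=http://example.invalid/extras/
gpgcheck=0'

# Counts are returned as strings so the result can be checked, not only printed.
count_remote_keys() { printf '%s\n' "$SAMPLE_REPO" | audit_repo | awk '$3 == "remote"' | wc -l | tr -d ' '; }
count_unchecked()   { printf '%s\n' "$SAMPLE_REPO" | audit_repo | awk '$2 != "1"'     | wc -l | tr -d ' '; }

printf '%s\n' "$SAMPLE_REPO" | audit_repo
echo "sections with remote gpgkey: $(count_remote_keys)"
echo "sections without gpgcheck=1: $(count_unchecked)"
```

On a real CentOS machine the same check is `audit_repo /etc/yum.repos.d/*.repo`.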