[CentOS-devel] Point yum repos to centos gpg key in /etc/pki/

Mon Feb 25 20:47:35 UTC 2008
Peter Kjellstrom <cap at nsc.liu.se>

On Monday 25 February 2008, Johnny Hughes wrote:
> Jeff Sheltren wrote:
> > Johnny, could you let us know your reasons for wanting to point to the
> > remote GPG key?
> We DON'T allow downloads of ISOs from centos.org servers due to
> bandwidth considerations.  It would be fairly easy to put out an ISO
> that had different RPMS and a different key.
> Granted, people CAN check the md5 and sha1 sum of the ISOs if they choose.
> Since we do control the content of every mirror.centos.org server, we
> know that the key file is correct.  In order to make that key AND the
> RPMS be bad, they need a doctored CD *AND* they need to hijack our
> content by DNS poisoning or getting control of our servers.
> I just think if you are using the internet anyway, why not also get the
> key from a known location.

I agree that there's something intuitively right about that, but, 
unfortunately, it's wrong :-)

Here's why.

We have to assume that the install the user has is intact and uncompromised. 
Why? Well, if it has been compromised in any way then not only could it 
contain a malicious /etc/pki, it could of course have different gpgkey= lines 
in the .repo files...

It will have to be up to the user to make sure (with our help, signed .isos, 
installers that check rpm signatures and stage2 signature) that he/she has an 
ok system. If they fail then they don't really run centos, they run haxx0r os 
and any attempt to validate anything inside that will fail.

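The check that follows is an added example, not code from the thread or from the CentOS project. It does what the reply above says has to happen on the user's side: treat the key under /etc/pki/rpm-gpg and the gpgkey= lines in the .repo files as two things on the same possibly-compromised machine, and compare the shipped key against a fingerprint recorded out of band rather than against anything the machine itself supplies. It computes the OpenPGP v4 fingerprint of an ASCII-armored key file in pure standard-library Python, parses the gpgkey= entries of a yum .repo file, and flags entries that point at a remote key instead of a local file. The key path /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5 and the mirror URL are assumptions for the demo, the keys are constructed (a dummy RSA modulus, not a usable key), and the `key_files` dict stands in for the filesystem so the block runs offline.

```python
import base64
import configparser
import hashlib
import struct
from urllib.parse import urlparse

PUBLIC_KEY_TAG = 6  # RFC 4880 packet tag for a public-key packet


def dearmor(armored):
    """Strip OpenPGP ASCII armor (the format of the files under /etc/pki/rpm-gpg)."""
    b64, inside = [], False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP"):
            break
        elif inside and line and ": " not in line and not line.startswith("="):
            b64.append(line)  # skips armor headers and the =CRC24 line (not checked here)
    return base64.b64decode("".join(b64))


def first_packet(data):
    """Parse one packet header (RFC 4880 sec. 4.2); return (tag, body)."""
    ctb = data[0]
    if not ctb & 0x80:
        raise ValueError("not an OpenPGP packet")
    if ctb & 0x40:  # new-format header
        tag, first = ctb & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial body lengths not supported")
    else:  # old-format header: tag in bits 2-5, length type in bits 0-1
        tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        size = (1, 2, 4)[ltype]
        length, off = int.from_bytes(data[1:1 + size], "big"), 1 + size
    return tag, data[off:off + length]


def v4_fingerprint(armored_key):
    """SHA-1 over 0x99 || 2-byte length || key packet body (RFC 4880 sec. 12.2)."""
    tag, body = first_packet(dearmor(armored_key))
    if tag != PUBLIC_KEY_TAG or body[0] != 4:
        raise ValueError("expected a v4 public-key packet")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def gpgkey_sources(repo_text):
    """Map each [section] of a yum .repo file to its gpgkey= URLs (yum allows several)."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    return {s: cp[s]["gpgkey"].split() for s in cp.sections() if "gpgkey" in cp[s]}


def audit_repo(repo_text, key_files, pinned_fingerprint):
    """Return {section: [verdict per gpgkey URL]}; key_files stands in for the filesystem."""
    pin = pinned_fingerprint.replace(" ", "").upper()
    verdicts = {}
    for section, urls in gpgkey_sources(repo_text).items():
        for url in urls:
            u = urlparse(url)
            if u.scheme != "file":
                v = "REMOTE %s: key fetched at check time, nothing local to pin" % url
            elif u.path not in key_files:
                v = "MISSING " + u.path
            else:
                fp = v4_fingerprint(key_files[u.path])
                v = ("OK " if fp == pin else "MISMATCH ") + fp
            verdicts.setdefault(section, []).append(v)
    return verdicts


# --- constructed sample data: not real CentOS keys or repo files ---
def _mpi(n):
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def constructed_key(modulus):
    """Armored v4 RSA public-key packet with a dummy modulus; NOT a usable key."""
    body = b"\x04" + struct.pack(">I", 1203976055) + b"\x01" + _mpi(modulus) + _mpi(65537)
    packet = bytes([0x80 | (PUBLIC_KEY_TAG << 2), len(body)]) + body  # old format, 1-byte length
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
            + base64.b64encode(packet).decode() + "\n-----END PGP PUBLIC KEY BLOCK-----\n")


GOOD_KEY = constructed_key(0xC0FFEE00_00000000_00000000_DEADBEEF)
TAMPERED_KEY = constructed_key(0xC0FFEE00_00000000_00000000_DEADBEF1)  # differs from GOOD_KEY
KEY_PATH = "/etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5"  # assumed CentOS 5 key location
SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5

[base-remote-key]
name=same repo, key taken from the mirror instead (assumed URL)
baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=http://mirror.centos.org/centos/RPM-GPG-KEY-CentOS-5
"""
# The pin must come from outside the machine being checked. The constructed key has no
# published fingerprint, so the demo derives it once and treats it as the recorded value.
PINNED = v4_fingerprint(GOOD_KEY)
```

Run it with `audit_repo(SAMPLE_REPO, {KEY_PATH: GOOD_KEY}, PINNED)` and the `[base]` entry reports OK while `[base-remote-key]` is flagged REMOTE; swap in `TAMPERED_KEY` and `[base]` reports MISMATCH. The caveat is the one the reply makes: this script, the key file and the .repo file all live on the host in question, so a result only means something when the script and the pinned fingerprint are brought in from trusted media (a rescue environment, a verified ISO) rather than taken from the install being judged.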