[CentOS-devel] Point yum repos to centos gpg key in /etc/pki/

Mon Feb 25 18:30:50 UTC 2008
Peter Kjellstrom <cap at nsc.liu.se>

On Monday 25 February 2008, Jeff Sheltren wrote:
> Hi, as a follow up to a conversation in #centos-devel, I'd like to get
> input from the list on this issue.
>
> The question is where to point people, and tools like yum, for the
> centos gpg key used to verify rpm signatures.  My opinion is that
> pointing to the key in /etc/pki/ which gets installed by the centos-
> release makes the most sense.  This is already installed locally on
> any centos (-5) machine.  See ie. http://bugs.centos.org/view.php?id=2419

I agree with using /etc/pki. The most important thing to change are the 
gpgkey= lines in our .repo files.

>  From a security standpoint, there are issues with either choice.

Something like this:
current way (www.centos.org) trusts: local machine, dns, centos.org
/etc/pki trusts: local machine

/Peter
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part.
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20080225/4d6135c8/attachment-0007.sig>