[CentOS-devel] Signed repomd.xml.asc files for CentOS-6 and CentOS-7 (testing)

Johnny Hughes johnny at centos.org
Fri Apr 24 13:26:12 UTC 2015


On 04/14/2015 09:58 AM, Colin Walters wrote:
> On Tue, Apr 14, 2015, at 07:54 AM, Johnny Hughes wrote:
>> We are looking at the possibility of providing signed repomd.xml.asc
>> files for all CentOS controlled repos for CentOS-6 and CentOS-7.
> 
> For anyone who hasn't seen it, the TL;DR from:
> http://theupdateframework.com/
> is "GPG sign your repo metadata", so I'm glad we're doing this =)
> 
>> For CentOS-7:
>> repo_gpgcheck=1
>> baseurl=http://dev.centos.org/centos/7/updates/x86_64/
> 
> I tested this via "docker run --rm -ti centos bash", then editing
> the /etc/yum.repos.d file, and it worked.  I saw in strace that
> yum was at least downloading and trying to verify the signature.
> 
>> One thing we would like to figure out (and then tes)t is the ability to
>> somehow get this key to be added automatically via a kick start so that
>> one can use signed metadata for unattended installs.
> 
> GPG signatures and RPM and Anaconda has always been pretty broken, sadly:
> https://bugzilla.redhat.com/show_bug.cgi?id=998
> 
> (That's only "fixed" by not using GPG, but relying on TLS, which is very
>  much not the same thing.  It gets closer if you use "pinned TLS" i.e.
>  pre-specify a particular CA root instead of relying on ca-certificates)
> 
>> Without testing and feedback,  and possibly key auto import capability,
>> this proposal will likely go nowhere .. so if this is a feature that you
>> want, please test and provide feedback and help us find a solution for
>> auto import of the yum key.
> 
> Even if Anaconda doesn't support it, it's still possible for downstream
> users to manually enable in the repo file post installation.  Probably
> very few will, but at some point maybe Anaconda will learn GPG...

No real feedback with this except for Colin .. my understanding is lots
of people want this, where is the testing?

If we don't get any more feed back or help in adjusting this to
auto-import the key, then we will just start doing it as is in 2 weeks.
Now is the time to test and get your fixes in !

Thanks,
Johnny Hughes


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 198 bytes
Desc: OpenPGP digital signature
URL: <http://lists.centos.org/pipermail/centos-devel/attachments/20150424/1a3e05a6/attachment.sig>


More information about the CentOS-devel mailing list