[CentOS-devel] Signed repomd.xml.asc files for CentOS-6 and CentOS-7 (testing)

Tue Apr 14 14:58:58 UTC 2015
Colin Walters <walters at verbum.org>

On Tue, Apr 14, 2015, at 07:54 AM, Johnny Hughes wrote:
> We are looking at the possibility of providing signed repomd.xml.asc
> files for all CentOS controlled repos for CentOS-6 and CentOS-7.

For anyone who hasn't seen it, the TL;DR from:
is "GPG sign your repo metadata", so I'm glad we're doing this =)

> For CentOS-7:
> repo_gpgcheck=1
> baseurl=http://dev.centos.org/centos/7/updates/x86_64/

I tested this via "docker run --rm -ti centos bash", then editing
the /etc/yum.repos.d file, and it worked.  I saw in strace that
yum was at least downloading and trying to verify the signature.

> One thing we would like to figure out (and then test) is the ability to
> somehow get this key to be added automatically via a kick start so that
> one can use signed metadata for unattended installs.

GPG signatures and RPM and Anaconda have always been pretty broken, sadly:

(That's only "fixed" by not using GPG, but relying on TLS, which is very
 much not the same thing.  It gets closer if you use "pinned TLS" i.e.
 pre-specify a particular CA root instead of relying on ca-certificates)

> Without testing and feedback, and possibly key auto import capability,
> this proposal will likely go nowhere .. so if this is a feature that you
> want, please test and provide feedback and help us find a solution for
> auto import of the yum key.

Even if Anaconda doesn't support it, it's still possible for downstream
users to manually enable in the repo file post installation.  Probably
very few will, but at some point maybe Anaconda will learn GPG...
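As an added example (not from this thread, and not CentOS project code), a small Python audit of a yum .repo file that reports which repos actually get the repomd.xml.asc check that repo_gpgcheck=1 enables, and which only rely on TLS transport as discussed above; the sample repo file, the mirror hostnames and the gpgkey path are constructed placeholders.

```python
"""Audit yum/dnf .repo text for metadata-signature protections (added example)."""
import configparser
from typing import Dict, List

# Constructed sample .repo file: one repo with signed metadata (mirrors the
# repo_gpgcheck=1 setting from the thread), one relying on TLS only, one open.
# Hostnames under .invalid and the gpgkey path are placeholders.
SAMPLE_REPO_FILE = """\
[updates-testing]
name=CentOS-7 updates (signed metadata test)
baseurl=http://dev.centos.org/centos/7/updates/x86_64/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-PLACEHOLDER

[tls-only]
name=Mirror over TLS, metadata unsigned
baseurl=https://mirror.example.invalid/centos/7/os/x86_64/
gpgcheck=1

[wide-open]
name=No verification at all
baseurl=http://mirror.example.invalid/extras/
gpgcheck=0
"""

def _flag(section: configparser.SectionProxy, key: str) -> bool:
    """Treat 1/true/yes as enabled; a missing key defaults to disabled, as yum does."""
    return section.get(key, "0").strip().lower() in ("1", "true", "yes")

def audit_repo_text(text: str) -> Dict[str, List[str]]:
    """Return {repo_id: [findings]}; an empty list means the repo passed."""
    cp = configparser.ConfigParser(interpolation=None)  # $releasever etc. stay literal
    cp.read_string(text)
    report: Dict[str, List[str]] = {}
    for repo_id in cp.sections():
        sec, findings = cp[repo_id], []
        pkg_ok, meta_ok = _flag(sec, "gpgcheck"), _flag(sec, "repo_gpgcheck")
        if not pkg_ok:
            findings.append("gpgcheck disabled: package signatures not verified")
        if not meta_ok:
            findings.append("repo_gpgcheck disabled: repomd.xml never checked against repomd.xml.asc")
        if (pkg_ok or meta_ok) and "gpgkey" not in sec:
            findings.append("gpgkey missing: no key to verify with, import would be interactive")
        urls = " ".join(sec.get(k, "") for k in ("baseurl", "mirrorlist", "metalink"))
        if "http://" in urls and not meta_ok:
            findings.append("plain http with unsigned metadata: on-path replacement of repomd.xml possible")
        if "https://" in urls and not meta_ok:
            findings.append("TLS only: protects transit, not the mirror; not equivalent to signed metadata")
        report[repo_id] = findings
    return report
```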