[CentOS-devel] Checking signed repo metadata by default?
Laurentiu Pancescu
lpancescu at gmail.com
Thu Jan 12 16:51:03 UTC 2017
On 12/01/17 16:16, Johnny Hughes wrote:
> On 01/06/2017 03:49 AM, Laurentiu Pancescu wrote:
>> Would it be ok in this form? The only disadvantage I see is being asked
>> to trust the official CentOS key several times during the first "yum
>> update" (instead of just once).
>
> Right, the only real issue is more trust requests for the same key.

Then, which is the earliest time we could enable this? 7.4?

I tried to avoid the "importing key" prompt by importing the key in
advance, according to the documentation I found:

# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
# rpm -qa gpg-pubkey*
gpg-pubkey-f4a80eb5-53a7ff4b
# rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
Name : gpg-pubkey
Version : f4a80eb5
Release : 53a7ff4b
Architecture: (none)
Install Date: Thu 12 Jan 2017 04:16:24 PM UTC
Group : Public Keys
Size : 0
License : pubkey
Signature : (none)
Source RPM : (none)
Build Date : Mon 23 Jun 2014 10:19:55 AM UTC
Build Host : localhost
Relocations : (not relocatable)
Packager : CentOS-7 Key (CentOS 7 Official Signing Key) <security at centos.org>
Summary : gpg(CentOS-7 Key (CentOS 7 Official Signing Key) <security at centos.org>)
Description : [skipped due to verbosity]

But I'm still asked during the first "yum update", several times for the
same key - the fingerprint displayed during each prompt matches the key
I had already imported. Could anyone shed some light on what's going
on? Perhaps because we have a gpgkey setting in the .repo file?

Thanks,
Laurențiu
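
Added example, not part of the original message or of the CentOS/yum code: a small audit that reports, for each enabled repository, whether package signatures (gpgcheck) and repo metadata signatures (repo_gpgcheck, the yum.conf option for the check discussed in this thread) are on and which gpgkey is configured. The sample yum.conf and .repo contents are constructed, and the function names are hypothetical; a value in [main] is treated as the default for repos that do not set it.

```python
import configparser

# Constructed sample input (not taken from a real system).
SAMPLE_YUM_CONF = "[main]\ngpgcheck=1\nrepo_gpgcheck=0\n"
SAMPLE_REPO_FILE = """\
[base]
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[updates]
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
enabled=0
"""

TRUTHY = {"1", "yes", "true"}  # boolean spellings accepted in yum config

def _parse(text):
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    return parser

def _flag(section, key, default):
    return section.get(key, default).strip().lower() in TRUTHY

def audit(yum_conf_text, repo_text):
    conf = _parse(yum_conf_text)
    # [main] supplies the defaults; both checks are off if nothing sets them.
    main = conf["main"] if conf.has_section("main") else {}
    report, repos = {}, _parse(repo_text)
    for repo_id in repos.sections():
        repo = repos[repo_id]
        if not _flag(repo, "enabled", "1"):
            continue  # disabled repos are never fetched, so skip them
        packages = _flag(repo, "gpgcheck", main.get("gpgcheck", "0"))
        metadata = _flag(repo, "repo_gpgcheck", main.get("repo_gpgcheck", "0"))
        keys = repo.get("gpgkey", "").split()  # gpgkey may list several URLs
        issues = []
        if not packages:
            issues.append("package signatures not checked")
        if not metadata:
            issues.append("repo metadata signature not checked")
        if (packages or metadata) and not keys:
            issues.append("no gpgkey configured")
        report[repo_id] = {"gpgcheck": packages, "repo_gpgcheck": metadata,
                           "gpgkey": keys, "issues": issues}
    return report
```

Calling audit(SAMPLE_YUM_CONF, SAMPLE_REPO_FILE) flags only the [updates] stanza, which inherits repo_gpgcheck=0 from [main].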