[CentOS-devel] Checking signed repo metadata by default?

Thu Jan 12 16:51:03 UTC 2017
Laurentiu Pancescu <lpancescu at gmail.com>

On 12/01/17 16:16, Johnny Hughes wrote:
> On 01/06/2017 03:49 AM, Laurentiu Pancescu wrote:
>> Would it be ok in this form?  The only disadvantage I see is being asked
>> to trust the official CentOS key several times during the first "yum
>> update" (instead of just once).
>
> Right, the only real issue is more trust requests for the same key.

Then, which is the earliest time we could enable this?  7.4?

I tried to avoid the "importing key" prompt by importing the key in 
advance, according to the documentation I found:

# rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7
# rpm -qa gpg-pubkey*
gpg-pubkey-f4a80eb5-53a7ff4b
# rpm -qi gpg-pubkey-f4a80eb5-53a7ff4b
Name        : gpg-pubkey
Version     : f4a80eb5
Release     : 53a7ff4b
Architecture: (none)
Install Date: Thu 12 Jan 2017 04:16:24 PM UTC
Group       : Public Keys
Size        : 0
License     : pubkey
Signature   : (none)
Source RPM  : (none)
Build Date  : Mon 23 Jun 2014 10:19:55 AM UTC
Build Host  : localhost
Relocations : (not relocatable)
Packager    : CentOS-7 Key (CentOS 7 Official Signing Key) 
<security at centos.org>
Summary     : gpg(CentOS-7 Key (CentOS 7 Official Signing Key) 
<security at centos.org>)
Description : [skipped due to verbosity]

But I'm still asked during the first "yum update", several times for the 
same key - the fingerprint displayed during each prompt matches the key 
I had already imported.  Could anyone shed some light on what's going 
on?  Perhaps because we have a gpgkey setting in the .repo file?

Thanks,
Laurențiu