[CentOS-devel] Some way to validate SIG repo repodata (via HTTPS or GPG-signed repomd?)

Mon Feb 12 08:13:08 UTC 2018
Fabian Arrotin <arrfab at centos.org>

On 08/02/18 17:45, Neal Gompa wrote:
> Hey,
> 
> I've been trying to get the CentOS SIG repositories enabled in the
> openSUSE Build Service[1].
> 
> Today, I started working with Adrian Schröter (who is CC'd to this
> email) on getting this done, and the issue right now is that there's
> no way to securely validate the repodata.
> 
> OBS supports two ways:
> 
> 1. Validating repodata from a mirror using the copy on the master
> server fetched through HTTPS.
> 
> 2. Validating repodata through GPG-signed repodata (signed repomd.xml)
> 
> While the base repositories do the latter, none of the repositories
> produced through CBS do, and _nothing_ currently does the former.
> 
> Is there something that can be done to make this better so we can have
> nice things?
> 
> Best regards,
> Neal
> 
> [1]: https://progress.opensuse.org/issues/29568
> 

As option [2] is already in place for the base distro (but not all arches),
maybe that's the way to do it for the other repositories (using
different GPG keys too).
@KB: is that something you can add in your script?

-- 
Fabian Arrotin
The CentOS Project | https://www.centos.org
gpg key: 56BEC54E | twitter: @arrfab
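
The signing step being asked for above (option [2]) and the consumer-side check it enables, as an added example that is not part of this thread or of the CBS scripts: a detached, ASCII-armored OpenPGP signature over repomd.xml is written next to it as repomd.xml.asc, which is the layout yum and dnf look for when a repo has repo_gpgcheck=1. The script signs a constructed repomd.xml with a throwaway key in a temporary GNUPGHOME so it runs offline, verifies it, then alters the metadata the way a tampered mirror would and shows the verification fail. The key identity, the repomd.xml content and the `sign_repomd`/`verify_repomd` helper names are assumptions for the demo; it assumes gpg 2.1 or newer (loopback pinentry).

```shell
#!/bin/sh
# Added example, not CBS or CentOS code: sign repomd.xml with a detached
# OpenPGP signature and verify it, the check clients get with repo_gpgcheck=1.
set -eu

WORK="$(mktemp -d)"
export GNUPGHOME="$WORK/gnupg"
mkdir -m 700 "$GNUPGHOME"
trap 'gpgconf --kill gpg-agent 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Constructed sample repodata index standing in for a SIG repo's repomd.xml.
mkdir -p "$WORK/repodata"
cat > "$WORK/repodata/repomd.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1518422400</revision>
  <data type="primary">
    <checksum type="sha256">e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855</checksum>
    <location href="repodata/primary.xml.gz"/>
  </data>
</repomd>
EOF

# Throwaway signing key (assumed identity; gpg 2.1+ with loopback pinentry).
gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
    --quick-generate-key 'Example SIG Signing Key <sig@example.invalid>' default default never

# sign_repomd DIR: write DIR/repomd.xml.asc, a detached ASCII-armored
# signature over DIR/repomd.xml. This is what the publishing script would do.
sign_repomd() {
    gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' \
        --armor --detach-sign --output "$1/repomd.xml.asc" "$1/repomd.xml"
}

# verify_repomd DIR: exit 0 only if repomd.xml.asc is a good signature over
# repomd.xml from a key in the keyring; anything else is non-zero.
verify_repomd() {
    gpg --batch --quiet --verify "$1/repomd.xml.asc" "$1/repomd.xml"
}

sign_repomd "$WORK/repodata"
verify_repomd "$WORK/repodata"
echo "signature OK"

# Change the metadata after signing, as a hostile mirror or MITM could:
# the detached signature no longer matches and verification must fail.
cp -r "$WORK/repodata" "$WORK/tampered"
sed 's/primary.xml.gz/primary-evil.xml.gz/' "$WORK/repodata/repomd.xml" \
    > "$WORK/tampered/repomd.xml"
if verify_repomd "$WORK/tampered"; then
    echo "tampered metadata verified; this must not happen" >&2
    exit 1
fi
echo "tampered metadata rejected"
```

On the client, the same check is what `repo_gpgcheck=1` in a yum/dnf `.repo` file performs, provided the SIG's public key is listed in `gpgkey=` and imported; without a published repomd.xml.asc that option cannot be enabled, which is the gap the thread is about.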
