[CentOS-devel] RPM-GPG-KEY-CentOS-8

Sat Sep 28 08:35:00 UTC 2019
Markus Falb <markus.falb at fasel.at>

On 27.09.19 13:59, Ladar Levison via CentOS-devel wrote:
> On 9/25/19 11:47 PM, Leon Fauster via CentOS-devel wrote:
>>
>> So the only trusted source is https://www.centos.org/keys/ with
>> https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official for CentOS8.
>>
> The key is also available on a system that has already been
> installed/setup, although the filename convention changed. Instead of:
> 
> /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-8

I want to cite what OpenBSD does:
https://www.openbsd.org/papers/bsdcan-signify.html

...snip
After each release of OpenBSD, we generate a new key pair for the
release after next. That's plus two. For example, after 5.6 was
released, keys for 5.8 were generated. This way, the 5.8 keys are then
included in the 5.7 release.
...snap

In the CentOS world this could mean that CentOS 8 ships the key for
CentOS 9 although not released yet. Actually all valid keys even for
older releases could be in an rpm. rpm does check signatures, doesn't it?

Hm, if I remember correctly, anaconda wasn't always that good at
checking signatures. At CentOS 6 times, installs over the network did not
check them (please correct me if I am wrong) and that's why installs over
http were deprecated. I do not know if anaconda improved in 7 or 8; does
anyone know about this?

-- 
Kind Regards, Markus Falb
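The "plus two" key rollover from the quoted OpenBSD passage, modelled in Python as an added example (not code from the signify paper, OpenBSD or CentOS); the release numbers, manifest strings and the HMAC stand-in for a detached signature are constructed assumptions, and the point shown is the key-distribution policy, including the caveat that a system on release N cannot verify release N+2 with the keys it shipped with.

```python
"""Model of the OpenBSD 'plus two' signing-key rollover on CentOS-style
release numbers (added illustration, not OpenBSD or CentOS code).

Release N ships the keys for N and N+1, because the key for N+1 was
generated right after release N-1 shipped.  A system on release N can
verify release N+1 from keys it already has, but NOT release N+2: that
key is first shipped with N+1.  HMAC-SHA256 stands in for a real detached
signature; only the key distribution policy is being modelled.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional, Tuple

FIRST_RELEASE = 7   # constructed starting point for the model
LAST_RELEASE = 11

# One signing key per release, generated up front for the model.  In the
# real scheme the key for release N is generated right after N-2 ships.
RELEASE_KEYS: Dict[int, bytes] = {
    n: os.urandom(32) for n in range(FIRST_RELEASE, LAST_RELEASE + 1)
}


def sign_release(n: int) -> Tuple[bytes, bytes]:
    """Return (manifest, signature) for release n, made with release n's key."""
    manifest = f"release {n} manifest (constructed)".encode()
    sig = hmac.new(RELEASE_KEYS[n], manifest, hashlib.sha256).digest()
    return manifest, sig


def shipped_keyring(n: int) -> Dict[int, bytes]:
    """Keys present on an installed release n: its own key and the key for n+1."""
    return {k: RELEASE_KEYS[k] for k in (n, n + 1) if k in RELEASE_KEYS}


def verify(keyring: Dict[int, bytes], manifest: bytes, sig: bytes) -> Optional[int]:
    """Return the release whose key verifies sig, or None if no shipped key does."""
    for rel, key in keyring.items():
        expected = hmac.new(key, manifest, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            return rel
    return None


def can_upgrade(installed: int, target: int) -> bool:
    """Can a system on `installed` verify release `target` using only shipped keys?"""
    manifest, sig = sign_release(target)
    return verify(shipped_keyring(installed), manifest, sig) == target
```

Running the model shows the consequence for skipped releases: can_upgrade(8, 9) succeeds, can_upgrade(7, 9) fails because release 7 never shipped the release 9 key.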