[CentOS-devel] RPM-GPG-KEY-CentOS-8

Wed Sep 25 18:17:12 UTC 2019
Leon Fauster <leonfauster at googlemail.com>

Hi All! Congratulations to the CentOS Team! Great handcraft! I am
impressed!

While trying to verify the downloaded stuff, my mental questions got
answered by myself. So, no need to ask the list, but this introspection
shows a hidden workflow that is not so streamlined, but very crucial. So, I
let it go ...

As mentioned, I wanted to verify the downloaded stuff and wondered where to
find a trusted source for the RPM-GPG-KEY-CentOS-8 key file (yes, -8). Okay,
it's here https://www.centos.org/keys/ and the trust level is based on
TLS.

But I still have some question marks:

- We all use gpg2, right? So the/my first check will go through gnupg, but
GPG keyservers are not the first choice because everyone can upload keys,
but there are some efforts to have the identities at least verified:
https://keys.openpgp.org/about/news#2019-06-12-launch . Maybe a good idea
to have full key information (verified) for all CentOS keys also there?

So I switched to

- http://mirror.centos.org/centos/ via HTTP without TLS upgrade.
So, also not a source. Is it planned to lift this up to https-only?
BTW, no RPM-GPG-KEY-CentOS-8 under http://mirror.centos.org/centos/ .
Ah, it's RPM-GPG-KEY-CentOS-Official (another flow break).

I ended up here

- WWW via TLS

  as mentioned above https://www.centos.org/keys/
  and https://wiki.centos.org/Download/Verify

while the latter suggests wget over http:// (I know the fingerprint is
https://wiki...-TLS protected). The wiki is still CentOS 7 specific. From
the usability point of view there is a forced translation needed from the
user (my/the users' goal has CentOS 8 as target).

So the only trusted source is https://www.centos.org/keys/ with
https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official for CentOS 8.

Finally, this would speed up this crucial part of verifying new distro
stuff (ISO etc.):

Suggestions: Generalize the https://wiki.centos.org/Download/Verify content
and include a link to https://www.centos.org/keys/ (actually missing), and
the same URI could be added to the CHECKSUM.asc file. Maybe it's also a good
best practice to have the fingerprints and the key files in two different
realms too?

BTW, the wiki search results for gpg, pgp or keys do not bring
"Download/Verify" as the first entry. Can this be upvoted or tagged?

Just thinking loud.
Thanks,
Leon
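The workflow the post arrives at, as an added example (not from the post or from the CentOS project): fetch the key over TLS from the URL the post names, compare its fingerprint against a value pinned from a second realm before importing it, then verify CHECKSUM.asc and the image. EXPECTED_FPR is a placeholder the operator fills in by hand, and the CHECKSUM line format is assumed to be the "SHA256 (file) = hash" style.

```shell
#!/bin/sh
# Added example, not from the original post: verify a CentOS download the way
# the post describes, trusting the key only after its fingerprint matches a
# value pinned from a separate TLS-protected source. KEY_URL comes from the
# post; EXPECTED_FPR is a PLACEHOLDER the operator fills in by hand.
set -eu

KEY_URL="https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official"   # realm 1: key file
# realm 2: fingerprint copied by hand from the (TLS-protected) wiki Verify page
EXPECTED_FPR="${EXPECTED_FPR:-0000000000000000000000000000000000000000}"  # PLACEHOLDER

# Normalise a fingerprint (drop spaces, upper-case) so both spellings compare equal.
norm_fpr() { printf '%s' "$1" | tr -d ' ' | tr '[:lower:]' '[:upper:]'; }

# Succeed only if the two fingerprints are identical after normalisation.
fpr_matches() { [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]; }

# Pull the hash for one file out of a clearsigned CentOS-style CHECKSUM file
# ("SHA256 (name.iso) = hex"); prints nothing if the file is not listed.
checksum_for() {  # $1 = CHECKSUM(.asc) path, $2 = file name
    awk -v f="$2" '$1 == "SHA256" && $2 == "(" f ")" { print $4 }' "$1"
}

# Primary-key fingerprint of an armored key file, without importing it.
key_fpr() {
    gpg --with-colons --import-options show-only --import "$1" \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

verify_download() {  # $1 = CHECKSUM.asc path, $2 = ISO path
    tmp=$(mktemp -d); trap 'rm -rf "$tmp"' EXIT
    curl -fsS --proto '=https' --tlsv1.2 -o "$tmp/key" "$KEY_URL"
    got=$(key_fpr "$tmp/key")
    fpr_matches "$got" "$EXPECTED_FPR" || { echo "fingerprint mismatch: $got" >&2; return 1; }
    gpg --homedir "$tmp" -q --import "$tmp/key"          # pinned key, isolated keyring
    gpg --homedir "$tmp" -q --verify "$1" || { echo "bad signature on $1" >&2; return 1; }
    want=$(checksum_for "$1" "$(basename "$2")")
    [ -n "$want" ] || { echo "$(basename "$2") not listed in $1" >&2; return 1; }
    have=$(sha256sum "$2" | awk '{ print $1 }')
    [ "$want" = "$have" ] || { echo "checksum mismatch for $2" >&2; return 1; }
    echo "OK: $2 matches the signed CHECKSUM from a fingerprint-pinned key"
}

# Usage: RUN_VERIFY=1 EXPECTED_FPR=<fpr> sh verify.sh CHECKSUM.asc <image>.iso
if [ "${RUN_VERIFY:-0}" = 1 ]; then verify_download "$1" "$2"; fi
```

The signature check runs before the hash inside CHECKSUM.asc is believed, and the key is imported only into a throwaway keyring so a mismatch never touches the user's own trust store.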