Hi All!

Congratulations to the CentOS Team! Great handcraft! I am impressed!

While trying to verify the downloaded stuff, my mental questions got answered by myself. So there is no need to ask the list, but this introspection shows a hidden workflow that is not so streamlined, but very crucial. So, I let it go ...

As mentioned, I wanted to verify the downloaded stuff and wondered where to find a trusted source for the RPM-GPG-KEY-CentOS-8 key file (yes, -8). Okay, it's here, https://www.centos.org/keys/, and the trust level is based on TLS. But I still have some question marks:

- We all use gpg2, right? So the/my first check will go through gnupg, but GPG keyservers are not the first choice because everyone can upload keys, although there are some efforts to have the identities at least verified: https://keys.openpgp.org/about/news#2019-06-12-launch . Maybe it is a good idea to have full (verified) key information for all CentOS keys there as well? So I switched to

- http://mirror.centos.org/centos/ via HTTP without TLS upgrade. So, also not a source. Is it planned to lift this up to https-only? BTW, there is no RPM-GPG-KEY-CentOS-8 under http://mirror.centos.org/centos/ . Ah, it's RPM-GPG-KEY-CentOS-Official (another flow break).

- I ended up here: WWW via TLS, as mentioned above, https://www.centos.org/keys/ and https://wiki.centos.org/Download/Verify, while the latter suggests wget over http:// (I know the fingerprint is TLS-protected at https://wiki...). The wiki is still CentOS 7 specific. From the usability point of view a forced translation is needed from the user (my/the user's goal has CentOS 8 as the target).

So the only trusted source is https://www.centos.org/keys/, with https://www.centos.org/keys/RPM-GPG-KEY-CentOS-Official for CentOS 8.
Finally, this would speed up this crucial part of verifying new distro stuff (ISO etc.).

Suggestions: generalize the https://wiki.centos.org/Download/Verify content and include a link to https://www.centos.org/keys/ (actually missing), and the same URI could be added to the CHECKSUM.asc file. Maybe it's also a good best practice to have the fingerprints and the key files in two different realms?

BTW, the wiki search result for gpg, pgp or keys does not bring up "Download/Verify" as the first entry. Can this be upvoted or tagged?

Just thinking out loud.

Thanks,
Leon
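The verification flow the message is asking for, written out as an added example (this is not code from the CentOS project or from the message above): fetch the key file from the TLS-protected keys page, compare its fingerprint against a value the user copied from a second place, verify CHECKSUM.asc with a throwaway keyring that holds only that key, and only then compare the ISO's sha256 with the signed checksum list. It assumes GnuPG 2.1.23 or later (for --show-keys), coreutils sha256sum and mktemp; the expected fingerprint and every file name are supplied by the caller and nothing is hardcoded.

```shell
#!/bin/sh
# Added example; not code from the CentOS project or from the message above.
# Verifies a CentOS 8 download in the order the message argues for:
#   1. the key file is fetched from https://www.centos.org/keys/ (TLS),
#   2. its fingerprint is compared against one the caller read elsewhere
#      (a second realm, so a swapped key file alone is not enough),
#   3. CHECKSUM.asc is verified against a throwaway keyring holding only
#      that key (not the user's own keyring, not a keyserver),
#   4. the ISO's sha256 is compared against the signed checksum list.
# Assumptions: GnuPG 2.1.23+ (for --show-keys), coreutils sha256sum and
# mktemp. Expected fingerprint and file names come from the caller.
set -eu

# Turn a fingerprint as displayed on a web page ("99DB 70FA ..." or
# lowercase) into the colon-less uppercase form gpg --with-colons emits.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \n\t' | tr '[:lower:]' '[:upper:]'
}

# Primary-key fingerprint of an armored key file, read without importing
# it into any persistent keyring (empty temporary GNUPGHOME).
key_fingerprint() {
    keyfile=$1
    tmp=$(mktemp -d)
    gpg --homedir "$tmp" --batch --quiet --with-colons --show-keys "$keyfile" \
        2>/dev/null | awk -F: '$1 == "fpr" { print $10; exit }'
    rm -rf "$tmp"
}

# Verify the clearsigned CHECKSUM.asc with a keyring that contains only
# $keyfile and write the verified cleartext (the checksum lines) to $out.
# gpg exits non-zero on a bad or unverifiable signature, which aborts the
# script under set -e.
verify_checksum_sig() {
    keyfile=$1; asc=$2; out=$3
    tmp=$(mktemp -d)
    gpg --homedir "$tmp" --batch --quiet --import "$keyfile" 2>/dev/null
    gpg --homedir "$tmp" --batch --yes --quiet --decrypt --output "$out" "$asc"
    rm -rf "$tmp"
}

# Compare the sha256 of $iso with the "SHA256 (<name>) = <hex>" line for
# its basename in the verified checksum list. Returns 0 only on a match;
# a missing entry is a failure too, not a silent pass.
check_iso() {
    list=$1; iso=$2
    name=$(basename "$iso")
    expected=$(awk -v n="$name" \
        '$1 == "SHA256" && $2 == "(" n ")" { print $4; exit }' "$list")
    if [ -z "$expected" ]; then
        echo "no SHA256 entry for $name in $list" >&2
        return 1
    fi
    actual=$(sha256sum "$iso" | awk '{ print $1 }')
    [ "$actual" = "$expected" ]
}

# Usage: sh verify-centos.sh <keyfile> "<expected fingerprint>" <CHECKSUM.asc> <iso>
main() {
    keyfile=$1; want=$(normalize_fpr "$2"); asc=$3; iso=$4
    have=$(key_fingerprint "$keyfile")
    if [ "$have" != "$want" ]; then
        echo "key fingerprint mismatch: got $have, expected $want" >&2
        exit 1
    fi
    list=$(mktemp)
    verify_checksum_sig "$keyfile" "$asc" "$list"
    check_iso "$list" "$iso"
    rm -f "$list"
    echo "OK: $(basename "$iso") matches the checksum signed by $have"
}

if [ "$#" -eq 4 ]; then
    main "$@"
fi
```

The fingerprint is deliberately a command-line argument rather than a constant: the point of the message is that the key file and the fingerprint should come from two different places, and the script only trusts the key file once both agree. Using a fresh GNUPGHOME keeps the check independent of whatever keys (or keyserver-fetched keys) already sit in the user's keyring.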