[CentOS-devel] repo_gpgcheck for centos repos?

Fri Sep 4 15:36:08 UTC 2020
Leon Fauster <leonfauster at googlemail.com>

Am 04.09.20 um 16:08 schrieb Johnny Hughes:
> On 9/3/20 2:40 PM, Leon Fauster via CentOS-devel wrote:
>> Hi,
>>
>> I wonder if it would be not beneficial enabling repo_gpgcheck for all
>> centos repos?  A short cross check shows that also SIG repos have
>> repomd.xml signed. mirror.centos.org has no TLS enabled and
>> repo_gpgcheck would add an additional security layer per default?
>> This could be started for EL8? Or are there any barriers?
>>
>> -- 
> 
> It is on almost all repos ..
> 
> C6, c7, and c8
> 
> The reason mirror.centos.org is not https is many machines are donated
> .. and could be taken away (reclaimed) by the donors, who have physical
> control of the machines.  We don't want 'private' keys on those donated
> machines and the reason we created repo_gpgcheck repos.

Sure, this applies to TLS. Therefore I was suggesting to enable
repo_gpgcheck for all CentOS repos in the _configuration files_.
The default is false or are they enabled elsewhere?

# grep repo_gpgcheck /etc/yum.repos.d/C*
# echo $?
1

--
Leon
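The check Leon runs above only greps for the key; the following is an added example (not code from the thread or from the CentOS project) that audits each repository section of a yum/dnf `.repo` file for `repo_gpgcheck=1` and produces a hardened copy with the option set in every section. The sample `.repo` content is constructed here for demonstration; its `baseurl` and `gpgkey` values are illustrative, and `audit_repo_gpgcheck`/`harden_repo_gpgcheck` are names chosen for this example.

```shell
#!/bin/sh
# Added example: audit and harden repo_gpgcheck in yum/dnf .repo files.
# Assumes the usual INI layout of /etc/yum.repos.d/*.repo. Nothing here is
# CentOS project code; the sample repo file below is constructed.

# audit_repo_gpgcheck FILE
#   Prints "<section> <value|unset>" for every section whose repo_gpgcheck
#   is not explicitly 1. Exit status 0 if all sections pass, 1 otherwise.
audit_repo_gpgcheck() {
    awk '
        BEGIN { bad = 0 }
        function report() {
            if (section != "" && value != "1") {
                print section, (value == "" ? "unset" : value)
                bad = 1
            }
        }
        /^\[.*\]$/ { report(); section = substr($0, 2, length($0) - 2); value = ""; next }
        /^[ \t]*repo_gpgcheck[ \t]*=/ { sub(/^[^=]*=[ \t]*/, ""); value = $0 }
        END { report(); exit bad }
    ' "$1"
}

# harden_repo_gpgcheck FILE
#   Writes a copy of FILE to stdout in which every section carries
#   repo_gpgcheck=1: existing repo_gpgcheck lines are rewritten, missing
#   ones are appended at the end of their section (before trailing blanks).
harden_repo_gpgcheck() {
    awk '
        function emit_pending() { for (i = 0; i < pending; i++) print ""; pending = 0 }
        function close_section() { if (section != "" && !seen) print "repo_gpgcheck=1" }
        /^[ \t]*$/ { pending++; next }
        /^\[.*\]$/ { close_section(); emit_pending(); section = $0; seen = 0; print; next }
        /^[ \t]*repo_gpgcheck[ \t]*=/ { emit_pending(); print "repo_gpgcheck=1"; seen = 1; next }
        { emit_pending(); print }
        END { close_section(); emit_pending() }
    ' "$1"
}

# Constructed sample: one section hardened, one explicitly disabled, one
# that never mentions repo_gpgcheck (the dnf default is off).
SAMPLE_REPO=$(mktemp)
HARDENED_REPO=$(mktemp)
trap 'rm -f "$SAMPLE_REPO" "$HARDENED_REPO"' EXIT
cat > "$SAMPLE_REPO" <<'EOF'
[BaseOS]
name=CentOS-$releasever - Base
baseurl=http://mirror.centos.org/$contentdir/$releasever/BaseOS/$basearch/os/
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-centosofficial

[AppStream]
name=CentOS-$releasever - AppStream
gpgcheck=1
repo_gpgcheck=0

[extras]
name=CentOS-$releasever - Extras
gpgcheck=1
EOF

harden_repo_gpgcheck "$SAMPLE_REPO" > "$HARDENED_REPO"

if audit_repo_gpgcheck "$SAMPLE_REPO"; then
    echo "all sections have repo_gpgcheck=1"
else
    echo "sections listed above lack repo_gpgcheck=1; hardened copy: $HARDENED_REPO"
fi
```

Run against a real system with `for f in /etc/yum.repos.d/*.repo; do audit_repo_gpgcheck "$f"; done`; a plain `grep repo_gpgcheck` returning nothing, as in the message above, means every section is relying on the default, which is what the audit reports as `unset`.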