On 14.Jun.2013, at 13:20, James Hogarth wrote: > I think I am getting a little confused about these trust things. >> How am *I* supposed to verify the validity of those public keys. >> > > > If you really want to be sure what you should do is compare them from your > system to a trusted source such as the CentOS website, CentOS main > repositories, CentOS IRC channel or here ;) So I hardcode the keys in my %post and compare them to what was installed, instead of blindly importing them …snip # import the pgp key cmp /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 - <<GUGU -----BEGIN PGP PUBLIC KEY BLOCK----- shiny KEY GOES HERE -----END PGP PUBLIC KEY BLOCK----- GUGU if [ $? == 0 ]; then rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 fi snap... still not quite sure what to do if the key does not match in the previous comparison. however, here are the keys I know of and if someone keys does not match she might raise her hands. (what is the RPM-GPG-KEY-CentOS-Security-6 key for?) # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 pub 4096R/C105B9DE 2011-07-03 CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key at centos.org> Key fingerprint = C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Debug-6 pub 4096R/D0FF3D16 2011-07-03 CentOS-6 Debuginfo Key (CentOS-6 Debuginfo Signing Key) <centos-6-debug-key at centos.org> Key fingerprint = 69B3 0F26 BA2B 3AA4 C27C E4F5 3B75 CF79 D0FF 3D16 # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Security-6 pub 4096R/FE837F6F 2011-07-03 CentOS-6 Security Key (CentOS-6 Official Security Key) <centos-6-security-key at centos.org> Key fingerprint = 0830 F43C 928A A5A8 A6F1 AF97 0B13 2C3F FE83 7F6F # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Testing-6 pub 4096R/EF1D6DB8 2011-07-03 CentOS-6 Testing Key (CentOS-6 Test and Beta Signing Key) <centos-6-testing-key at centos.org> Key fingerprint = 4233 9C29 8BC4 352C A4F9 7504 119C 1A87 EF1D 6DB8 -- Markus