On 06/25/2013 10:38 AM, Markus Falb wrote: > On 14.Jun.2013, at 13:20, James Hogarth wrote: > >> I think I am getting a little confused about these trust things. >>> How am *I* supposed to verify the validity of those public keys. >>> >> >> If you really want to be sure what you should do is compare them from your >> system to a trusted source such as the CentOS website, CentOS main >> repositories, CentOS IRC channel or here ;) > So I hardcode the keys in my %post and compare them to what was installed, instead of blindly importing them > > …snip > # import the pgp key > cmp /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 - <<GUGU > -----BEGIN PGP PUBLIC KEY BLOCK----- > shiny KEY GOES HERE > -----END PGP PUBLIC KEY BLOCK----- > GUGU > > if [ $? == 0 ]; then > rpm --import /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 > fi > snap... > > still not quite sure what to do if the key does not match in the previous comparison. > however, here are the keys I know of and if someone keys does not match she might raise her hands. > > (what is the RPM-GPG-KEY-CentOS-Security-6 key for?) > > # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-6 > pub 4096R/C105B9DE 2011-07-03 CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key at centos.org> > Key fingerprint = C1DA C52D 1664 E8A4 386D BA43 0946 FCA2 C105 B9DE > > # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Debug-6 > pub 4096R/D0FF3D16 2011-07-03 CentOS-6 Debuginfo Key (CentOS-6 Debuginfo Signing Key) <centos-6-debug-key at centos.org> > Key fingerprint = 69B3 0F26 BA2B 3AA4 C27C E4F5 3B75 CF79 D0FF 3D16 > > # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Security-6 > pub 4096R/FE837F6F 2011-07-03 CentOS-6 Security Key (CentOS-6 Official Security Key) <centos-6-security-key at centos.org> > Key fingerprint = 0830 F43C 928A A5A8 A6F1 AF97 0B13 2C3F FE83 7F6F > > # gpg --with-fingerprint /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-Testing-6 > pub 4096R/EF1D6DB8 2011-07-03 CentOS-6 Testing Key (CentOS-6 Test and Beta Signing Key) <centos-6-testing-key at centos.org> > Key fingerprint = 4233 9C29 8BC4 352C A4F9 7504 119C 1A87 EF1D 6DB8 These match the ones I have used for the last 18 months.