[CentOS] automatic import of rpm keys

Markus Falb wnefal at gmail.com
Fri Jun 14 11:14:50 UTC 2013


On 13.Jun.2013, at 13:14, James Hogarth wrote:

>> I am wondering why this import is not happening automatically at install
>> time. There must be good reasons for that?
>> 
>> 
> Anaconda doesn't actually carry out gpg checks... I think it had that added
> during the fedora 18/19 rewrite so EL7 might cover that but certain EL5 and
> EL6 won't have that …

It makes sense then. Since anaconda does not check the signature of the centos-release rpm it can not ensure that the contained public key is not faked and leaves this exercise to the user.

I think I am getting a little confused about these trust things.
How am *I* supposed to verify the validity of those public keys.

-- 
Markus


More information about the CentOS mailing list