[CentOS] yum/RPM and Trust on First Use

Sat Dec 19 01:34:32 UTC 2015
Karanbir Singh <mail-lists at karan.org>

On 16/12/15 03:05, Alice Wonder wrote:
> I'm not on the yum / RPM list and I don't know that I want to join just
> to discuss this but with respect GPG keys - it is a classic example of
> trust on first use.
> The first time yum installs a package, it asks to import the GPG key
> used to sign the packages. Most people accept without validating the key.

This is a huge issue, it's something we've debated many times and I don't
think there is a clear answer, yet. At this point we have yum use the
gpg keys setup at install time, from the install media - it should not
be going over the wire to grab keys. And we sign the install media, and
its sha sums - so users can verify things.

The underlying thinking being that if the install media is compromised,
anything it does and any content it grabs over the wire should be
considered potentially compromised - so enforce the idea of media test,
media validation, and deliver the first ring of trust via the media.

Having said that, your point about using DNS as a second way to verify
the keys is a good one, I believe it's come up in the past as well. And
we have a todo item to get dnssec up for centos.org in the near future.
What I would recommend is to open an issue report at bugs.centos.org/
to track this as a task.

As a related subject, we do push the main key fingerprints via https at


Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
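The alternative to accepting a repository key on first use, as discussed above, is to pin the expected fingerprint locally (from the install media or an out-of-band channel) and refuse the import on mismatch. The following script is an added example, not code from the thread or the CentOS project; it assumes GnuPG 2.1+ and rpm are installed, and the pinned fingerprint is a placeholder, not a real CentOS key.

```shell
#!/bin/sh
# Added example: verify a repository signing key's fingerprint against a
# locally pinned value before importing it into the RPM keyring, instead of
# letting yum import whatever key the repository offers on first use.
# Assumes GnuPG 2.1+ ("gpg") and rpm; "rpm --import" needs root.
set -e

# Normalise a fingerprint for comparison: drop spaces and colons, uppercase.
norm_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Return 0 when two fingerprints match after normalisation, 1 otherwise.
fpr_matches() {
    [ "$(norm_fpr "$1")" = "$(norm_fpr "$2")" ]
}

# Print the primary-key fingerprint of a key file without importing it.
# "--import-options show-only" lists the key; the "fpr" record's 10th
# colon-separated field carries the fingerprint.
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import the key only when it matches the pinned fingerprint; refuse otherwise.
import_if_pinned() {
    keyfile=$1
    pinned=$2
    actual=$(key_fingerprint "$keyfile")
    if [ -z "$actual" ]; then
        echo "no fingerprint found in $keyfile" >&2
        return 2
    fi
    if fpr_matches "$actual" "$pinned"; then
        rpm --import "$keyfile"
    else
        echo "fingerprint mismatch for $keyfile: got $actual, pinned $pinned" >&2
        return 1
    fi
}

# Command-line use: ./pin-key.sh <keyfile> <pinned-fingerprint>
# e.g. ./pin-key.sh /etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7 PINNED_FINGERPRINT_PLACEHOLDER
if [ $# -eq 2 ]; then
    import_if_pinned "$1" "$2"
fi
```

The pinned value should come from the install media or another channel the repository cannot influence, which is the second path the thread suggests.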