[CentOS] yum/RPM and Trust on First Use

Sat Dec 19 17:49:51 UTC 2015
Alice Wonder <alice at domblogger.net>

On 12/19/2015 02:12 AM, Gordon Messmer wrote:
> On 12/15/2015 07:05 PM, Alice Wonder wrote:
>> The first time yum installs a package, it asks to import the GPG key
>> used to sign the packages. Most people accept without validating the key.
> While that is true, it is important to note that yum will only import
> keys that are already installed on disk, in /etc/pki/rpm-gpg.  Which
> means that only keys that were *previously* installed from a trusted
> source can be added to the trust database. Initially, that set comes
> from your install media.  Assuming that you verified the sum of the
> media you used for installation, this is a reasonably secure mechanism.

With third party repositories the key and configuration file is often 
distributed separately. That's the potential attack vector for trojan keys.

> If you're going to verify the key against a DNS record for every package
> you install, forever, why have a GPG keyring at all?

Well I'm not a big fan of GPG keyrings to be honest, it is a difficult 
system for users and contains abandoned keys and compromised keys that 
aren't revoked because the owner can't revoke them if they lost their 
private key.

DNS verification solves that issue.

Sent my from my laptop, may not be able to respond timely