On Apr 5, 2021, at 8:32 AM, Johnny Hughes <johnny at centos.org> wrote: > > wrt private keys .. we don't want any to live on machines we > don't physically own. Yeah, I get that. What I don’t get is why, if DNF goes to http://foo.centos.org to pull metadata, and it tells DNF to go to https://bar.qux.example.edu to download the packages specified by that metadata, why must there be any private keys for *.centos.org involved on example.edu’s servers? Surely the sysadmin of bar.qux.example.edu obtains a TLS key pair from some trusted CA that certifies that bar.qux.example.edu is valid according to the worldwide TLS public PKI. If we’re talking about package signing keys, surely that all happens on centos.org servers, and the resulting RPM packages are distributed as-is, not re-signed on each mirror server.