On 12/19/2015 02:12 AM, Gordon Messmer wrote:
> On 12/15/2015 07:05 PM, Alice Wonder wrote:
>> The first time yum installs a package, it asks to import the GPG key
>> used to sign the packages. Most people accept without validating the key.
>
> While that is true, it is important to note that yum will only import
> keys that are already installed on disk, in /etc/pki/rpm-gpg.  Which
> means that only keys that were *previously* installed from a trusted
> source can be added to the trust database. Initially, that set comes
> from your install media.  Assuming that you verified the sum of the
> media you used for installation, this is a reasonably secure mechanism.


With third-party repositories the key and configuration file are often distributed separately. That's the potential attack vector for trojan keys.

> If you're going to verify the key against a DNS record for every package
> you install, forever, why have a GPG keyring at all?

Well, I'm not a big fan of GPG keyrings, to be honest; it is a difficult system for users and contains abandoned keys and compromised keys that aren't revoked, because the owner can't revoke them if they lost their private key.

DNS verification solves that issue.

--
-=-
Sent from my laptop, may not be able to respond timely
_______________________________________________
CentOS mailing list
CentOS@centos.org
https://lists.centos.org/mailman/listinfo/centos
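A defender's check prompted by the discussion above, added here as an example that is not part of the thread: it parses a .repo file and flags repositories whose gpgcheck is off or whose gpgkey is fetched from a URL rather than read from the locally installed /etc/pki/rpm-gpg directory. The repo ids, URLs and key paths in the sample are constructed.

```python
"""Audit yum .repo definitions for how each repository sources its signing key."""
import configparser

LOCAL_KEY_DIR = "/etc/pki/rpm-gpg"   # directory yum trusts for locally installed keys

# Constructed sample .repo content (hostnames use the reserved .invalid TLD).
SAMPLE_REPO = """
[base]
name=CentOS Base
baseurl=http://mirror.example.invalid/centos/7/os/x86_64/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[thirdparty]
name=Third-party add-ons
baseurl=http://repo.example.invalid/el7/
gpgcheck=1
gpgkey=http://repo.example.invalid/RPM-GPG-KEY-thirdparty

[unsigned]
name=Unsigned packages
baseurl=http://other.example.invalid/el7/
gpgcheck=0
"""


def audit_repo_config(text):
    """Return {repo_id: finding} for every section of a .repo file.

    gpgcheck-disabled : signatures are not checked at all
    no-key            : gpgcheck is on but no gpgkey is configured
    remote-key        : at least one key is fetched over the network
    local-key         : every key is a file under /etc/pki/rpm-gpg
    local-key-other-path : file:// key(s) outside the standard directory
    """
    parser = configparser.ConfigParser(interpolation=None)  # keep $releasever literal
    parser.read_string(text)
    findings = {}
    for repo in parser.sections():
        # A missing gpgcheck is treated as disabled here (yum would fall back to [main]).
        if parser.get(repo, "gpgcheck", fallback="0").strip() != "1":
            findings[repo] = "gpgcheck-disabled"
            continue
        keys = parser.get(repo, "gpgkey", fallback="").split()  # may list several URLs
        if not keys:
            findings[repo] = "no-key"
        elif any(not k.startswith("file://") for k in keys):
            findings[repo] = "remote-key"
        elif all(k[len("file://"):].startswith(LOCAL_KEY_DIR + "/") for k in keys):
            findings[repo] = "local-key"
        else:
            findings[repo] = "local-key-other-path"
    return findings


if __name__ == "__main__":
    for repo, finding in audit_repo_config(SAMPLE_REPO).items():
        print(f"{repo}: {finding}")
```

Run it against the contents of each file in /etc/yum.repos.d to see which repositories would import a key that never passed through the local trust directory.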