Of course you could use HTTPS as well, which should make it secure:

gpgkey = https://mypulpserver/pulp/keys/epel.key


On Wed, Jun 8, 2016 at 2:18 PM, Jeremy Cline <jcl...@redhat.com> wrote:
>
> This scenario is insecure. Serving the GPG key over HTTP leaves it
> vulnerable to a man-in-the-middle attack. You could serve it over
> HTTPS, and this is sometimes done, but I'm not sure what you gain from
> it. Accepting the GPG key from the server can only be done if you trust
> the server, but checking the signatures on the packages provided by the
> same server indicates you _don't_ trust the server.
>
> I recommend using a configuration management tool like Ansible to
> distribute the GPG key over a trusted channel if you want to serve
> content over HTTP.
_______________________________________________
Pulp-list mailing list
Pulp-list@redhat.com
https://www.redhat.com/mailman/listinfo/pulp-list
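The thread contrasts three ways of getting the repository's GPG key onto a client: over plain HTTP, over HTTPS, or out of band through a trusted channel such as Ansible. The following is an added example, not code from the thread or from the Pulp project, that audits yum/dnf `.repo` files for exactly these settings so the insecure variant can be caught in review or in a configuration-management check. The sample `.repo` contents, the host name `mypulpserver` and the key paths are constructed placeholders; the severity labels are this example's own convention.

```python
import configparser
from urllib.parse import urlsplit

# Constructed sample .repo file (not from the thread): one repository per
# configuration the discussion covers. Host and paths are placeholders.
SAMPLE_REPO = """\
[epel-http]
name=EPEL mirrored by Pulp, key fetched over plain HTTP
baseurl=http://mypulpserver/pulp/repos/epel/
enabled=1
gpgcheck=1
gpgkey=http://mypulpserver/pulp/keys/epel.key

[epel-https]
name=EPEL mirrored by Pulp, key fetched over HTTPS
baseurl=http://mypulpserver/pulp/repos/epel/
enabled=1
gpgcheck=1
gpgkey=https://mypulpserver/pulp/keys/epel.key

[epel-local]
name=EPEL mirrored by Pulp, key distributed out of band (e.g. by Ansible)
baseurl=http://mypulpserver/pulp/repos/epel/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL

[epel-nocheck]
name=EPEL mirrored by Pulp, signature checking switched off
baseurl=http://mypulpserver/pulp/repos/epel/
enabled=1
gpgcheck=0
"""


def audit_repo_config(text):
    """Parse a yum/dnf .repo file and return {repo_id: [(severity, message), ...]}.

    Severity convention of this example: "high" for settings that let an
    on-path attacker substitute packages, "warn" for settings that need a
    human decision, "info" for configurations that work but bootstrap trust
    from the same server that serves the packages.
    """
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(text)
    findings = {}
    for repo_id in parser.sections():
        section = parser[repo_id]
        problems = []
        if section.get("enabled", "1").strip() == "0":
            findings[repo_id] = problems  # disabled repos are not audited
            continue

        gpgcheck = section.get("gpgcheck")
        if gpgcheck is None:
            problems.append(("warn", "gpgcheck not set; behaviour depends on the [main] default"))
        elif gpgcheck.strip() != "1":
            problems.append(("high", "gpgcheck=0: packages are installed without signature verification"))

        # gpgkey may list several URLs separated by whitespace or newlines.
        keys = section.get("gpgkey", "").split()
        if gpgcheck is not None and gpgcheck.strip() == "1" and not keys:
            problems.append(("high", "gpgcheck=1 but no gpgkey configured"))

        for key in keys:
            scheme = urlsplit(key).scheme.lower()
            if scheme == "http":
                problems.append(("high", f"gpgkey {key} is fetched over plain HTTP; "
                                         "an on-path attacker can replace the key and then the packages"))
            elif scheme == "https":
                problems.append(("info", f"gpgkey {key} is fetched over HTTPS; transport is protected, "
                                         "but trust in the key still comes from the package server itself"))
            elif scheme == "file":
                pass  # key was placed on the host by a trusted channel; nothing to flag
            else:
                problems.append(("warn", f"gpgkey {key} uses an unexpected scheme '{scheme}'"))
        findings[repo_id] = problems
    return findings


def blocking_repos(findings):
    """Repo ids with at least one 'high' finding, usable as a CI or CM gate."""
    return sorted(repo for repo, problems in findings.items()
                  if any(sev == "high" for sev, _ in problems))


if __name__ == "__main__":
    result = audit_repo_config(SAMPLE_REPO)
    for repo, problems in result.items():
        print(repo, "OK" if not problems else "")
        for sev, msg in problems:
            print(f"  [{sev}] {msg}")
    print("blocking:", blocking_repos(result))
```

Run against the sample, the HTTP and `gpgcheck=0` repositories are reported as blocking, the HTTPS repository gets only an informational note reflecting the point made in the quoted reply, and the repository whose key arrived through a trusted channel (a `file://` path) is clean. Point `audit_repo_config` at the contents of `/etc/yum.repos.d/*.repo` to check real hosts.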