Re: Old release keys (was Re: tip: upgrade to 32)

2020-04-21 Thread ToddAndMargo via users

On 2020-04-21 21:38, Ed Greshko wrote:
> On 2020-04-22 11:46, ToddAndMargo via users wrote:
>> Would it hurt anything to remove the old ones?
>
> Hurt?  No.  Cause you an inconvenience at a later date?  Maybe.
>
> Example.  Let's say you want to install some SW from an earlier release of
> Fedora that was dropped.  So, you go back and find an rpm and luckily it
> doesn't have a dependency issue.  But the rpm came from F29 and you've
> removed the public keys for F29.  So, it won't install without using the
> --nogpgcheck flag.

Makes sense now.   Thank you!
___
users mailing list -- users@lists.fedoraproject.org
To unsubscribe send an email to users-le...@lists.fedoraproject.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/users@lists.fedoraproject.org


Re: Old release keys (was Re: tip: upgrade to 32)

2020-04-21 Thread Ed Greshko
On 2020-04-22 11:46, ToddAndMargo via users wrote:
> Would it hurt anything to remove the old ones? 

Hurt?  No.  Cause you an inconvenience at a later date?  Maybe.

Example.  Let's say you want to install some SW from an earlier release of 
Fedora that was dropped.  So, you go back and find an rpm and luckily it 
doesn't have a dependency issue.  But the rpm came from F29 and you've
removed the public keys for F29.  So, it won't install without using the  
--nogpgcheck flag.

-- 
The key to getting good answers is to ask good questions.


Re: Old release keys (was Re: tip: upgrade to 32)

2020-04-21 Thread ToddAndMargo via users

On 2020-04-21 20:19, Sam Varshavchik wrote:
> ToddAndMargo via users writes:
>> Hi Ed,
>>
>> Ooops.  Forgot to reinstall the key.   :'(
>>
>> And now everything works right.
>>
>> Thank you for sticking this through!  You are awesome!
>
> To answer your other questions: the GPG keys for older Fedora releases
> are harmless.
>
> But I have believed, for quite some time, that they are a low risk
> security hole. A signing PGP key was compromised at least once, many
> years ago, forcing the whole release to get re-signed.
>
> If one of the older releases' PGP keys gets compromised, things might
> get a bit dicey, if a few more dominoes can get felled, in the right
> direction. Say someone swipes F29's PGP key, right now. Hoo boy. A lot
> of systems will probably trust anything signed by that key.
>
> I always thought that (these days) dnf system-upgrade should, at some
> point, delete the old release's pgp key. I dimly recall seeing something
> in Bugzilla about it. Every few releases I sift through my RPM
> databases, and manually delete old release keys.
>
> Why are pgp keys in the rpm database anyway? That seems like a bunch of
> extra work. /etc/yum.repos.d already contains:
>
> gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch
>
> So, why isn't that enough? This should be sufficient to verify
> signatures on download packages. Why do they have to get imported
> somewhere in the rpm database, as a fake package, in order to be useful?

Would it hurt anything to remove the old ones?



Old release keys (was Re: tip: upgrade to 32)

2020-04-21 Thread Sam Varshavchik

ToddAndMargo via users writes:
> Hi Ed,
>
> Ooops.  Forgot to reinstall the key.   :'(
>
> And now everything works right.
>
> Thank you for sticking this through!  You are awesome!


To answer your other questions: the GPG keys for older Fedora releases are  
harmless.


But I have believed, for quite some time, that they are a low risk security  
hole. A signing PGP key was compromised at least once, many years ago,  
forcing the whole release to get re-signed.


If one of the older releases' PGP keys gets compromised, things might get a  
bit dicey, if a few more dominoes can get felled, in the right direction.  
Say someone swipes F29's PGP key, right now. Hoo boy. A lot of systems will  
probably trust anything signed by that key.


I always thought that (these days) dnf system-upgrade should, at some point,  
delete the old release's pgp key. I dimly recall seeing something in  
Bugzilla about it. Every few releases I sift through my RPM databases, and  
manually delete old release keys.


Why are pgp keys in the rpm database anyway? That seems like a bunch of  
extra work. /etc/yum.repos.d already contains:


gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearch

So, why isn't that enough? This should be sufficient to verify signatures on  
download packages. Why do they have to get imported somewhere in the rpm  
database, as a fake package, in order to be useful?




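Added example, not code from anyone in this thread. Sam describes sifting through the RPM database every few releases and manually deleting old release keys, and Ed's reply explains the cost of doing so (an rpm from that release then needs --nogpgcheck). The script below turns the "sift" into a repeatable review step: it lists the Fedora release keys that rpm holds as gpg-pubkey pseudo-packages (the "fake package" Sam asks about; dnf imports the key named by gpgkey= into rpm's keyring so that rpm itself can verify signatures at install time) and prints, without executing, the `rpm -e` commands for keys belonging to releases older than the running one. The rpm commands used (`rpm -q gpg-pubkey --qf`, `rpm -E '%fedora'`, `rpm -e gpg-pubkey-...`) are real; the sample query output, its key ids and timestamps are constructed so the script runs on a host without rpm.

```shell
#!/bin/sh
# Added example (not from the thread): review the Fedora release signing keys
# that rpm holds as gpg-pubkey pseudo-packages and flag the ones belonging to
# releases older than the one currently running.

# rpm stores each imported key as a package named gpg-pubkey-<keyid>-<timestamp>;
# the Summary field carries the key's user id, which for Fedora release keys
# contains "<fedora-NN@fedoraproject.org>".
RPM_QF='%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'

# Constructed sample of `rpm -q gpg-pubkey --qf "$RPM_QF"` on a host that was
# upgraded through several releases; key ids and timestamps are made up.
SAMPLE_KEYS='gpg-pubkey-aaaaaaaa-5a000001 gpg(Fedora (29) <fedora-29@fedoraproject.org>)
gpg-pubkey-bbbbbbbb-5b000002 gpg(Fedora (31) <fedora-31@fedoraproject.org>)
gpg-pubkey-cccccccc-5c000003 gpg(Fedora (32) <fedora-32@fedoraproject.org>)
gpg-pubkey-dddddddd-5d000004 gpg(RPM Fusion free repository for Fedora (32) <rpmfusion-buildsys@lists.rpmfusion.org>)'

# Print "<gpg-pubkey package> <release number>" for every Fedora release key
# in the query output passed as $1. Third-party keys (RPM Fusion and the like)
# are skipped because their user id is not a fedoraproject.org release address.
fedora_release_keys() {
    printf '%s\n' "$1" | sed -n \
        's/^\(gpg-pubkey-[0-9a-f]*-[0-9a-f]*\) .*<fedora-\([0-9][0-9]*\)@fedoraproject\.org>.*/\1 \2/p'
}

# Print the gpg-pubkey package names whose release number is lower than $2.
stale_fedora_keys() {
    fedora_release_keys "$1" | while read -r pkg krel; do
        if [ "$krel" -lt "$2" ]; then
            printf '%s\n' "$pkg"
        fi
    done
}

# Number of stale keys; suitable for a periodic check that expects 0.
count_stale_fedora_keys() {
    stale_fedora_keys "$1" "$2" | awk 'END { print NR }'
}

main() {
    # On a Fedora host, read the live key list and the running release from rpm;
    # anywhere else fall back to the constructed sample above.
    if command -v rpm >/dev/null 2>&1 && release=$(rpm -E '%fedora') \
        && [ "$release" -gt 0 ] 2>/dev/null; then
        keys=$(rpm -q gpg-pubkey --qf "$RPM_QF") || keys=''
    else
        echo "rpm not available; using constructed sample output" >&2
        release=32
        keys=$SAMPLE_KEYS
    fi
    echo "Fedora release keys in the rpm database (running F$release):"
    fedora_release_keys "$keys" | sed 's/^/  /'
    echo "Keys for releases older than F$release (review before removing; an rpm"
    echo "from that release will then need --nogpgcheck, as the thread notes):"
    stale_fedora_keys "$keys" "$release" | sed 's/^/  rpm -e /'
}

main "$@"
```

The script only prints the removal commands; deciding whether the convenience Ed describes outweighs the exposure Sam worries about is a per-host call, and `rpm -e gpg-pubkey-<keyid>-<timestamp>` is the actual removal step once you have decided. Note that `rpm -E '%fedora'` expands to the literal string `%fedora` on non-Fedora rpm hosts, which the numeric test catches and routes to the sample branch.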