On Mon, 26 Apr 2004, Jacob Robert Wilkins wrote:

> > I just installed the latest Centos and Yum keeps reporting that the
> > correct GPG keys are not installed. How do I install them?

rpm --import http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3

> It's a common question. We need to do a better job of making the solution
> known.

now present at:
http://caosity.org/index.php?option=faq&task=viewfaq&artid=24&Itemid=5

-- Russ Herrold

Tom DE BLENDE (GCC)
2004-Apr-27 07:23 UTC
[Centos] Re: [cAos] CentOS GPG key import process
R P Herrold wrote:

>On Mon, 26 Apr 2004, Jacob Robert Wilkins wrote:
>
>>It's a common question. We need to do a better job of making the solution
>>known.

I am new to CentOS and must say that I am very happy with it! This being said: I did have the same problem, and some Googling showed me the way.

>now present at:
> http://caosity.org/index.php?option=faq&task=viewfaq&artid=24&Itemid=5

Well maintained FAQs are vital to keep the same questions from reappearing on the list time and time again. I can speak from the experience I have built up by my (very modest) contributions to Nagios (http://www.nagios.org) and its mailing lists. Ethan -lead developer- of Nagios has created a FAQ system that allows users to send in FAQs (together with the answer). It is moderated, so they only appear on the FAQ listings when he has reviewed them. It has a search function as well (something which is lacking on the CentOS FAQs IIRC).

Another good thing would be a search function for the mailing list archives. I have looked for one, but haven't found it so far.

I hope my remarks are not being seen as bad criticism, but as constructive ;-)

Keep up the good work with CentOS!

Kind regards,

Tom

On Mon, 26 Apr 2004, R P Herrold wrote:

> On Mon, 26 Apr 2004, Jacob Robert Wilkins wrote:
>
> > > I just installed the latest Centos and Yum keeps reporting that the
> > > correct GPG keys are not installed. How do I install them?
>
> rpm --import http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3
>
> > It's a common question. We need to do a better job of making the solution
> > known.

I think the key should be installed automatically as part of the install process - but don't know how / why it isn't ...

Lance

-- uklinux.net - The ISP of choice for the discerning Linux user.

On Tue, 27 Apr 2004, Lance Davis wrote:

> I think the key should be installed automatically as part of the install
> process - but don't know how / why it isn't ...

Two schools of thought there --

When doing a local RO media install, one assumedly trusts the media to not have been tampered with, and it should be added [the use of the media is a manual act of trust]; when doing a wire install, unless there is a prior affirmative act on the chain of trust [manual installation of the key from a trusted source], it is probably reasonable to not do (rpm as a matter of strict policy runs without user intervention).

Once an initial trusted key is installed, supplemental keys may be managed under the rpm packaging mechanism (an approach with %pre/%post script management comes to mind). This is because the later keying packages would be oversigned with a key properly on the keychain. Expirations and revocations can then also be handled more cleanly. (This is the relaxed school)

Others feel:

By rights, really, rpm should not receive an import of a key without a mechanism for preventing a hostile insertion -- such as a passphrase -- but the counter argument is that as only 'root' has RW access on the relevant file, if the attacker already has root rights, they could sniff the needed passphrase to do so. The contrary school is the GPG passphrase school, which adds the supplemental protection anyway. (This is the tin foil hat school.)

-- Russ Herrold
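
Added example, not part of the original thread: one way to perform the "prior affirmative act" described above for a wire install is to compare the downloaded key's fingerprint with one obtained out of band before running rpm --import. It assumes GnuPG 2.2 or later (for --show-keys) and curl; the function names are hypothetical and EXPECTED_FPR is a placeholder, since the thread does not give the fingerprint.

```shell
#!/bin/sh
# Added example: fingerprint-pinned key import (helper names are hypothetical).
KEY_URL="http://mirror.centos.org/centos/3.1/i386/RPM-GPG-KEY-CentOS-3"
# Placeholder: the thread does not give the fingerprint; get it out of band.
EXPECTED_FPR="REPLACE-WITH-FINGERPRINT-FROM-A-TRUSTED-SOURCE"

# Strip spaces/colons and upper-case, so "ab cd" and "ABCD" compare equal.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' :\t\n' | tr 'a-f' 'A-F'
}

# Succeed only if both values are the same full-length hex fingerprint.
# Short 8/16-digit key IDs are refused.
fpr_matches() {
    a=$(normalize_fpr "$1")
    b=$(normalize_fpr "$2")
    case "$a" in *[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -ge 32 ] || return 1
    [ "$a" = "$b" ]
}

# Print the primary key fingerprint of a key file without importing it.
key_fingerprint() {
    gpg --show-keys --with-colons "$1" 2>/dev/null |
        awk -F: '$1 == "fpr" { print $10; exit }'
}

# Import into the rpm keyring only when the fingerprint matches the pin.
import_pinned_key() {
    seen=$(key_fingerprint "$1") || return 1
    if fpr_matches "$seen" "$2"; then
        rpm --import "$1"
    else
        echo "refusing import: fingerprint '$seen' does not match pin" >&2
        return 1
    fi
}

# Run as: sh import-key.sh --import   (needs root for rpm --import)
if [ "${1:-}" = "--import" ]; then
    tmp=$(mktemp) || exit 1
    trap 'rm -f "$tmp"' EXIT
    curl -fsS -o "$tmp" "$KEY_URL" || exit 1
    import_pinned_key "$tmp" "$EXPECTED_FPR"
fi
```

With the placeholder left in place the script fails closed: the pin is not a hex fingerprint, so nothing is imported.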