Hi,

I read http://www.stigviewer.com/check/RHEL-06-000008

The CentOS keys live in /etc/pki/rpm-gpg and when I run yum the first time I am asked if I want to accept the key. Alternatively I could import them manually with something like 'rpm --import /etc/pki/rpm-gpg/$key', maybe in the %post of a kickstart.

I am wondering why this import is not happening automatically at install time. There must be good reasons for that?

-- 
Markus
> I am wondering why this import is not happening automatically at install
> time. There must be good reasons for that?

Anaconda doesn't actually carry out gpg checks... I think it had that added during the fedora 18/19 rewrite so EL7 might cover that but certainly EL5 and EL6 won't have that ... Since it doesn't do gpg checks I guess the rpm keys are never added as a result - as you say %post would resolve that ...

To maintain my systems I use Spacewalk and the kickstarts that are generated as part of that include importing of GPG keys listed in the spacewalk configuration...
On 06/13/2013 11:18 AM, Markus Falb wrote:
> I am wondering why this import is not happening automatically at install time. There must be good reasons for that?

It boils down to how much trust you have in the install media. One school of thought is that compromised media is going to be game over in many ways, other than just keys. Others consider keys to be yet another barrier.

Keys are also published at the CentOS mirrors, and the installer ISO sums are published in the release notes. Both of these resources should be spread enough that using multiple sources should help increase confidence levels.

- KB

-- 
Karanbir Singh
+44-207-0999389 | http://www.karan.org/ | twitter.com/kbsingh
GnuPG Key : http://www.karan.org/publickey.asc
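As an added illustration of the cross-checking KB describes (this is example code written for this thread, not anything from CentOS or the list), the script below reads an RPM-GPG-KEY file from the install media, computes the OpenPGP v4 fingerprint of its public-key packet itself (no rpm or gpg needed, so it can run early in %post) and compares it with a fingerprint you pinned from a second source such as the mirrors. The function names and the expectation that the file holds a version 4 key are my assumptions.

```python
import base64
import hashlib


def armor_to_bytes(armored: str) -> bytes:
    """Strip the ASCII armor from an RPM-GPG-KEY file and return the raw OpenPGP packets."""
    lines = armored.splitlines()
    begin = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    # Skip "Version:"-style headers (base64 never contains ":") and the "=XXXX" CRC24 line
    data = [l.strip() for l in lines[begin + 1:end]
            if l.strip() and ":" not in l and not l.startswith("=")]
    return base64.b64decode("".join(data))


def first_public_key_packet(raw: bytes) -> bytes:
    """Walk the packet stream (RFC 4880 section 4.2) and return the first Public-Key packet body."""
    pos = 0
    while pos < len(raw):
        ctb = raw[pos]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:  # new-format header: tag in the low 6 bits, 1/2/5-octet length
            tag, first = ctb & 0x3F, raw[pos + 1]
            if first < 192:
                hdr, length = 2, first
            elif first < 224:
                hdr, length = 3, ((first - 192) << 8) + raw[pos + 2] + 192
            elif first == 255:
                hdr, length = 6, int.from_bytes(raw[pos + 2:pos + 6], "big")
            else:
                raise ValueError("partial body lengths are not supported")
        else:  # old-format header: tag in bits 2-5, length-type in the low 2 bits
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            hdr = 1 + (1 << ltype)
            length = int.from_bytes(raw[pos + 1:pos + hdr], "big")
        if tag == 6:
            return raw[pos + hdr:pos + hdr + length]
        pos += hdr + length
    raise ValueError("no public-key packet found")


def v4_fingerprint(body: bytes) -> str:
    """SHA-1 over 0x99, the two-octet body length and the body (RFC 4880 section 12.2)."""
    if body[0] != 4:
        raise ValueError("only version 4 keys are supported")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def key_file_matches_pin(armored: str, pinned: str) -> bool:
    """True if the key file's fingerprint equals the fingerprint pinned from a second source."""
    fingerprint = v4_fingerprint(first_public_key_packet(armor_to_bytes(armored)))
    return fingerprint == pinned.replace(" ", "").upper()
```

In a kickstart %post you would call key_file_matches_pin() on each file under /etc/pki/rpm-gpg with the fingerprint recorded from the mirrors beforehand, and only run rpm --import when it returns True.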