noninteractive gpg #43
Comments
cgwalters
added a commit
to cgwalters/sig-atomic-buildscripts
that referenced
this issue
Apr 15, 2015
…seful I'd expect at least CentOS to have `https://` (i.e. TLS protected) versions of the keys available. However if we do that it triggers other bugs in libhif (which we'll fix), but for now let's just do this. See rpm-software-management/libdnf#43
|
Worth noting the way mock handles this now is: https://lists.fedoraproject.org/pipermail/devel/2015-October/215841.html |
|
The |
|
Err, for |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
RPM and GPG. Always a fun topic!
For the case of upgrading inside an existing system, e.g. you're doing
yum updateinside a Fedora system withfedora-releaseinstalled which references the GPG key byfile:///URIs that were already retrieved in a trusted way (ideally), things are fine.Where things start to break down is when one is operating on a root outside of the running system, which happens with things like installers (Anaconda) and containers (rpm-ostree container).
Notes
http(s)://URLyumwill auto-download and then either prompt, or auto-import if-yis provided (and it's very common to use-yin deployment scripts,Dockerfiles, etc.)Also specifically, I think using
yum -ywithgpgkey=http://blah.com/is completely broken - anyone on the internets can MITM the key and the packages.libhif noninteractivity vs GPG
Now libhif has a policy of noninteractivity (AFAICS). Which...flips around some of the tradeoffs. We actually currently don't even import
gpgkeyURL references at all ifgpgcheck=1butgpgcheck_md=0(which is the default for Fedora/CentOS at least).Fixes
Add a new
gpg_fingerprintto repository files. That way we can auto-download them even over un-authenticated http without (too much) fear (doing HTTP as root still sucks).For the use case of constructing fresh install roots, I would like to support retrieving keys from locations relative to the .repo file. Something like:
gpgkey=file://./RPM-GPG-KEY-CentOS-7Make more well defined which keyring is used for installroots (do we use the real
/etc/rpm/pki-gpgeven if doing an installroot?)The text was updated successfully, but these errors were encountered: