[fedora-virt] GPG signatures for Rawhide virt repo

Ján ONDREJ (SAL) ondrejj at salstar.sk
Fri Jun 5 14:18:21 UTC 2009

On Fri, Jun 05, 2009 at 02:40:04PM +0100, Mark McLoughlin wrote:
> Hi Ján,
> On Fri, 2009-06-05 at 13:21 +0200, Ján ONDREJ (SAL) wrote:
> > Hello,
> > 
> >   Mark, can you please add signatures to vire-preview packages? Installation
> > of totally unsigned packages on my machine is not a good idea, because I
> > don't know, if they was changed by an attacker on internet.
> I've added this to the TODO list[1], but I don't think it takes priority
> over the other items on the list since the repository is a subset of
> rawhide and rawhide is usually unsigned.
> If we do this, though, we should implement this in a relatively secure
> manner so as to not merely give the illusion of security e.g.
>  1) The key should be password protected and kept somewhere safe; I
>     don't see why people should have confidence in packages signed with
>     a password-less key stored on my laptop

Password-less key is better like nothing.
Now there is no safe way, how to download your packages, because
fedorapeople.org does not suport https and packages are not signed.

Can you at least request https for repo URL?

>  2) Key distribution - putting the public key in a text file in the repo
>     doesn't help; if the repo can be compromised, so can that text file
>     - perhaps we could include the key in an F-11 RPM?

I think you can use gpgkey=http://.../... in vedora-virt-preview.repo.
User can confirm import of this key first time, later this key will be used.
This way user only need to check key once.


More information about the Fedora-virt mailing list