[Pulp-list] Is gpgkey published by distributor?

Jeremy Cline jcline at redhat.com
Wed Jun 8 13:18:04 UTC 2016


On 06/08/2016 08:50 AM, Jiri Tyr wrote:
> Hello,
> 
> I have a repo which was created with the --gpgkey option.
> 
> Is there a way to publish the key via HTTP so that I can point to it
> from the YUM repo file using the "gpgkey" property?

Hi Jiri,

I do not believe this is currently possible using Pulp. The GPG key
appears to only be used by the "consumers" feature of Pulp.

> 
> Example:
> 
> $ cat /etc/yum.repos.d/epel.repo
> [epel]
> baseurl = http://mypulpserver/pulp/repos/epel/6/$basearch/
> gpgcheck = 1
> gpgkey = http://mypulpserver/pulp/path/to/the/epel.key
> name = EPEL YUM repo

This scenario is insecure. Serving the GPG key over HTTP leaves it
vulnerable to a man-in-the-middle attack. You could serve it over
HTTPS, and this is sometimes done, but I'm not sure what you gain from
it. Accepting the GPG key from the server can only be done if you trust
the server, but checking the signatures on the packages provided by the
same server indicates you _don't_ trust the server.

I recommend using a configuration management tool like Ansible to
distribute the GPG key over a trusted channel if you want to serve
content over HTTP.

-- 
Jeremy Cline
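The approach recommended above, shown as an added Ansible playbook (not part of the original thread or of Pulp): the key is pushed from the control node over SSH, imported into the RPM keyring, and the repo file references the local copy instead of a URL served by the repository host. The path `files/RPM-GPG-KEY-EPEL-6` on the control node, the host group `yum_clients`, and the `mypulpserver` baseurl layout are assumptions.

```yaml
---
# Added example: distribute a repo signing key over the Ansible SSH channel
# rather than fetching it from the same server that serves the packages.
- name: Install EPEL mirror repo with a locally provisioned GPG key
  hosts: yum_clients          # assumed inventory group
  become: true
  vars:
    # Assumed: key file checked into the playbook repo after being verified
    # out of band (e.g. fingerprint compared against the upstream project's
    # published value).
    epel_key_src: files/RPM-GPG-KEY-EPEL-6
    epel_key_dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-EPEL-6
  tasks:
    - name: Copy the signing key from the control node (trusted channel)
      ansible.builtin.copy:
        src: "{{ epel_key_src }}"
        dest: "{{ epel_key_dest }}"
        owner: root
        group: root
        mode: "0644"

    - name: Import the key into the RPM keyring
      ansible.builtin.rpm_key:
        state: present
        key: "{{ epel_key_dest }}"
        # Optionally pin the expected fingerprint (supported by rpm_key):
        # fingerprint: "<REPLACE WITH VERIFIED FINGERPRINT>"

    - name: Write the repo file pointing gpgkey at the local copy, not HTTP
      ansible.builtin.yum_repository:
        name: epel
        description: EPEL YUM repo
        baseurl: http://mypulpserver/pulp/repos/epel/6/$basearch/
        gpgcheck: true
        gpgkey: "file://{{ epel_key_dest }}"
        enabled: true
```

With `gpgcheck` on and the key delivered this way, package content can still be served over plain HTTP while signature verification no longer depends on trusting that same server.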
