List:       opensuse-buildservice
Subject:    Re: Signing/SSL fingerprint for RockyLinux
From:       Neal Gompa <ngompa13 () gmail ! com>
Date:       2023-12-15 12:22:41
Message-ID: CAEg-Je8ZTPLbw8y9SOnc9vZiyEoYCtqJ4EruRaMiJc8GW6dOxA () mail ! gmail ! com

On Wed, Dec 6, 2023 at 8:14 AM Georg Brandl <g.brandl@fz-juelich.de> wrote:
>
> Hello dear maintainers,
>
> please update SSL fingerprint for download repos in RockyLinux:8 and
> RockyLinux:9. The certificate seems to have been rotated again.
>
> Also, is it really true that the repo is not signed? Is the key
> here not usable?
>
> https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-8 and -9
>

It is rare in the Red Hat ecosystem to see repository metadata
signing. Fedora doesn't have it because their security folks believe
the authentication chain from TLS to metalink to repository metadata
contains enough cryptographically secure checksums in the process to
not warrant the extra hassle. CentOS has it because I pushed for it
years ago when they didn't have a similar mirror management setup to
Fedora, and it was retained after the transition to Fedora-style
mirrors. COPR does not do repository metadata signing yet either[1],
though this may change once they move to Pulp[2] for repository
storage and management[3].

[1]: https://github.com/fedora-copr/copr/issues/2644
[2]: https://pulpproject.org/
[3]: https://github.com/fedora-copr/copr/issues/2533




--
真実はいつも一つ!/ Always, there's only one truth!
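
The checksum chain described in the reply above (TLS-fetched metalink, then repomd.xml, then the metadata files it lists), as an added example that is not part of the original message or of any project's code. It assumes the metalink bytes were already fetched over verified TLS; the function names are hypothetical, the sample documents are constructed, and the element names follow the Metalink 3.0 and repomd.xml layouts.

```python
import hashlib
import xml.etree.ElementTree as ET

ML = {"ml": "http://www.metalinker.org/"}
REPO = {"r": "http://linux.duke.edu/metadata/repo"}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def pinned_repomd_hash(metalink: bytes) -> str:
    """Return the sha256 that the metalink (trusted via TLS) pins for repomd.xml."""
    node = ET.fromstring(metalink).find(
        ".//ml:file[@name='repomd.xml']/ml:verification/ml:hash[@type='sha256']", ML)
    if node is None or not node.text:
        raise ValueError("metalink pins no sha256 for repomd.xml")
    return node.text.strip().lower()

def verify_chain(metalink: bytes, repomd: bytes, files: dict) -> bool:
    """files maps location href -> bytes as downloaded from an untrusted mirror."""
    if sha256(repomd) != pinned_repomd_hash(metalink):
        return False  # mirror served a repomd.xml the metalink does not vouch for
    # repomd.xml is parsed only after its hash matched, so its checksums are trusted.
    for data in ET.fromstring(repomd).findall("r:data", REPO):
        csum = data.find("r:checksum[@type='sha256']", REPO)
        loc = data.find("r:location", REPO)
        if csum is None or loc is None or loc.get("href") not in files:
            return False
        if sha256(files[loc.get("href")]) != (csum.text or "").strip().lower():
            return False
    return True

def build_sample():
    """Constructed sample data; hashes are computed here, not taken from a real repo."""
    primary, href = b"<metadata packages='0'/>", "repodata/primary.xml"
    repomd = ('<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
              f'<checksum type="sha256">{sha256(primary)}</checksum>'
              f'<location href="{href}"/></data></repomd>').encode()
    metalink = ('<metalink xmlns="http://www.metalinker.org/"><files><file name="repomd.xml">'
                f'<verification><hash type="sha256">{sha256(repomd)}</hash></verification>'
                '</file></files></metalink>').encode()
    return metalink, repomd, {href: primary}

if __name__ == "__main__":
    m, r, f = build_sample()
    print("intact chain:", verify_chain(m, r, f))
    print("tampered primary:", verify_chain(m, r, {"repodata/primary.xml": b"evil"}))
```

Every link below the metalink is only as strong as the TLS validation of the metalink fetch, which is why the pinned certificate fingerprint in the original request matters when the repository metadata itself is unsigned.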