ToddAndMargo via users writes:
Hi Ed, Ooops. Forgot to reinstall the key. :'( And now everything works right. Thank you for sticking this through! You are awesome!
To answer your other questions: the GPG keys for older Fedora releases are harmless.
But I have believed, for quite some time, that they are a low risk security hole. A signing PGP key was compromised at least once, many years ago, forcing the whole release to get re-signed.
If one of the older releases' PGP keys gets compromised, things might get a bit dicey, if a few more dominoes can get felled, in the right direction. Say someone swipes F29's PGP key, right now. Hoo boy. A lot of systems will probably trust anything signed by that key.
I always thought that (these days) dnf system-upgrade should, at some point, delete the old release's pgp key. I dimly recall seeing something in Bugzilla about it. Every few releases I sift through my RPM databases, and manually delete old release keys.
Why are pgp keys in the rpm database anyway? That seems like a bunch of extra work. /etc/yum.repos.d already contains:
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-$releasever-$basearchSo, why isn't that enough? This should be sufficient to verify signatures on download packages. Why do they have to get imported somewhere in the rpm database, as a fake package, in order to be useful?
Attachment:
pgptFSOpPSQwF.pgp
Description: PGP signature
_______________________________________________ users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx
