Best way to distribute GPG keys for Yum repo?


 



Hi all.
 
I'm creating a new repo, and I want to make a *-release package for users to simplify the installation. Such initial packages are provided by EPEL, Zabbix, and many more.
These packages do two things: adding a .repo conf to yum.repos.d, and adding a GPG key to /etc/pki/; I want to sign my packages using GPG, so here starts the interesting part.
 
Since all packages are signed, I need the valid private key to update them. If the key is stolen or lost, there would be no way for me to update the initial package, and therefore, import the new PGP key to the user's OS.
I could issue a new key and re-sign all RPMs in the repo with it, but it will cause an ugly error when the user tries to update. Also, it's not good for unattended updates.
 
As a more trustworthy solution, I consider using a separate subkey for signing packages. The 'root' GPG key is stored offsite and used only to issue new subkeys, extend the validity of existing subkeys, or revoke compromised ones. There's no risk of losing it.
However, yum does not accept subkeys, as far as I understand.
 
So, what's the best way to distribute these keys in the most no-user-interaction way?
 
Thank you.
_______________________________________________
Yum mailing list
Yum@xxxxxxxxxxxxxxxxx
http://lists.baseurl.org/mailman/listinfo/yum
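
Added example (not part of the original post or of yum itself): a small audit of the `.repo` file that a *-release package installs, checking that each enabled repo has `gpgcheck=1` and that every `gpgkey` URL points at a key file under `/etc/pki/`. The repo ids, URLs and key file names are constructed placeholders, and a missing `gpgcheck` line is treated as a finding on the assumption that the effective value then depends on the system-wide yum.conf.

```python
import configparser

# Constructed sample of a .repo file as shipped by a *-release package.
# Repo ids, URLs and key file names are placeholders, not real values.
SAMPLE_REPO = """\
[example]
name=Example repo
baseurl=https://repo.example.invalid/el/$releasever/$basearch/
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-example-next

[example-testing]
name=Example repo (testing)
baseurl=https://repo.example.invalid/el/$releasever/$basearch/testing/
enabled=1
gpgcheck=0
"""

def audit_repo(text, key_dir="/etc/pki/"):
    """Return {repo_id: [findings]} for enabled repos; an empty list means OK."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1").strip() != "1":
            continue  # disabled repos are not used for updates
        findings = []
        # Assumption: an absent gpgcheck is reported, since the effective
        # value would then come from yum.conf rather than from this file.
        if sec.get("gpgcheck", "0").strip() != "1":
            findings.append("gpgcheck is not enabled")
        # gpgkey may list several URLs separated by whitespace or newlines.
        keys = sec.get("gpgkey", "").split()
        if not keys:
            findings.append("no gpgkey configured")
        for url in keys:
            if not url.startswith("file://" + key_dir):
                findings.append("key not installed under %s: %s" % (key_dir, url))
        report[repo] = findings
    return report

if __name__ == "__main__":
    for repo, findings in audit_repo(SAMPLE_REPO).items():
        print(repo, "OK" if not findings else "; ".join(findings))
```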
