Hi.
I'm building a new repo, and I'm concerned about the security of GPG keys.
I've found out that when Yum (or RPM) imports a key, the information about the key's expiry date and status is ignored.
For instance, I could import a revoked key, or an expired key - no warnings will be displayed. Packages that were signed with these keys could be validated without errors. Is it a bug, or a feature?
Q1: How can I remove/revoke a GPG public key from a user's rpmdb without user interaction? I've tried to make a package that Obsoletes the package gpg-pubkey-x-y (which is the imported public key), but to no avail.
In Apt, I can easily manage repo keys by using separate keyrings, loaded from /etc/apt/trusted.gpg.d/*.gpg, by adding, replacing or removing keyring files.
I've found out that a similar folder should be present in RPM as well (available in the macro _keyringpath): the folder %{_dbpath}/pubkeys/, which is %{_var}/lib/rpm/pubkeys/.
However, this folder is not present in CentOS 6 or 7. There's only a file called Pubkeys.
Q2: Does this folder allow me to manage GPG keys as simple files, as Apt does? Should I create this folder manually on my clients' PCs? I'm very uncomfortable about creating structures inside the package manager's directory.
Thanks in advance.
_______________________________________________
Rpm-list mailing list
Rpm-list@xxxxxxxxxxxxx
http://lists.rpm.org/mailman/listinfo/rpm-list
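The post above observes that rpm/yum import a key without checking whether it is expired or revoked. One defensive answer is to gate `rpm --import` on gpg's own view of the key first. The following is an added example, not code from the list post or from the rpm project. It assumes a GnuPG with `--show-keys` (present since 2.1.23) and the documented `--with-colons` record layout (field 2 of a `pub` record is the validity code, field 6 the creation time and field 7 the expiry time as epoch seconds); that gpg marks revoked and expired keys with validity `r` and `e` in that listing is assumed here, and the expiry timestamp comparison serves as a fallback. The embedded listing is constructed sample data, not real keys, and the `gpg-pubkey-<low 8 hex of key ID>-<creation time in hex>` package name is the convention rpm uses for imported keys.

```python
"""Pre-import check for an RPM repository signing key.

rpm/yum import keys without consulting their expiry or revocation
status, so this added example gates `rpm --import` on gpg's own view
of the key. It parses gpg's machine-readable `--with-colons` listing
and derives the gpg-pubkey-* package name rpm will use for the key.
"""
import subprocess
import sys
import time

# Validity codes from field 2 of a "pub" record in gpg --with-colons output.
REVOKED = "r"
EXPIRED = "e"


def parse_colon_listing(text):
    """Parse --with-colons output into one dict per primary key."""
    keys = []
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            keys.append({
                "validity": fields[1],
                "keyid": fields[4],                                # long (16 hex) key ID
                "created": int(fields[5]) if fields[5] else None,  # seconds since epoch
                "expires": int(fields[6]) if fields[6] else None,  # empty = never expires
                "uids": [],
            })
        elif fields[0] == "uid" and keys:
            keys[-1]["uids"].append(fields[9])
    return keys


def rpm_pubkey_name(key):
    """Package name rpm gives an imported key:
    gpg-pubkey-<low 8 hex digits of key ID>-<creation time in hex>, lowercase."""
    return "gpg-pubkey-%s-%08x" % (key["keyid"][-8:].lower(), key["created"])


def key_problems(key, now=None):
    """Reasons not to import this key; an empty list means gpg sees nothing wrong."""
    now = time.time() if now is None else now
    problems = []
    if key["validity"] == REVOKED:
        problems.append("key is revoked")
    expired_by_time = key["expires"] is not None and key["expires"] <= now
    if key["validity"] == EXPIRED or expired_by_time:
        when = (time.strftime("%Y-%m-%d", time.gmtime(key["expires"]))
                if key["expires"] else "unknown date")
        problems.append("key expired at " + when)
    return problems


def show_keys(path):
    """List keys in a file without importing them (needs gpg >= 2.1.23 for --show-keys)."""
    result = subprocess.run(
        ["gpg", "--batch", "--with-colons", "--show-keys", path],
        check=True, capture_output=True, text=True)
    return parse_colon_listing(result.stdout)


# Constructed sample listing (not real keys): a revoked, expired key and a clean one.
SAMPLE_LISTING = """\
pub:r:4096:1:AAAAAAAA12345678:1500000000:1650000000::-:::scSC::::::23::0:
fpr:::::::::0123456789ABCDEF0123456789ABCDEFAAAAAAAA12345678:
uid:r::::1500000000::0000000000000000000000000000000000000000::Old Repo Key (constructed) <old@example.invalid>::::::::::0:
pub:-:4096:1:BBBBBBBB87654321:1600000000:1800000000::-:::scSC::::::23::0:
fpr:::::::::FEDCBA9876543210FEDCBA9876543210BBBBBBBB87654321:
uid:-::::1600000000::1111111111111111111111111111111111111111::Current Repo Key (constructed) <repo@example.invalid>::::::::::0:
"""


def check_listing(keys, now=None):
    """Map each key's rpm package name to its problems; import only if every list is empty."""
    return {rpm_pubkey_name(k): key_problems(k, now) for k in keys}


if __name__ == "__main__":
    # Usage: python check_key.py repo-key.asc   (no argument: run on the constructed sample)
    keys = show_keys(sys.argv[1]) if len(sys.argv) > 1 else parse_colon_listing(SAMPLE_LISTING)
    report = check_listing(keys)
    for name, problems in report.items():
        print(name, "OK" if not problems else "; ".join(problems))
    sys.exit(1 if any(report.values()) else 0)
```

A non-zero exit from this script is the signal to stop before `rpm --import`; it does not replace rpm's own signature verification, it only supplies the expiry and revocation check that the import step skips. The `gpg-pubkey-*` name it prints is also what `rpm -q gpg-pubkey` shows once the key is in the rpmdb, so the same function can be used to match a key file against what clients already trust.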