On Wednesday 31 July 2019 at 16:10 -0700, Brian C. Lane wrote:
> On Wed, Jul 31, 2019 at 09:05:21PM +0200, Nicolas Mailhot via devel wrote:
> > On Wednesday 31 July 2019 at 12:25 -0500, Jason L Tibbitts III wrote:
> > > >>>>> "KF" == Kevin Fenzi <kevin(a)scrye.com> writes:
> > >
> > > KF> * If you use metalinks, rpm signatures are just gravy on top, in the
> > > KF> end you are still just trusting SSL CA's.
> > >
> > > Only if you trust every mirror to always serve authentic content.
> >
> > And, just to provide another data point, we tried this month to make
> > the network install iso talk to https dnf repos (a reposync of fedora
> > devel x86_64, without x86 packages, because we don't have the storage
> > budget to mirror 32 bit packages we don't have the use for them
> > anyway). The repos themselves worked fine from installed systems. But,
> > anaconda refused to use them, till they were re-exposed in plain
> > unsecured http.
>
> It's odd that they would work from an installed system and not anaconda.
> Are you using a self-signed cert on them?

No, a proper public cert, that even Firefox accepts without grumbling
(not an easy thing to manage these days).

> If so you can pass inst.noverifyssl to anaconda to tell it to ignore
> the error but still use https.

Thanks for the suggestion, I had forgotten about it. Is it possible to
do that manually without a kickstart? For that installation workflow we
start from a minimal unmodified install, and customize it in a later
stage.

Regards,
--
Nicolas Mailhot