It's logistically difficult to sign the repodata... but of course it could be done.
Has someone tried to get this done/accepted before?
Is there any kind of certificate pinning in place when verifying the certificate of https://mirrors.fedoraproject.org or can the certificate be from any trusted CA?
I'm not sure. Yum (and dnf) uses python-urlgrabber, which uses urlgrabber, which uses curl. So, it would depend on the default curl config.
So we could take advantage of the environment variable named 'CURL_CA_BUNDLE' to feed it with the issuing CA of https://mirrors.fedoraproject.org's certificate.
Does Fedora have a policy on where it gets its certificates from? Is it always DigiCert?
Until curl gets DANE support, could we use 'CURL_CA_BUNDLE' as a poor man's CA pinning?
http://curl.haxx.se/docs/todo.html#Support_DANE
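An added example (mine, not code from this thread, curl or Fedora) showing the check a restricted CURL_CA_BUNDLE imposes: with only the issuing CA in the bundle, the mirror's certificate verifies, while a chain to any other CA (however widely trusted) is rejected. It uses Go's crypto/x509 to build a throwaway test PKI offline instead of contacting the real mirror; "Issuing CA", "Other CA" and the serial numbers are constructed values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue signs tmpl with the parent CA (self-signed when parent is nil); constructed test PKI, not Fedora's.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func ca(name string, serial int64) *x509.Certificate {
	return &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: name},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
}

// verifyWithBundle is the check a restricted CURL_CA_BUNDLE imposes: only the CAs
// in bundle are trusted roots, so a chain ending at any other CA is rejected.
func verifyWithBundle(leaf *x509.Certificate, host string, bundle ...*x509.Certificate) error {
	roots := x509.NewCertPool()
	for _, c := range bundle {
		roots.AddCert(c)
	}
	_, err := leaf.Verify(x509.VerifyOptions{DNSName: host, Roots: roots})
	return err
}

// PinnedMirrorCheck issues the mirror cert from "Issuing CA" and verifies it against a bundle holding only that CA, then only "Other CA".
func PinnedMirrorCheck() (pinnedOK, otherOK bool) {
	const host = "mirrors.fedoraproject.org"
	issuing, issuingKey := issue(ca("Issuing CA", 1), nil, nil)
	other, _ := issue(ca("Other CA", 2), nil, nil)
	mirror, _ := issue(&x509.Certificate{SerialNumber: big.NewInt(3), Subject: pkix.Name{CommonName: host},
		DNSNames: []string{host}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, issuing, issuingKey)
	return verifyWithBundle(mirror, host, issuing) == nil, verifyWithBundle(mirror, host, other) == nil
}
```

A bundle pinned this way has to be refreshed whenever the mirror's issuing CA changes, or every yum/dnf metadata fetch fails closed.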