Metadata signing for rawhide

Dennis Gilmore dennis at ausil.us
Thu Aug 6 12:46:18 UTC 2015


On Thursday, August 06, 2015 08:27:44 AM Neal Gompa wrote:
> In the rpm-ecosystem mailing list, Michael Schroeder from SUSE brought up
> that we don't sign the metadata for the rawhide repository
> <http://lists.rpm.org/pipermail/rpm-ecosystem/Week-of-Mon-20150803/000193.html>
> and it would be nice if it was signed so that he could be sure that the
> mirrors didn't "do funny things".
> 
> Is there a reason we don't sign the rawhide repodata? Forgive me for my
> ignorance, but do we sign repository metadata at all, and if so, how do we
> do it? I'd like to do that for my own repos too.

We do not sign any repodata because it is a manual step at the end of long 
running manual processes or at the end of long running fully automated 
processes.  The way that mirrormanager handles metalinks mitigates the need to 
sign the metadata.  You get the md5, sha1, sha256 and sha512 sums and 
timestamps of the repomd.xml from mirrormanager that is verifiable through 
https, assuming you trust fedora infrastructure.  repomd.xml is the file that 
tells you the checksums and data for the other files in the repodata.  You can 
then use the repomd.xml file to verify that none of the other metadata has 
been tampered with.  yum and dnf will ignore any mirrors that return invalid 
data.


Dennis
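The two-step check Dennis describes (metalink hashes from mirrormanager over https vouch for repomd.xml, and repomd.xml in turn vouches for the other repodata files), as an added example that is not mirrormanager, yum or dnf code. It assumes the metalink v3 layout mirrormanager emits (a <file name="repomd.xml"> element with <hash type="..."> children) and the standard repomd.xml layout (<data> entries with <checksum> and <location href>); the metalink, repomd.xml and repodata contents below are constructed for the example, and a mirror is modelled as a plain dict of path to bytes.

```python
"""Verify yum/dnf repodata fetched from an untrusted mirror against a metalink.

Added example, not Fedora infrastructure code. Assumes the mirrormanager
metalink v3 layout and the standard repomd.xml layout; all data is constructed.
"""
import hashlib
import xml.etree.ElementTree as ET

METALINK_NS = "http://www.metalinker.org/"
REPO_NS = "http://linux.duke.edu/metadata/repo"
# Only these digests are treated as trustworthy; md5/sha1 are also listed in
# real metalinks but are ignored here.
STRONG_HASHES = ("sha256", "sha512")
# Older repomd.xml files label sha1 as "sha"; map to hashlib names.
CHECKSUM_ALIASES = {"sha": "sha1"}


def metalink_hashes(metalink_xml: bytes, filename: str = "repomd.xml") -> dict:
    """Return {hash_type: hexdigest} that the metalink publishes for `filename`."""
    root = ET.fromstring(metalink_xml)
    ns = {"m": METALINK_NS}
    for f in root.findall(".//m:file", ns):
        if f.get("name") == filename:
            return {h.get("type"): h.text.strip() for h in f.findall(".//m:hash", ns)}
    raise ValueError(f"{filename} not listed in metalink")


def verify_repomd(metalink_xml: bytes, repomd_bytes: bytes) -> bool:
    """Step 1: the repomd.xml a mirror served must match every strong digest
    in the metalink obtained over https. Refuse if no strong digest is present."""
    strong = {k: v for k, v in metalink_hashes(metalink_xml).items() if k in STRONG_HASHES}
    if not strong:
        return False
    return all(hashlib.new(algo, repomd_bytes).hexdigest() == digest
               for algo, digest in strong.items())


def verify_repodata(repomd_bytes: bytes, fetched: dict) -> dict:
    """Step 2: given an already-verified repomd.xml and {href: bytes} fetched
    from the mirror, return {href: bool} for every <data> entry. A file the
    mirror did not return, or returned altered, is False."""
    root = ET.fromstring(repomd_bytes)
    ns = {"r": REPO_NS}
    results = {}
    for data in root.findall("r:data", ns):
        href = data.find("r:location", ns).get("href")
        csum = data.find("r:checksum", ns)
        algo = CHECKSUM_ALIASES.get(csum.get("type"), csum.get("type"))
        body = fetched.get(href)
        results[href] = body is not None and hashlib.new(algo, body).hexdigest() == csum.text.strip()
    return results


# --- constructed sample repository -----------------------------------------
PRIMARY_XML = b"<metadata packages='1'><package type='rpm'><name>example</name></package></metadata>"
FILELISTS_XML = b"<filelists packages='1'/>"


def _sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


REPOMD_XML = (
    '<?xml version="1.0" encoding="UTF-8"?>\n'
    f'<repomd xmlns="{REPO_NS}">\n'
    f'  <data type="primary"><checksum type="sha256">{_sha256(PRIMARY_XML)}</checksum>'
    '<location href="repodata/primary.xml"/></data>\n'
    f'  <data type="filelists"><checksum type="sha256">{_sha256(FILELISTS_XML)}</checksum>'
    '<location href="repodata/filelists.xml"/></data>\n'
    '</repomd>\n'
).encode()

# What mirrormanager would hand out over https for this repomd.xml.
METALINK_XML = (
    '<?xml version="1.0" encoding="utf-8"?>\n'
    f'<metalink version="3.0" xmlns="{METALINK_NS}">\n'
    '  <files><file name="repomd.xml">\n'
    f'    <size>{len(REPOMD_XML)}</size>\n'
    '    <verification>\n'
    f'      <hash type="md5">{hashlib.md5(REPOMD_XML).hexdigest()}</hash>\n'
    f'      <hash type="sha256">{_sha256(REPOMD_XML)}</hash>\n'
    f'      <hash type="sha512">{hashlib.sha512(REPOMD_XML).hexdigest()}</hash>\n'
    '    </verification>\n'
    '  </file></files>\n'
    '</metalink>\n'
).encode()

HONEST_MIRROR = {"repodata/primary.xml": PRIMARY_XML,
                 "repodata/filelists.xml": FILELISTS_XML}
# A mirror that swaps in a different primary.xml but leaves repomd.xml alone.
TAMPERED_MIRROR = dict(HONEST_MIRROR, **{"repodata/primary.xml": PRIMARY_XML + b"<!-- extra -->"})

if __name__ == "__main__":
    print("repomd.xml matches metalink:", verify_repomd(METALINK_XML, REPOMD_XML))
    print("altered repomd.xml accepted:", verify_repomd(METALINK_XML, REPOMD_XML + b"\n"))
    print("honest mirror:", verify_repodata(REPOMD_XML, HONEST_MIRROR))
    print("tampered mirror:", verify_repodata(REPOMD_XML, TAMPERED_MIRROR))
```

The order matters: repomd.xml must be checked against the metalink before it is used to check anything else, since a mirror that can alter repomd.xml can make any primary.xml "match". The trust anchor is the https connection to mirrormanager, which is why this scheme only holds as long as that infrastructure is trusted.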