On 06/08/2016 08:50 AM, Jiri Tyr wrote:
> Hello,
>
> I have a repo which was created with the --gpgkey option.
>
> Is there a way to publish the key via HTTP so that I can point to it
> from the YUM repo file using the "gpgkey" property?
Hi Jiri,

I do not believe this is currently possible using Pulp. The GPG key appears to only be used by the "consumers" feature of Pulp.

> Example:
>
> $ cat /etc/yum.repos.d/epel.repo
> [epel]
> baseurl = http://mypulpserver/pulp/repos/epel/6/$basearch/
> gpgcheck = 1
> gpgkey = http://mypulpserver/pulp/path/to/the/epel.key
> name = EPEL YUM repo

This scenario is insecure. Serving the GPG key over HTTP leaves it vulnerable to a man-in-the-middle attack. You could serve it over HTTPS, and this is sometimes done, but I'm not sure what you gain from it. Accepting the GPG key from the server can only be done if you trust the server, but checking the signatures on the packages provided by the same server indicates you _don't_ trust the server.

I recommend using a configuration management tool like Ansible to distribute the GPG key over a trusted channel if you want to serve content over HTTP.

--
Jeremy Cline
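As an added illustration of the approach Jeremy recommends (this playbook is not part of the thread and not Pulp's or Ansible's own code), the key travels to each client over Ansible's SSH channel, is imported only if its fingerprint matches a value pinned in the playbook, and the repo file points at the local copy with gpgcheck on, so nothing about trust depends on the plain-HTTP baseurl. Assumed: the key sits beside the playbook as files/epel.key, the hosts group is named yum_clients, and the all-zero fingerprint is a placeholder for the real key's 40-hex-character fingerprint.

```yaml
---
# Added example, not from the mailing-list thread.
# Distributes the repo signing key over the Ansible (SSH) channel, pins its
# fingerprint, and writes a YUM repo that takes the key from local disk.
- name: Install repo signing key and a YUM repo that uses it
  hosts: yum_clients          # assumed inventory group
  become: true
  vars:
    # PLACEHOLDER: replace with the real key's long-form fingerprint.
    epel_key_fingerprint: "0000000000000000000000000000000000000000"
    epel_key_path: /etc/pki/rpm-gpg/RPM-GPG-KEY-epel-pulp

  tasks:
    - name: Copy the signing key to the client over SSH (not over the repo's HTTP URL)
      ansible.builtin.copy:
        src: files/epel.key     # assumed location on the control node
        dest: "{{ epel_key_path }}"
        owner: root
        group: root
        mode: "0644"

    - name: Import the key into the RPM database, refusing it if the fingerprint differs
      ansible.builtin.rpm_key:
        key: "{{ epel_key_path }}"
        fingerprint: "{{ epel_key_fingerprint }}"
        state: present

    - name: Write the repo file with signature checking on and gpgkey on local disk
      ansible.builtin.yum_repository:
        name: epel
        description: EPEL YUM repo
        baseurl: http://mypulpserver/pulp/repos/epel/6/$basearch/
        gpgcheck: true
        gpgkey: "file://{{ epel_key_path }}"
        enabled: true
```

If the key rotates, only the pinned fingerprint and files/epel.key change; clients keep rejecting packages signed by any key that did not arrive through this channel.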
_______________________________________________
Pulp-list mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/pulp-list
