[Pulp-list] Is gpgkey published by distributor?

Jiri Tyr jiri.tyr at gmail.com
Wed Jun 8 13:25:00 UTC 2016


Of course you could use HTTPS as well, which should make it secure:

gpgkey = https://mypulpserver/pulp/keys/epel.key


On Wed, Jun 8, 2016 at 2:18 PM, Jeremy Cline <jcline at redhat.com> wrote:
>
> This scenario is insecure. Serving the GPG key over HTTP leaves it
> vulnerable to a man-in-the-middle attack. You could serve it over
> HTTPS, and this is sometimes done, but I'm not sure what you gain from
> it. Accepting the GPG key from the server can only be done if you trust
> the server, but checking the signatures on the packages provided by the
> same server indicates you _don't_ trust the server.
>
> I recommend using a configuration management tool like Ansible to
> distribute the GPG key over a trusted channel if you want to serve
> content over HTTP.
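Jeremy's suggestion of distributing the key over a trusted channel, worked through as an Ansible playbook (an added example, not code from either poster or from the Pulp project; the key file path, repo name and repository URL path are assumed, only the `mypulpserver` host and `epel.key` name come from the thread):

```yaml
# Added example: the signing key travels from the Ansible control node, not from
# the HTTP server that also serves the packages, so the package signature check
# still means something. Paths, repo id and baseurl are assumptions.
- name: Configure a Pulp-hosted EPEL mirror with a locally distributed GPG key
  hosts: all
  become: true
  tasks:
    - name: Copy the signing key from the control node (the trusted channel)
      ansible.builtin.copy:
        src: files/epel.key            # assumed location on the control node
        dest: /etc/pki/rpm-gpg/RPM-GPG-KEY-epel-mirror
        owner: root
        group: root
        mode: "0644"

    - name: Import the key into the RPM database
      ansible.builtin.rpm_key:
        key: /etc/pki/rpm-gpg/RPM-GPG-KEY-epel-mirror
        state: present

    # Packages may be served over plain HTTP: with gpgcheck on, yum/dnf rejects
    # any package whose signature does not verify against the imported key.
    # Weak variant to avoid: gpgkey: http://mypulpserver/pulp/keys/epel.key
    # (key and packages from the same untrusted channel, so a MITM can swap both).
    - name: Define the repository pointing at the local copy of the key
      ansible.builtin.yum_repository:
        name: epel-mirror
        description: EPEL mirror served by Pulp
        baseurl: http://mypulpserver/pulp/repos/epel/   # assumed repo path
        gpgcheck: true
        gpgkey: file:///etc/pki/rpm-gpg/RPM-GPG-KEY-epel-mirror
```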