
Signed Repository Metadata is now Available for CentOS 6 and 7 for the Updates Repo

Discussion in 'CentOS, Redhat & Oracle Linux News' started by eva2000, May 7, 2015.

  1. eva2000

    The CentOS Project is now providing a signed copy of the repodata metadata file (repomd.xml.asc) for our Updates Repository for both CentOS-6 and CentOS-7. To use this feature, you would edit the file /etc/yum.repos.d/CentOS-Base.repo and locate the [updates] section, the default looks like this:


    #released updates
    [updates]
    name=CentOS-$releasever - Updates
    mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
    #baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
    gpgcheck=1
    gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

    You would add in this option:


    repo_gpgcheck=1

    Currently we only have this option available on the [updates] repos for CentOS-6 and CentOS-7, but we will be rolling it out to all C6 and C7 repos in the future.

    Yum will verify that the repo in question is signed with the RPM-GPG-KEY-CentOS-7 (or RPM-GPG-KEY-CentOS-6 for CentOS-6) key, so you can be sure these updates come directly from the CentOS Project and no one else.

    Here is a good read about GPG sign and verify RPM packages and yum repositories. It also explains why we are not rolling it into the CentOS-5 repos.

    There is also further information on this CentOS Maillist thread.

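An added example, not part of the original post or of any CentOS tooling: a small Python audit that lists the enabled repos in a .repo file that do not set repo_gpgcheck=1, so you can see where signed-metadata verification is still off. The sample repo text is constructed, the function names are hypothetical, and an option missing from a section is assumed to be off (defaults inherited from [main] in /etc/yum.conf are not read).

```python
import configparser
import sys

# Values yum's boolean options treat as true.
TRUE_VALUES = {"1", "yes", "true"}

# Constructed sample in the layout of CentOS-Base.repo (not copied from a real host).
SAMPLE_REPO = """\
[base]
name=CentOS-$releasever - Base
gpgcheck=1

[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates&infra=$infra
gpgcheck=1
repo_gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-7

[extras]
enabled=0
gpgcheck=1
"""

def audit_repo_text(text):
    """Map each enabled repo id to its gpgcheck / repo_gpgcheck state."""
    # interpolation=None keeps $releasever and % characters literal.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.read_string(text)
    report = {}
    for repo_id in parser.sections():
        opts = parser[repo_id]
        # Assumption: an absent option counts as off; /etc/yum.conf [main] is not consulted.
        if opts.get("enabled", "1").strip().lower() not in TRUE_VALUES:
            continue
        report[repo_id] = {
            key: opts.get(key, "0").strip().lower() in TRUE_VALUES
            for key in ("gpgcheck", "repo_gpgcheck")
        }
    return report

def unsigned_metadata_repos(text):
    """Enabled repos whose repomd.xml signature is not being verified."""
    return sorted(r for r, s in audit_repo_text(text).items() if not s["repo_gpgcheck"])

if __name__ == "__main__":
    for path in sys.argv[1:]:  # e.g. /etc/yum.repos.d/*.repo
        with open(path) as fh:
            print(path, unsigned_metadata_repos(fh.read()))
```

Run it with the .repo files as arguments; each path is printed with the list of enabled repo ids that still lack repo_gpgcheck=1.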