public keys

public keys

Josserand, Jesse F (NE)

I’m trying to do a cold yum install of PostgreSQL 12 RPMs, but do not want to use '--nogpgcheck' when doing so.

Where can I get the public keys?

Jess

p.s. Thanks in advance!

TekSynap - Technology Moving at the Speed of Thought

Jesse F. Josserand  |  Sr. Systems Architect/SysAdmin/DB Analyst
M: 601-590-0304  |  D: 228-469-2019  |  [hidden email]
www.TekSynap.com  |  1760 Reston Parkway, Suite 515, Reston VA 20190
Assigned to GDIT Project, 294 Thames Avenue, Bay St. Louis, MS 39520

Re: public keys

Craig Ringer-5
On Fri, Nov 20, 2020 at 1:12 AM Josserand, Jesse F (NE) <[hidden email]> wrote:

> I’m trying to do a cold yum install of PostgreSQL 12 RPMs, but do not want to use '--nogpgcheck' when doing so.
>
> Where can I get the public keys?

I don't know what you mean by a "cold" install.

The keys are packaged in the repo-rpms.

$ rpm -ql pgdg-fedora-repo
/etc/pki/rpm-gpg
/etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
/etc/yum.repos.d/pgdg-fedora-all.repo

They're also available from the repository itself:


The key you want is:

$ gpg --fingerprint 1F16D2E1442DF0F8
pub   dsa1024 2008-01-08 [SCA]
      68C9 E2B9 1A37 D136 FE74  D176 1F16 D2E1 442D F0F8
uid           [ unknown] PostgreSQL RPM Building Project <[hidden email]>
sub   elg2048 2008-01-08 [E]

It should probably be published prominently on yum.postgresql.org by key-id and fingerprint, so it can be verified somewhat independently of the actual download repos, but AFAICS ( https://www.google.com/search?q=site%3Ayum.postgresql.org+1F16D2E1442DF0F8 ) it is not.

So consider filing an issue for that:


I also note that nobody's signed the key to attest its validity on the keyservers. That's not necessarily required for rpms, but might be a good idea. When I get a chance to verify it with Devrim via a side channel I'll sign it and push my signature.
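The advice above (the key ships in the repo rpm, and its fingerprint should be checkable out of band) can be turned into a gate in the install procedure. This is an added example, not code from the thread or from the PGDG project: it lists a key file with gpg without importing it into any keyring, compares the primary-key fingerprint with the one Craig printed, and only then hands the file to rpm. It assumes GnuPG 2.1+ (for --show-keys) and rpm on the host; the key path is the one from the rpm -ql output above.

```shell
#!/bin/sh
# Added example, not code from the thread: check a downloaded RPM-GPG key file
# against the fingerprint quoted in the thread before letting rpm trust it.
# Assumes GnuPG 2.1+ (for --show-keys) and rpm are installed; the key path is
# the one listed by "rpm -ql pgdg-fedora-repo" in the thread.

EXPECTED_FPR="68C9 E2B9 1A37 D136 FE74  D176 1F16 D2E1 442D F0F8"

# Canonical form of a fingerprint: no spaces, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read "gpg --with-colons" output on stdin and print the fingerprint of each
# primary key: the first "fpr" record after a "pub" record, field 10.
# Subkey fingerprints (the "fpr" records after "sub") are deliberately skipped.
primary_fprs() {
    awk -F: '$1 == "pub" { want = 1; next }
             $1 == "fpr" && want { print $10; want = 0 }'
}

# check_listing LISTING EXPECTED: succeed only if the listing holds exactly
# one primary key and its fingerprint equals EXPECTED (spacing/case ignored).
check_listing() {
    fprs=$(printf '%s\n' "$1" | primary_fprs)
    count=$(printf '%s\n' "$fprs" | awk 'NF { n++ } END { print n + 0 }')
    [ "$count" -eq 1 ] || return 1
    [ "$(norm_fpr "$fprs")" = "$(norm_fpr "$2")" ]
}

# verify_and_import KEYFILE: list the key without importing it into any
# keyring, compare the fingerprint, and only then hand the file to rpm.
verify_and_import() {
    listing=$(gpg --batch --with-colons --show-keys "$1") || return 1
    if check_listing "$listing" "$EXPECTED_FPR"; then
        echo "fingerprint OK, importing $1"
        rpm --import "$1"
    else
        echo "fingerprint MISMATCH, refusing to import $1" >&2
        return 1
    fi
}

# Example call (left commented so the file can be sourced without side effects):
# verify_and_import /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
```

After a successful import, `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'` shows the key under its short id, so yum can run with gpgcheck left on.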

RE: public keys

Josserand, Jesse F (NE)

Thank you!

From: Craig Ringer <[hidden email]>
Sent: Thursday, November 19, 2020 8:06 PM
To: Josserand, Jesse F (NE) <[hidden email]>
Cc: [hidden email]
Subject: Re: public keys