Hello dear maintainers,

please update the SSL fingerprint for the download repos in RockyLinux:8 and RockyLinux:9. The certificate seems to have been rotated again.

Also, is it really true that the repo is not signed? Is the key here not usable?
https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-8 and -9

Thanks!
Georg

--
Jülich Centre for Neutron Science JCNS at Heinz Maier-Leibnitz Zentrum MLZ
Forschungszentrum Jülich GmbH
Lichtenbergstraße 1
85747 Garching
GERMANY
Phone: +49 - 89 158860 731
Fax: +49 - 89 158860 799
---------------------------------------------------------------------------------------------
Forschungszentrum Jülich GmbH
52425 Jülich
Registered office: Jülich
Registered in the commercial register of the Düren district court, no. HR B 3498
Chairman of the supervisory board: MinDir Stefan Müller
Management board: Prof. Dr. Astrid Lambrecht (chair), Karsten Beneke (deputy chair), Dr. Ir. Pieter Jansens
---------------------------------------------------------------------------------------------
Hi Georg,
On Wed, 6 Dec 2023 at 14:14, Georg Brandl wrote:
> please update the SSL fingerprint for the download repos in RockyLinux:8 and RockyLinux:9. The certificate seems to have been rotated again.
> Also, is it really true that the repo is not signed? Is the key here not usable?
> https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-8 and -9
Thanks for reporting that. I forwarded it to the admin team and they just reported this as fixed now. Do you see the same?

TIA,
Dirk
On Wed, Dec 6, 2023 at 8:14 AM Georg Brandl wrote:
> Hello dear maintainers,
> please update the SSL fingerprint for the download repos in RockyLinux:8 and RockyLinux:9. The certificate seems to have been rotated again.
> Also, is it really true that the repo is not signed? Is the key here not usable?
> https://download.rockylinux.org/pub/rocky/RPM-GPG-KEY-Rocky-8 and -9
It is rare in the Red Hat ecosystem to see repository metadata signing. Fedora doesn't have it because their security folks believe the authentication chain from TLS to metalink to repository metadata contains enough cryptographically secure checksums in the process to not warrant the extra hassle. CentOS has it because I pushed for it years ago when they didn't have a similar mirror management setup to Fedora, and it was retained after the transition to Fedora-style mirrors.

COPR does not do repository metadata signing yet either[1], though this may change once they move to Pulp[2] for repository storage and management[3].

[1]: https://github.com/fedora-copr/copr/issues/2644
[2]: https://pulpproject.org/
[3]: https://github.com/fedora-copr/copr/issues/2533

--
真実はいつも一つ!/ Always, there's only one truth!
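The chain Neal describes (TLS to metalink, metalink to repomd.xml, repomd.xml to each metadata file) walked explicitly, as an added example that is not code from this thread, from dnf or from librepo. It uses the real metalink and repomd.xml namespaces and element layout, but the repository documents, the mirror contents and the "backdoor" package are constructed inline for the demo, and the mirror dict stands in for what a mirror would serve over HTTP. It goes slightly beyond the text by covering the two cases such a chain is meant to catch (a single altered file, and a consistently rewritten repository that only the hash anchored outside the mirror can detect), and it includes a check for the detached repomd.xml.asc that dnf's repo_gpgcheck=1 needs, which is the signed-metadata piece Georg asked about.

```python
import hashlib
import xml.etree.ElementTree as ET

# Real namespaces used by Fedora-style metalinks and by repomd.xml.
METALINK_NS = {"m": "http://www.metalinker.org/"}
REPO_NS = {"r": "http://linux.duke.edu/metadata/repo"}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# ---- Constructed sample repository (not a real mirror) ------------------
PRIMARY_XML = b'<?xml version="1.0"?><metadata packages="1"><package/></metadata>'


def build_repomd(primary: bytes) -> bytes:
    """Constructed repomd.xml that points at `primary` and carries its sha256."""
    return (
        '<?xml version="1.0" encoding="UTF-8"?>\n'
        '<repomd xmlns="http://linux.duke.edu/metadata/repo">\n'
        '  <data type="primary">\n'
        f'    <checksum type="sha256">{sha256_hex(primary)}</checksum>\n'
        '    <location href="repodata/primary.xml"/>\n'
        '  </data>\n'
        '</repomd>\n'
    ).encode()


def build_metalink(repomd: bytes) -> bytes:
    """Constructed metalink carrying the sha256 of repomd.xml (the hop that is
    fetched from the project's own TLS-authenticated server, not the mirror)."""
    return (
        '<?xml version="1.0" encoding="utf-8"?>\n'
        '<metalink version="3.0" xmlns="http://www.metalinker.org/">\n'
        '  <files>\n'
        '    <file name="repomd.xml">\n'
        '      <verification>\n'
        f'        <hash type="sha256">{sha256_hex(repomd)}</hash>\n'
        '      </verification>\n'
        '    </file>\n'
        '  </files>\n'
        '</metalink>\n'
    ).encode()


REPOMD_XML = build_repomd(PRIMARY_XML)
METALINK_XML = build_metalink(REPOMD_XML)

# A dict stands in for what the mirror serves; keys are repo-relative paths.
HONEST_MIRROR = {"repodata/repomd.xml": REPOMD_XML, "repodata/primary.xml": PRIMARY_XML}

# Attacker case 1: primary.xml altered in place, repomd.xml left untouched.
EVIL_PRIMARY = b'<?xml version="1.0"?><metadata packages="1"><package name="backdoor"/></metadata>'
TAMPERED_FILE_MIRROR = dict(HONEST_MIRROR, **{"repodata/primary.xml": EVIL_PRIMARY})

# Attacker case 2: a fully consistent rewrite (new primary.xml *and* a repomd.xml
# whose checksum matches it). Only the hash anchored outside the mirror catches it.
REWRITTEN_MIRROR = {"repodata/repomd.xml": build_repomd(EVIL_PRIMARY),
                    "repodata/primary.xml": EVIL_PRIMARY}


def metalink_repomd_sha256(metalink: bytes) -> str:
    root = ET.fromstring(metalink)
    path = ".//m:file[@name='repomd.xml']/m:verification/m:hash"
    for h in root.iterfind(path, METALINK_NS):
        if h.get("type") == "sha256" and h.text:
            return h.text.strip().lower()
    raise ValueError("metalink has no sha256 for repomd.xml")


def verify_chain(metalink: bytes, mirror: dict) -> list:
    """Walk metalink -> repomd.xml -> each listed metadata file. Return the
    verified paths in order, or raise ValueError at the first broken link."""
    repomd = mirror["repodata/repomd.xml"]
    if sha256_hex(repomd) != metalink_repomd_sha256(metalink):
        raise ValueError("repodata/repomd.xml does not match the metalink hash")
    verified = ["repodata/repomd.xml"]
    for data in ET.fromstring(repomd).iterfind("r:data", REPO_NS):
        href = data.find("r:location", REPO_NS).get("href")
        csum = data.find("r:checksum", REPO_NS)
        # Refuse weak digest types instead of silently "verifying" them.
        if csum.get("type") != "sha256":
            raise ValueError(f"{href}: refusing checksum type {csum.get('type')!r}")
        if sha256_hex(mirror[href]) != csum.text.strip().lower():
            raise ValueError(f"{href} does not match repomd.xml")
        verified.append(href)
    return verified


def check_mirror(metalink: bytes, mirror: dict) -> str:
    try:
        return "ok: " + ", ".join(verify_chain(metalink, mirror))
    except (ValueError, KeyError) as exc:
        return f"FAIL: {exc}"


def metadata_is_signed(mirror: dict) -> bool:
    """dnf's repo_gpgcheck=1 needs a detached signature next to repomd.xml."""
    return "repodata/repomd.xml.asc" in mirror


if __name__ == "__main__":
    for name, m in [("honest", HONEST_MIRROR), ("tampered file", TAMPERED_FILE_MIRROR),
                    ("rewritten repo", REWRITTEN_MIRROR)]:
        print(f"{name:15} {check_mirror(METALINK_XML, m)}  signed={metadata_is_signed(m)}")
```

Run it directly to see all three mirrors checked. The practical caveat for a repo fetched by a plain baseurl rather than a metalink is that the first link of this chain does not exist: nothing outside the mirror vouches for repomd.xml, so the TLS connection is the only thing authenticating the metadata, and gpgcheck=1 still only covers the RPM payloads themselves. Signed metadata (repo_gpgcheck=1 with the .asc file that metadata_is_signed looks for) is what removes that dependence on the transport, which is why a rotated certificate fingerprint turns into a support request in the first place.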
participants (3)
- Dirk Müller
- Georg Brandl
- Neal Gompa