Hi Ondrej,
[I felt it is better to discuss this via email if you feel otherwise feel free to move the discussion back to trac.]
Even though it was also me requesting the use of HTTPS for the repos [1] - and I'm glad it has been (partially) accepted and implemented - I do not follow your comment that HTTPS is "better" than repo_gpgcheck [2].
It is my opinion that even in the case of HTTPS GPG signatures provide a security improvement since (I hope) the private GPG key used to sign the repo is less exposed than the wildcard certificate for *.tpo.
(I filed #13553 [4] to address rogue CAs / certificate pinning for yum.)
Could you elaborate on your issue regarding repo_gpgcheck not showing fingerprints? (It does show the gpg key fingerprint on a fc20 system after adding repo_gpgcheck=1 and running 'yum update' [3]).
thanks for providing and maintaining the RPM repo, Nusenu
[1] https://trac.torproject.org/projects/tor/ticket/12897
[2] https://trac.torproject.org/projects/tor/ticket/12871#comment:8
[3] Importing GPG key 0x5AC001F1:
    Userid     : "torproject.org RPM signing key"
    Fingerprint: 3b9e eeb9 7b1e 827b cf0a 0d96 8af5 653c 5ac0 01f1
    From       : https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
    Is this ok [y/N]:
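A small audit check for the two settings discussed in this message (HTTPS transport and repo_gpgcheck=1), as an added example that is not part of the original thread: it parses yum .repo definitions and flags enabled repos that lack either protection. The repo ids, URLs and key path in the sample are constructed placeholders.

```python
"""Audit yum/dnf .repo definitions for transport security (HTTPS baseurl)
and repository metadata signing (repo_gpgcheck=1, in addition to gpgcheck=1).
Added example; the sample .repo text below is constructed for illustration."""
import configparser

# Constructed sample: one hardened section and one weak section.
SAMPLE_REPO = """
[example-hardened]
name=Example hardened repo (constructed)
baseurl=https://repo.example.invalid/rpm/el7/$basearch/
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=https://repo.example.invalid/RPM-GPG-KEY-example.asc

[example-weak]
name=Example weak repo (constructed)
baseurl=http://repo.example.invalid/rpm/el7/$basearch/
enabled=1
gpgcheck=1
"""


def audit_repo_text(text):
    """Return {repo_id: [findings]} for every enabled repo section."""
    cp = configparser.ConfigParser(interpolation=None)  # keep $basearch literal
    cp.read_string(text)
    findings = {}
    for repo in cp.sections():
        sec = cp[repo]
        if sec.get("enabled", "1") != "1":
            continue  # disabled repos are not fetched, skip them
        issues = []
        url = sec.get("baseurl") or sec.get("mirrorlist") or sec.get("metalink") or ""
        if not url.lower().startswith("https://"):
            issues.append("transport is not HTTPS")
        if sec.get("gpgcheck", "0") != "1":
            issues.append("package signature check disabled")
        if sec.get("repo_gpgcheck", "0") != "1":
            issues.append("repository metadata signature check disabled")
        if sec.get("gpgkey", "").lower().startswith("http://"):
            issues.append("gpgkey fetched over plain HTTP")
        findings[repo] = issues
    return findings


if __name__ == "__main__":
    for repo, issues in audit_repo_text(SAMPLE_REPO).items():
        print(repo, "OK" if not issues else "; ".join(issues))
```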
On 10/24/2014 12:37 AM, Nusenu wrote:
> [I felt it is better to discuss this via email if you feel otherwise feel free to move the discussion back to trac.]
Please continue in the trac ticket, it's much easier to have it in one place (https://trac.torproject.org/projects/tor/ticket/12871#comment:9).
Ondrej