[tor-dev] repo: TLS vs. GPG signed files (#12871)

Nusenu BM-2D8wMEVgGVY76je1WXNPfo8SrpZt5yGHES at bitmessage.ch
Thu Oct 23 22:37:16 UTC 2014


Hi Ondrej,

[I felt it is better to discuss this via email if you feel otherwise
feel free to move the discussion back to trac.]

Even though it was also me requesting the use of HTTPS for the repos [1]
- and I'm glad it has been (partially) accepted and implemented - I do not
follow your comment that HTTPS is "better" than repo_gpgcheck [2].

It is my opinion that even in the case of HTTPS GPG signatures provide a
security improvement since (I hope) the private GPG key used to sign the
repo is less exposed than the wildcard certificate for *.tpo.

(I filed #13553 [4] to address rogue CAs / certificate pinning for yum.)


Could you elaborate on your issue regarding repo_gpgcheck not showing
fingerprints? (It does show the gpg key fingerprint on a fc20 system
after adding repo_gpgcheck=1 and running 'yum update' [3]).

Thanks for providing and maintaining the RPM repo,
Nusenu


[1] https://trac.torproject.org/projects/tor/ticket/12897

[2] https://trac.torproject.org/projects/tor/ticket/12871#comment:8

[3]
Importing GPG key 0x5AC001F1:
 Userid     : "torproject.org RPM signing key"
 Fingerprint: 3b9e eeb9 7b1e 827b cf0a 0d96 8af5 653c 5ac0 01f1
 From       :
https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
Is this ok [y/N]:

[4] https://trac.torproject.org/projects/tor/ticket/13553
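An added example, not part of Nusenu's mail or of yum itself: a small Python check that parses the key-import prompt quoted in [3] and answers "ok" only when the full fingerprint matches a value pinned out of band. The pinned value is simply the fingerprint from [3] and the parser is an illustration, not yum's own code.

```python
import re

# Constructed sample input: the prompt yum prints with repo_gpgcheck=1,
# copied from reference [3] in the mail above.
YUM_PROMPT = """Importing GPG key 0x5AC001F1:
 Userid     : "torproject.org RPM signing key"
 Fingerprint: 3b9e eeb9 7b1e 827b cf0a 0d96 8af5 653c 5ac0 01f1
 From       :
https://deb.torproject.org/torproject.org/rpm/RPM-GPG-KEY-torproject.org.asc
Is this ok [y/N]:
"""

# Fingerprint pinned out of band (assumption for this example: it is the
# value shown in [3]); a real deployment would record it from a key that
# was verified independently of the download URL and TLS certificate.
PINNED_FINGERPRINT = "3B9E EEB9 7B1E 827B CF0A 0D96 8AF5 653C 5AC0 01F1"


def normalize_fpr(text):
    """Strip spacing/punctuation and upper-case a hex fingerprint."""
    return re.sub(r"[^0-9A-Fa-f]", "", text).upper()


def parse_import_prompt(prompt):
    """Extract short key id, fingerprint and source URL from the prompt."""
    m_id = re.search(r"Importing GPG key 0x([0-9A-Fa-f]{8}):", prompt)
    m_fpr = re.search(r"Fingerprint:\s*([0-9A-Fa-f ]+)", prompt)
    m_url = re.search(r"From\s*:\s*(\S+)", prompt)
    if not (m_id and m_fpr and m_url):
        raise ValueError("unrecognized yum key import prompt")
    return {
        "keyid": m_id.group(1).upper(),
        "fingerprint": normalize_fpr(m_fpr.group(1)),
        "url": m_url.group(1),
    }


def key_import_ok(prompt, pinned_fpr):
    """True only if the prompt's full fingerprint equals the pinned one."""
    info = parse_import_prompt(prompt)
    pinned = normalize_fpr(pinned_fpr)
    if len(info["fingerprint"]) != 40 or len(pinned) != 40:
        return False  # v4 fingerprints are 160 bits; anything else is suspect
    # The 8-digit key id yum prints is just the tail of the fingerprint and is
    # far too short to identify a key on its own; it must at least be consistent.
    if not info["fingerprint"].endswith(info["keyid"]):
        return False
    return info["fingerprint"] == pinned
```

The check is the manual equivalent of what an administrator should do at the "Is this ok" prompt: compare the printed fingerprint with one obtained outside the HTTPS channel rather than trusting the key id or the download URL.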
