Docs for Red Hat Developers: RHDEVDOCS-274

Insecure instructions in CDK IG (gpgcheck)


    • Bug
    • Resolution: Done
    • Major
    • CDK 2.3
    • None
    • CDK
    • None
    • RHDEVDOCS Sprint 122, > Nov 9, RHDEVDOCS Sprint 123, > Nov 30, RHDEVDOCS Sprint 124, > Dec 21, RHDEVDOCS Sprint 125, > Jan 11, RHDEVDOCS Sprint 126, > Feb 01
    • 3

      Section "5.2.1.1. Registering a Red Hat Enterprise Linux System and Enabling Repositories" notes that to install Vagrant, you must use a CentOS repo over an insecure protocol (HTTP) and on top of that disable GPG check:

      https://access.redhat.com/documentation/en/red-hat-container-development-kit/2.2/paged/installation-guide/chapter-5-installing-container-development-kit-on-red-hat-enterprise-linux#registering_a_red_hat_enterprise_linux_system_and_enabling_repositories

      This is strange since the packages are definitely signed:

      $ rpm -qpi http://mirror.centos.org/centos-7/7/sclo/x86_64/sclo/vagrant1/sclo-vagrant1-vagrant-1.8.1-7.el7.noarch.rpm 2> /dev/null |grep -i Signature
      Signature : RSA/SHA1, Wed 24 Aug 2016 03:40:26 PM CEST, Key ID 4eb84e71f2ee9d55

      Can the docs be corrected please to remove the step to disable 'gpgcheck'? Also, maybe it's worth researching if there is a way to get the package over HTTPS.

      ------------------

      https://bugzilla.redhat.com/show_bug.cgi?id=1391414

              rkratky@redhat.com Robert Krátký (Inactive)
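
A check for the two weaknesses raised in this report (signature checking disabled, repository fetched over plain HTTP), added here as an example; it is not part of the original issue or of the Red Hat documentation. The repo stanzas are constructed samples modelled on the URL in the report, `mirror.example.com` and `RPM-GPG-KEY-EXAMPLE` are placeholders, and `audit_repo` is a hypothetical helper name.

```python
import configparser

# Values treated as "false" for yum-style boolean options (assumption for this example).
FALSY = {"0", "no", "false", "off"}

def audit_repo(text):
    """Return (repo_id, finding) tuples for the text of a yum .repo file."""
    # interpolation=None: repo URLs may contain '%' or '$releasever' literally.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    for repo in cp.sections():
        opts = cp[repo]
        if opts.get("enabled", "1").strip().lower() in FALSY:
            continue  # a disabled repo is not used for installs
        if opts.get("gpgcheck", "").strip().lower() in FALSY:
            findings.append((repo, "gpgcheck disabled"))
        # Each of these options may list several URLs separated by whitespace.
        for key in ("baseurl", "mirrorlist", "metalink", "gpgkey"):
            for url in opts.get(key, "").split():
                if url.lower().startswith(("http://", "ftp://")):
                    findings.append((repo, f"{key} over cleartext: {url}"))
    return findings

# Constructed sample: the kind of stanza the report objects to.
WEAK = """\
[sclo-vagrant1]
name=vagrant1 (constructed sample)
baseurl=http://mirror.centos.org/centos-7/7/sclo/x86_64/sclo/
gpgcheck=0
enabled=1
"""

# Constructed sample: same repo with signature checking on and a TLS mirror.
# Host and key path are placeholders, not values from the report.
HARDENED = """\
[sclo-vagrant1]
name=vagrant1 (constructed sample)
baseurl=https://mirror.example.com/centos-7/7/sclo/x86_64/sclo/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-EXAMPLE
enabled=1
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_repo(text) or "no findings")
```

With `gpgcheck=1` alone, package signatures are verified but repository metadata fetched over HTTP is not; yum's `repo_gpgcheck` option covers metadata where the repository publishes a signed `repomd.xml`.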