Re: PostgreSQL insecure install via yum (multiple problems)

[Landon Hurley <ljrhurley () gmail com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Kurt Seifried <kseifried () redhat com> wrote:
> Problem:
>
> So I wanted to install PostgreSQL 9.2 to test something. So I google
> "postgresql 9.2 rpm" and get sent to:
>
> http://yum.postgresql.org/repopackages.php
>
> which is not available by HTTPS at all. Not ideal but ok, I download
> it over HTTP because I can check the signature on the file right?
>
> Wrong, I can't find the key anywhere. I try pgp.mit.edu, I even google
> site:postgresql.org 442df0f8 and all you get are archived emails with
> the warning that the signature can't be checked. No copy of the key.

Kurt,
pgp.mit.edu is deprecated. I recommend searching 0x442df0f8 on
 pool.sks-keyservers.net which does return a key.

landon



> Solution:
>
> Can PostgreSQL please setup HTTPS immediately for this site, and also
> publish the GPG key used to sign their RPMs in a secure manner (e.g.
> on the HTTPS site)?
>
> To replicate:
>
> $ wget
> https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm
>
> Fails.
>
> $ wget
> https://yum.postgresql.org/9.2/redhat/rhel-6-x86_64/pgdg-centos92-9.2-6.noarch.rpm
>
> Gets the file but:
>
> $ rpm -K pgdg-centos92-9.2-6.noarch.rpm
> pgdg-centos92-9.2-6.noarch.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK
> (MISSING KEYS: GPG#442df0f8)
>
> Signing RPM's isn't very useful if you never make the signing key
> available!
>
>
> --
> Kurt Seifried Red Hat Security Response Team (SRT)
> PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993


- --
Violence is the last refuge of the incompetent.
-----BEGIN PGP SIGNATURE-----
Version: APG v1.0.8

iQJBBAEBCgArBQJSEsCHJBxMYW5kb24gSHVybGV5IDxsanJodXJsZXlAZ21haWwu
Y29tPgAKCRA3qYf9H1SVrNiiEACZzVMdYrf6LoDKOTaKENvHtJOXYIHzG5QLH+C0
/uwyC/TES3RdbW5zMyvMT1Nh+zz9w2jSgYIu/BSgFzXt3+GXhySi/s/rftf1+fr5
K/38OyteKkgbvKJBbvmljTaEoL8rpflXrlR8nL9ozUcv7hLO6If9sQFD+3f5Klfd
6jx3k0F5g2SLmQLO00o6tC4ro9PhJlU7g05ji75bHQA9S3hwYx8fM75OZN/4hC4U
fRXHOLLbPfDOOIdM0McHRiMhayMYskoVU7UhV229zZlCf+rD3odcr/eu46wGE/cF
RmMScyEV3IFuPJAUl4F+ph/j2eKPJ92t73ZtqTbXeIaYL/5AGbbAb8q6BQSoO7oL
BNftzSdEoisjy9xCCUdrnnih2roNUxVwCzpCyrSRbxbnaagA8+UPOGyvk96jA+Ky
jAYfgefmIHZ374iaMLhE6KdzqzIcxtZkA3xbjiCgzwJioHbSB0aImsZjaf60G5KX
TOPwUWc8qFfShhBl0UanTispdMZtdgxEvs+FRluDypQevU0DnFFnu4ZCD7kXEuCO
cWkORMQt3Av5Nyc7QWi5nhpG6P1d1a9CUGsag9xIGQjbsCaqg4k2X26Uy2M5DPb4
xfm2jwTvkSd/3fw4eB4hBiqnkWVtKUKUNqIgSa+9uG5fjRy0vdjNLMH2OdHuT5p3
DgyjGQ==
=K8qK
-----END PGP SIGNATURE-----