Bug 1599915

Summary: RFE: cert pinning
Product: [Fedora] Fedora Reporter: Kevin Fenzi <kevin>
Component: librepoAssignee: rpm-software-management
Status: NEW --- QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: rawhideCC: mblaha, tmlcoch
Target Milestone: ---Keywords: Triaged
Target Release: ---Flags: jmracek: needinfo? (kevin)
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Kevin Fenzi 2018-07-10 22:45:06 UTC
In https://pagure.io/fedora-infrastructure/issue/5372 we talk about cert pinning for atomic host content. 

Is this something that might be possible to implement here as well? 

basically we would hard code into the package information about all the cert(s) that fedoraproject.org would use so it could validate that there was no MITM or other issues happening.

Comment 1 Jaroslav Mracek 2023-08-23 06:35:05 UTC
For which purpose you would like to use these certificates? I am asking because I am not sure whether such an approach is optimal for dnf because availability of certificates after rpm install means that they are not available during the transaction for any verification.