How to verify authenticity of repo?

asked 2014-02-14 19:09:50 -0500

pagefault gravatar image

updated 2014-09-29 17:50:40 -0500

mether gravatar image

I recently started using Fedora and accidentally added an unauthenticated repo to my repolist. I didn't have the protectbase plugin at the time, so my kernel was unprotected. I removed the new repo, and I have no reason to think it was a bad repo, but after reading more about yum and repository updates, I'm now concerned about my repolist. Soon after this error, my kernel required updates. How can I verify the authenticity of the other repositories (e.g. the fedora kernel) in my repolist?

I found the list of gpg keys here: https://fedoraproject.org/keys , and I've compared the key fingerprints, but I can't determine if this has a 1-1 correspondence with my repolist. Is the gpgcheck sufficient to ensure that my repolist (and my current configuration) is not corrupted?

I searched online and found ways to check the iso before the install (which I had done), and rpms during the install process, but that doesn't help if yum installs altered the actual repo targets my repolist.

edit retag flag offensive close merge delete