The PGP is not offered over a secure URL (https). While some mirrors might have an https download, it isn't possible to validate whether those mirrors have a legitimate key or have been compromised.<br />
<br />
This in turn makes verifying the sha256sum.txt, sha1sum.txt and md5sum.txt files more difficult.<br />
<br />
While I did find the CentOS *5* FAQ URL with a PGP key and a CA-signed SSL certificate (<a href="https://wiki.centos.org/FAQ/CentOS5#head-3a83196c7a97a7990ca646cbd135fd67198fe812">https://wiki.centos.org/FAQ/CentOS5#head-3a83196c7a97a7990ca646cbd135fd67198fe812</a>), this says version 5, not 6. I also receive mixed content (secure and insecure) warning errors.<br />
<br />
A common (not CentOS-specific) URL/directory accessible via <a href="https://pks.centos.org">https://pks.centos.org</a> (or whatever) with content that can be accessed via a web client would be nice. I could then verify the sha256sum.txt.asc files on any mirror website after obtaining an official "centos.org" PGP public key.