Re: public keys - Mailing list pgsql-pkg-yum

I don't know what you mean by a "cold" install.

The keys are packaged in the repo-rpms.

$ rpm -ql pgdg-fedora-repo
/etc/pki/rpm-gpg
/etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
/etc/yum.repos.d/pgdg-fedora-all.repo

They're also available from the repository itself:

The key you want is:

$ gpg --fingerprint 1F16D2E1442DF0F8
pub   dsa1024 2008-01-08 [SCA]
      68C9 E2B9 1A37 D136 FE74  D176 1F16 D2E1 442D F0F8
uid           [ unknown] PostgreSQL RPM Building Project <pgsqlrpms-hackers@pgfoundry.org>
sub   elg2048 2008-01-08 [E]

It should probably be published prominently on yum.postgresql.org by key-id and fingerprint, so it can be verified somewhat independently of the actual download repos, but AFAICS ( https://www.google.com/search?q=site%3Ayum.postgresql.org+1F16D2E1442DF0F8 ) it is not.

so consider filing an issue for that:

I also note that nobody's signed the key to attest its validity on the keyservers. That's not necessarily required for rpms, but might be a good idea. When I get a chance to verify it with Devrim via a side channel I'll sign it and push my signature.