bazeldnf icon indicating copy to clipboard operation
bazeldnf copied to clipboard

Published 20 hours ago verified publisher icon rmohr

Repo Certificate Authority field for private repos

Open stefanha opened this issue 1 year ago • 2 comments

Public repos pass certificate verification using the system's trusted root certificates. Private repos may require a Certificate Authority that is not in the system's trusted root certificates.

Although some users may be able to add CAs system-wide, it is easiest and cleanest to allow setting CAs on a per-repo basis. This way no change system-wide change is necessary in order to use private repos with custom CAs.

The repo.yaml syntax can be extended with a CA string field so users can provide the CA together with the repository information.

@andreabolognani

stefanha avatar Feb 27 '24 18:02 stefanha

If I understand this correctly, we would basically allow setting a CA field in repo.yaml, and then create a custom https client which will only talk to a repo serving a cert form there. Correct?

rmohr avatar Jul 11 '24 23:07 rmohr

Yes, the HTTPS client would use the repo.yaml's CA for certificate verification. I'm not sure whether the client should exclusively use the CA or the CA is used in addition to the system-wide trusted root certificates.

This way, a private repo that is available via HTTPS with an internal CA will work.

stefanha avatar Jul 12 '24 12:07 stefanha