The following bug has been logged on the website:
Bug reference: 16406
Logged by: Dan Ell
Email address: dll@sonic.net
PostgreSQL version: 11.0
Operating system: centos7
Description:
I’m looking for their public key from an authoritative source, and I can’t
find it.
I’m doing due diligence while updating postgresql client software on
centos7, and the signers of the package are listed as “PostgreSQL RPM
Building Project pgsqlrpms-hackers@pgfoundry.org”, so I check around for
them. I find lots of credible references to them, in the right places,
including this page at postgresql.org:
https://yum.postgresql.org/packages.php, and even fossil pages that
accidentally contain the fingerprint of their public key.
... but when I hit pgfoundry.org it’s all pictures of hardbodies and gym
equipment.
I've seen the FAQ about pgfoundry:
https://wiki.postgresql.org/wiki/Pgfoundry,
and it seems that the transition is very recent, so it makes sense that they
built the package.
Here's the question that prompted this report, during a yum install:
Importing GPG key 0x442DF0F8:
Userid : "PostgreSQL RPM Building Project <pgsqlrpms-hackers@pgfoundry.org>"
Fingerprint: 68c9 e2b9 1a37 d136 fe74 d176 1f16 d2e1 442d f0f8
Package : pgdg-redhat-repo-42.0-9.noarch (@/pgdg-redhat-repo-latest.noarch)
From : /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG
Is this ok [y/N]:
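
The check this question comes down to, as an added example (not part of the original report and not PostgreSQL project tooling): it pulls the fingerprint and key ID out of the yum prompt quoted above and compares the full fingerprint with one supplied from an independent source. The function names and the script name check.sh are assumptions.

```shell
#!/bin/sh
# Added example; function names are hypothetical.
# SAMPLE_PROMPT is the yum prompt quoted in the report (wrapped lines rejoined).
SAMPLE_PROMPT='Importing GPG key 0x442DF0F8:
 Userid     : "PostgreSQL RPM Building Project <pgsqlrpms-hackers@pgfoundry.org>"
 Fingerprint: 68c9 e2b9 1a37 d136 fe74 d176 1f16 d2e1 442d f0f8
 Package    : pgdg-redhat-repo-42.0-9.noarch (@/pgdg-redhat-repo-latest.noarch)
 From       : /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG'

# Drop separators and a leading 0x, then upper-case, so "68c9 e2b9 ..." and
# "68C9E2B9..." compare equal.
fpr_normalize() {
    printf '%s' "$1" | tr -d ' :\t\r\n' | sed 's/^0[xX]//' | tr 'a-f' 'A-F'
}

# Read a yum key-import prompt on stdin; print its fingerprint / key ID.
prompt_fingerprint() {
    fpr_normalize "$(sed -n 's/^[[:space:]]*Fingerprint[[:space:]]*:[[:space:]]*//p' | head -n 1)"
}
prompt_keyid() {
    fpr_normalize "$(sed -n 's/^Importing GPG key \(0x[0-9A-Fa-f]*\):.*/\1/p' | head -n 1)"
}

# True only when both values are the same full 40-hex-digit fingerprint.
# $1 = value from the prompt, $2 = value obtained over an independent channel.
fpr_matches() {
    a=$(fpr_normalize "$1"); b=$(fpr_normalize "$2")
    case $a in ''|*[!0-9A-F]*) return 1 ;; esac
    [ "${#a}" -eq 40 ] && [ "$a" = "$b" ]
}

# The key ID in the prompt is just the last 8 hex digits of the fingerprint:
# a consistency check on the prompt, not evidence of who owns the key.
keyid_is_suffix() {
    id=$(fpr_normalize "$1"); f=$(fpr_normalize "$2")
    [ "${#id}" -eq 8 ] || return 1
    case $f in *"$id") return 0 ;; *) return 1 ;; esac
}

# Usage: sh check.sh "<fingerprint from a source you trust>"
shown=$(printf '%s\n' "$SAMPLE_PROMPT" | prompt_fingerprint)
if [ -n "${1:-}" ]; then
    if fpr_matches "$shown" "$1"; then echo "MATCH $shown"; else echo "MISMATCH $shown"; fi
fi
```

A fingerprint computed from /etc/pki/rpm-gpg/RPM-GPG-KEY-PGDG itself only confirms which key that file holds, because the prompt shows the file arriving in the same pgdg-redhat-repo package that configures the repository.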