I would like to know more about the risks of not verifying the GPG key.
Now I can't install Chrome from yum on Amazon Linux 2.
yum install -y google-chrome-stable
GPG key verification fails.
Failing package is: google-chrome-stable-114.0.5735.90-1.x86_64
GPG Keys are configured as: https://dl-ssl.google.com/linux/linux_signing_key.pub
I checked and found that the latest version of Chrome is signed with a subkey of the GPG key, and I've gotten to the point where I can't verify it with the old package management system.
Nothing has been announced officially by Google, and I can't find any plans to fix it.
So here's the question.
I know that you can install it by downloading the Chrome RPM directly or by setting yum's gpgcheck to 0.
Are there any possible security risks in this case? The risks I thought of were:
- Even if the Chrome package is tampered with on the site hosting the Chrome RPM, you won't notice.
- If there is DNS poisoning, it downloads a fake Chrome from a fake site.
Please let me know if any of the above is incorrect or if there are other risks.
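An added example, not part of the question above and not Google's or yum's own tooling: a POSIX shell script that keeps signature verification on when installing a directly downloaded RPM, rather than flipping gpgcheck to 0. Only the key URL is taken from the question; the `rpm -K` output formats matched, the curl flags, and the `%{RSAHEADER:pgpsig}` query tag are assumptions written from memory. One caveat on the two risks listed: gpgcheck covers the first (a tampered file on the hosting site), while HTTPS with certificate validation covers the second (DNS poisoning pointing at a fake site), so the script keeps both controls.

```shell
#!/bin/sh
# Added example (not from the original post). Gates a directly downloaded
# Chrome RPM on a verified OpenPGP signature instead of setting gpgcheck=0.
# Assumptions: `curl` and `rpm` are on PATH; the `rpm -K` output formats
# matched in sig_verdict are those of rpm 4.11 and rpm 4.14+, reproduced
# from memory, not from the post.
set -e

# The key URL is the one quoted in the post; everything else is illustrative.
CHROME_KEY_URL="https://dl-ssl.google.com/linux/linux_signing_key.pub"

# Fetch the signing key over HTTPS only, certificate validation left on.
# This is the control for the "DNS poisoning -> fake site" case: a poisoned
# answer still cannot present a valid certificate for dl-ssl.google.com.
import_signing_key() {
  tmp=$(mktemp)
  curl --proto '=https' --tlsv1.2 -fsSL -o "$tmp" "$CHROME_KEY_URL"
  rpm --import "$tmp"
  rm -f "$tmp"
}

# Classify one line of `rpm -K` (alias of `rpm --checksig`) output.
# Prints exactly one of: signed | unsigned | bad | unknown.
#   rpm 4.14+:  "pkg.rpm: digests signatures OK"        -> signed
#               "pkg.rpm: digests OK"                    -> unsigned (hashes only)
#               "pkg.rpm: digests SIGNATURES NOT OK"     -> bad
#   rpm 4.11:   "pkg.rpm: rsa sha1 (md5) pgp md5 OK"    -> signed
#               "pkg.rpm: sha1 md5 OK"                   -> unsigned
#               "... NOT OK (MISSING KEYS: ...)"          -> bad
# "unsigned" is the case gpgcheck=0 hides: intact digests only prove the file
# is self-consistent, which a tampered file trivially is.
sig_verdict() {
  case "$1" in
    *"NOT OK"*)                         echo bad ;;
    *"signatures OK"*|*" pgp "*" OK"*)  echo signed ;;
    *"digests OK"*|*"sha1 md5 OK"*)     echo unsigned ;;
    *)                                  echo unknown ;;
  esac
}

# Show which key (or subkey) signed the package header. The post notes that
# Chrome is now signed with a subkey; the key ID printed here is the one that
# must be known under the imported key for verification to succeed.
show_signer() {
  rpm -qp --qf '%{RSAHEADER:pgpsig}\n' "$1"
}

# Verify first, install only on a verified signature.
verify_and_install() {
  pkg="$1"
  verdict=$(sig_verdict "$(rpm -K "$pkg")")
  if [ "$verdict" != signed ]; then
    echo "refusing to install $pkg: signature check result is '$verdict'" >&2
    show_signer "$pkg" >&2 || true
    return 1
  fi
  yum install -y "$pkg"
}

# Usage: sh verify_chrome_rpm.sh google-chrome-stable_current_x86_64.rpm
if [ -n "${1:-}" ]; then
  import_signing_key
  verify_and_install "$1"
fi
```

The parsing step is deliberately strict: a line that only reports digests as OK is treated as unsigned and refused, because that is exactly the state an attacker who replaces the RPM on the hosting site would produce.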