From Robert.Rose@qbeyond.de Wed Jun 30 11:06:57 2021
From: "Rose, Robert"
To: buildservice@lists.opensuse.org
Subject: SSL Fingerprint Mismatch when using DoD Repositories
Date: Wed, 30 Jun 2021 11:06:40 +0000

Hi all,

Can anybody explain to me how the SSL fingerprint check for DoD repositories works and why it is strongly recommended for security reasons in https://openbuildservice.org/help/manuals/obs-user-guide/cha.obs.concepts.html#id-1.5.10.3.6.6?

We use DoD repositories to pin a Tumbleweed snapshot we are working on in our private OBS instance. Each repository has the respective Tumbleweed snapshot at https://download.opensuse.org/history/ together with the SSL fingerprint of download.opensuse.org specified in its master subelement. However, since last week OBS refuses to download new DoD RPMs due to a fingerprint mismatch. dodup.log says:

    https://download.opensuse.org/history/20210622/tumbleweed/repo/oss/repodata/44346e5394dbd93f9071bfba407c8d5e61766999c4bab37b943d892371f65430-primary.xml.gz: peer fingerprint does not match: 82bac52cf77a1ec92d2184ebb574a97ba28ba98b7b63c3c67656a16ff708fca5 != 286869be29119fd068f94c0b1cd318068568c0b7f3036b303f5d102e512be80f

Please notice that 82ba...fca5 is the (current!) fingerprint of download.opensuse.org and 2868...e80f is from ftp.gwdg.de/, which makes kind of perfect sense, as a curl on https://download.opensuse.org/history/20210622/tumbleweed/repo/oss/repodata/44346e5394dbd93f9071bfba407c8d5e61766999c4bab37b943d892371f65430-primary.xml.gz on our download server gives the following response:

    ~> curl https://download.opensuse.org/history/20210622/tumbleweed/repo/oss/repodata/44346e5394dbd93f9071bfba407c8d5e61766999c4bab37b943d892371f65430-primary.xml.gz
    <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
    <html><head>
    <title>302 Found</title>
    </head><body>
    <h1>Found</h1>
    <p>The document has moved <a href="https://ftp.gwdg.de/pub/opensuse/history/20210622/tumbleweed/repo/oss/repodata/44346e5394dbd93f9071bfba407c8d5e61766999c4bab37b943d892371f65430-primary.xml.gz">here</a>.</p>
    <hr>
    <address>Apache/2.4.43 (Linux/SUSE) Server at download.opensuse.org Port 443</address>
    </body></html>

Now to my questions: Is OBS expected to check the fingerprint of documents that can be redirected? I would have expected it to check only the fingerprint of the repomd.xml file in the respective repository. On other servers I get other redirects (e.g. http://ftp.halifax.rwth-aachen.de). Anyway, I fail to see the sense of an SSL fingerprint check when resources can redirect to other domains. Am I missing an important point here? Wouldn't it be sufficient to rely on the GPG signature of the RPMs? I am considering removing the master subelement completely.

This issue does not have its origin in a rotated Let's Encrypt certificate; we already take that into account. However, a new certificate could be issued in the upcoming days, so please do not look too closely at the specific fingerprints mentioned in this post but at the general questions about fingerprint checks in DoD repositories.

Any help is greatly appreciated.

Regards,
Robert

Appendix: Exemplary DoD configuration in our OBS

    <repository name="next">
      <download arch="x86_64" url="https://download.opensuse.org/history/20210623/tumbleweed/repo/oss/" repotype="rpmmd">
        <master url="https://download.opensuse.org/history/20210623/tumbleweed/repo/oss/" sslfingerprint="sha256:82bac52cf77a1ec92d2184ebb574a97ba28ba98b7b63c3c67656a16ff708fca5"/>
        <archfilter>x86_64</archfilter>
        <pubkey>
    -----BEGIN PGP PUBLIC KEY BLOCK-----
    Version: GnuPG v2.0.15 (GNU/Linux)

    mQENBEkUTD8BCADWLy5d5IpJedHQQSXkC1VK/oAZlJEeBVpSZjMCn8LiHaI9Wq3G
    3Vp6wvsP1b3kssJGzVFNctdXt5tjvOLxvrEfRJuGfqHTKILByqLzkeyWawbFNfSQ
    93/8OunfSTXC1Sx3hgsNXQuOrNVKrDAQUqT620/jj94xNIg09bLSxsjN6EeTvyiO
    mtE9H1J03o9tY6meNL/gcQhxBvwuo205np0JojYBP0pOfN8l9hnIOLkA0yu4ZXig
    oKOVmf4iTjX4NImIWldT+UaWTO18NWcCrujtgHueytwYLBNV5N0oJIP2VYuLZfSD
    VYuPllv7c6O2UEOXJsdbQaVuzU1HLocDyipnABEBAAG0NG9wZW5TVVNFIFByb2pl
    Y3QgU2lnbmluZyBLZXkgPG9wZW5zdXNlQG9wZW5zdXNlLm9yZz6JATwEEwECACYC
    GwMGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAUCU2dN1AUJHR8ElQAKCRC4iy/UPb3C
    hGQrB/9teCZ3Nt8vHE0SC5NmYMAE1Spcjkzx6M4r4C70AVTMEQh/8BvgmwkKP/qI
    CWo2vC1hMXRgLg/TnTtFDq7kW+mHsCXmf5OLh2qOWCKi55Vitlf6bmH7n+h34Sha
    Ei8gAObSpZSF8BzPGl6v0QmEaGKM3O1oUbbB3Z8i6w21CTg7dbU5vGR8Yhi9rNtr
    hqrPS+q2yftjNbsODagaOUb85ESfQGx/LqoMePD+7MqGpAXjKMZqsEDP0TbxTwSk
    4UKnF4zFCYHPLK3y/hSH5SEJwwPY11l6JGdC1Ue8Zzaj7f//axUs/hTC0UZaEE+a
    5v4gbqOcigKaFs9Lc3Bj8b/lE10Y
    =i2TA
    -----END PGP PUBLIC KEY BLOCK-----
        </pubkey>
      </download>
      <arch>x86_64</arch>
    </repository>

--
Robert Rose
Embedded System Engineer
Edge Device Competence Center
From andrii.nikitin@suse.com Wed Jun 30 17:00:11 2021
From: Andrii Nikitin
To: buildservice@lists.opensuse.org
Subject: Re: SSL Fingerprint Mismatch when using DoD Repositories
Date: Wed, 30 Jun 2021 17:00:00 +0000

Hi Robert,

(I am not a big OBS expert (and especially not of the DoD part of OBS, which I heard of for the first time today), so I hope somebody will provide a stricter answer.)

I think your concern is valid, and it is something which may be improved inside OBS, because e.g. zypper and other utilities are fine with being redirected to mirrors without compromising security.

But if you need assistance with the error itself, a solution may be to use a particular mirror in your country (instead of download.opensuse.org), or https://downloadcontent.opensuse.org (which will not redirect to mirrors).


From adrian@suse.de Thu Jul 1 06:05:46 2021
From: Adrian Schröter
To: buildservice@lists.opensuse.org
Subject: Re: SSL Fingerprint Mismatch when using DoD Repositories
Date: Thu, 01 Jul 2021 08:05:38 +0200

On Wednesday, 30 June 2021, 19:00:00 CEST Andrii Nikitin wrote:
> Hi Robert,
>
> (I am not a big OBS expert (and especially not of the DoD part of OBS, which I heard of for the first time today), so I hope somebody will provide a stricter answer.)
>
> I think your concern is valid, and it is something which may be improved inside OBS, because e.g. zypper and other utilities are fine with being redirected to mirrors without compromising security.
>
> But if you need assistance with the error itself, a solution may be to use a particular mirror in your country (instead of download.opensuse.org), or https://downloadcontent.opensuse.org (which will not redirect to mirrors).

zypper and friends validate repositories and packages using GPG. The GPG key is owned only by the provider of a package, while SSL certificates are created by third-party authorities.

Also, in case of a redirect, each mirror would have control over the content, which cannot be verified.

Therefore it is recommended to pin the SSL certificate to the single owner you trust for your repository metadata (the packages can come from a mirror and can be verified via the metadata).

--
Adrian Schroeter
Build Infrastructure Project Manager
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
(HRB 247165, AG München), Geschäftsführer: Felix Imendörffer
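The trust split Adrian describes, and the failure Robert saw in dodup.log, as an added example that is not part of this thread and is not OBS code. It models a DoD-style sync with a dict standing in for the network: repository metadata (repomd.xml and the primary file it lists) is fetched from the master URL with the certificate pinned, while package payloads are fetched without a pin, may be redirected to any mirror, and are accepted only if they match the SHA-256 recorded in the pinned metadata. Everything named here is an assumption for the illustration: the hosts download.example.org, mirror.example.net and evil.example.com, the "certificates" (arbitrary bytes hashed with SHA-256 the way a DER certificate would be for an sslfingerprint="sha256:..." value), the file contents, and the way fetch() applies the pin to whichever host finally answers after a redirect, which is modelled from the log line in the thread rather than taken from the OBS source. primary.xml is left uncompressed and the GPG check of repomd.xml.asc against the DoD <pubkey> is omitted; only the hash chain is shown.

```python
# Added example, not code from the thread or from OBS: an in-memory model of the
# trust split Adrian describes. Hosts, certificates, URLs and contents are made up.
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "http://linux.duke.edu/metadata/repo"      # repomd.xml namespace
COMMON_NS = "http://linux.duke.edu/metadata/common"  # primary.xml namespace

def cert_fingerprint(der):
    """An sslfingerprint="sha256:..." value is SHA-256 over the DER certificate."""
    return "sha256:" + hashlib.sha256(der).hexdigest()

CERTS = {  # constructed: arbitrary bytes standing in for DER encodings
    "download.example.org": b"DER of the master host certificate",
    "mirror.example.net": b"DER of an honest mirror certificate",
    "evil.example.com": b"DER of a hostile mirror certificate",
}
MASTER = "https://download.example.org/repo/oss/"
EVIL = "https://evil.example.com/"
MASTER_PIN = cert_fingerprint(CERTS["download.example.org"])

PKG_HREF = "x86_64/foo-1.0-1.x86_64.rpm"
PKG_GOOD = b"\xed\xab\xee\xdb" + b"constructed rpm payload"
PKG_BAD = b"\xed\xab\xee\xdb" + b"constructed trojaned payload"
PKG_SHA = hashlib.sha256(PKG_GOOD).hexdigest()

# Simplified rpm-md: primary.xml uncompressed, and the real repomd.xml.asc GPG
# check against the DoD <pubkey> is left out; only the hash chain is modelled.
PRIMARY_XML = f"""<metadata xmlns="{COMMON_NS}" packages="1">
  <package type="rpm"><name>foo</name>
    <checksum type="sha256" pkgid="YES">{PKG_SHA}</checksum>
    <location href="{PKG_HREF}"/>
  </package>
</metadata>""".encode()
PRIMARY_SHA = hashlib.sha256(PRIMARY_XML).hexdigest()
PRIMARY_HREF = f"repodata/{PRIMARY_SHA}-primary.xml"
REPOMD_XML = f"""<repomd xmlns="{REPO_NS}">
  <data type="primary">
    <checksum type="sha256">{PRIMARY_SHA}</checksum>
    <location href="{PRIMARY_HREF}"/>
  </data>
</repomd>""".encode()

# Simulated network: url -> ("redirect", location) or ("body", serving_host, bytes)
NETWORK = {
    MASTER + "repodata/repomd.xml": ("body", "download.example.org", REPOMD_XML),
    MASTER + PRIMARY_HREF: ("body", "download.example.org", PRIMARY_XML),
    MASTER + PKG_HREF: ("redirect", "https://mirror.example.net/pub/" + PKG_HREF),
    "https://mirror.example.net/pub/" + PKG_HREF: ("body", "mirror.example.net", PKG_GOOD),
    EVIL + PKG_HREF: ("body", "evil.example.com", PKG_BAD),
}

class FingerprintMismatch(Exception):
    pass

class ChecksumMismatch(Exception):
    pass

def fetch(url, pin=None, max_hops=5):
    """Simulated HTTPS GET following redirects. With a pin, whichever host finally
    answers (redirect targets included) must present the pinned certificate."""
    for _ in range(max_hops):
        entry = NETWORK[url]
        if entry[0] == "redirect":
            url = entry[1]
            continue
        _, host, body = entry
        seen = cert_fingerprint(CERTS[host])
        if pin is not None and seen != pin:
            raise FingerprintMismatch(f"{url}: peer fingerprint does not match: {seen} != {pin}")
        return body
    raise RuntimeError("too many redirects")

def fetch_verified(url, want_sha256, pin=None):
    """Fetch (pinned or not) and accept only content matching the expected hash."""
    blob = fetch(url, pin=pin)
    if hashlib.sha256(blob).hexdigest() != want_sha256:
        raise ChecksumMismatch(url)
    return blob

def sync_repo(master, pin):
    """Metadata pinned to the master; packages unpinned via mirrors, hash-chained."""
    r, c = f"{{{REPO_NS}}}", f"{{{COMMON_NS}}}"
    repomd = ET.fromstring(fetch(master + "repodata/repomd.xml", pin=pin))
    data = repomd.find(f"{r}data[@type='primary']")
    primary = fetch_verified(master + data.find(f"{r}location").get("href"),
                             data.find(f"{r}checksum").text, pin=pin)
    packages = {}
    for pkg in ET.fromstring(primary).iter(f"{c}package"):
        href = pkg.find(f"{c}location").get("href")
        packages[href] = fetch_verified(master + href, pkg.find(f"{c}checksum").text)
    return packages

def rejected(call, exc):  # True if call() raises exc; shows the failure modes
    try:
        call()
    except exc:
        return True
    return False
```

`sync_repo(MASTER, MASTER_PIN)` succeeds and returns the one package, fetched through the redirect to the mirror and accepted because its hash matches the pinned metadata. `rejected(lambda: fetch(MASTER + PKG_HREF, pin=MASTER_PIN), FingerprintMismatch)` is True: applying the master pin to a package URL that redirects fails exactly the way the dodup.log line does, because the mirror presents its own certificate. `rejected(lambda: fetch_verified(EVIL + PKG_HREF, PKG_SHA), ChecksumMismatch)` is also True: a mirror that substitutes content is caught by the checksum even though its certificate was never checked, which is the sense in which the pin only needs to cover the metadata.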