Dear List, repository metadata and packages on OBS are OpenPGP signed. That is a good thing in general to prevent malicious packages getting installed in case of server compromisation or a man-in-the-middle attack. However, signatures are only as good as the signing key can be trusted. At the moment after adding a buildservice repository, YaST prompts to accept the corresponding key. How can I verify that this key is genuine? Just blindly accepting the presented key will make the entire use of OpenPGP signatures worthless. If an attacker manages to compromise the server or manages to be the man-in-the-middle, he can just easily put his own key on the server (and I don't have much choice but to accept it blindly). For instance, today the key of the KDE4 community repository appears to have changed. How can I verify that this change is genuine and not the result of an attack? I can think of two possible solutions for this issue: 1) Sign the OBS repository keys with a trusted master key. This master key could become trusted either by being included in the openSUSE distribution or by being offered from a seperate SSL-secured web server. The advantage would be that the user does not have to check fingerprints of repository keys after the master key has been successfully imported. The disadvantage would be that it wouldn't really work for user repositories on OBS, since the level of trustworthiness can't possibly be determined for each and every OBS user. 2) Set up a seperate SSL-secured web server, where key fingerprints are listed for verification purposes. After YaST prompts me to accept a new key, I would then go to this website and check if the key fingerprint matches. The advantage would be that it would be quite easy to implement and that the user can decide which teams/persons he wants to trust. The disadvantage would be that most users would still just blindly import the keys, because they are lazy. :) Personally I prefer 2) for reasons of simplicity and flexibility. Both approaches could also be fit for managing the genuiness of not just repository keys (as outlined above) but also package signing keys (with the exception that package signing keys need to be provided first, since they are not available in the repositories themselves). What I fail to understand: Is package signing only useful when installing packages by hand? Because the repository metadata contains checksums for every package (and these checksums are hopefully checked during software installation), so trusted repository metadata should be enough to prevent the installation of malicious packages. If I am right, the possibility to verify package signing keys would be a nice service for people installing packages by hand, but not necessary for people installing packages from repositories. Regards, Stefan -- OpenPGP encrypted mail strongly preferred (key ID: 952559A9) Homepage: http://www.stefan-tittel.de