Hi,

having the (public) signing key on the same media as signed data doesn't add much security, but I'm sure you know. As a poor man's compromise, you could add a md5sum file for every directory, and clear-sign that. That way people could check the MD5 sums the simple way, and if they want to be sure, they can check the signature of the md5sum file(s). I'm using that method for some projects...

Regards,
Ulrich

On 4 Apr 2006 at 13:56, Marcus Meissner wrote:

> On Tue, Apr 04, 2006 at 10:47:46AM +0200, houghi wrote:
> > On Tue, Apr 04, 2006 at 08:58:12AM +0200, Andreas Jaeger wrote:
> > > "Michael DePaulo" writes:
> > > > Hey all,
> > > >
> > > > First of all, it looks like the non-OSS software repository for opensuse beta9 isn't set up right.
> > > > ftp://ftp.suse.com/pub/suse/install/10.1/SUSE-Linux10.1-Beta9-Extra/
> > >
> > > It looks more like a bug in YaST, please create a bug report against YaST with log files attached,
> >
> > Could this be related to the checking with the content.key? If yes, how is the content.key calculated? On what is it based? (Perhaps people killfiled the makeSUSEdvd thread, so I ask here again)
> >
> > Could we get any info on this security thing, or is it security through obscurity?
>
> This security thing is very new, that's why not much of it is documented yet.
>
> - The content.key is a GPG public key, ascii armor protected.
> - With this key, the content file is signed. The content file contains references to the metadata of CD, including more keys.
> - YUM repodata also must be signed with one of those public keys to be accepted.
>
> In the next beta/rc there will be key dialogs shown that allow accepting, importing keys and similar.
>
> Ciao, Marcus
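
As an added example (not part of the original e-mail and not code from any project mentioned in it), here is the per-directory check described above, run against a clear-signed md5sum file. It uses only lines inside the signed text, because anything placed before the armor header or after the signature block is not covered by the signature. It assumes the signature itself has already been verified with `gpg --verify`; the function names, file names and sample data are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

BEGIN_MSG = "-----BEGIN PGP SIGNED MESSAGE-----"
BEGIN_SIG, END_SIG = "-----BEGIN PGP SIGNATURE-----", "-----END PGP SIGNATURE-----"

def split_clearsigned(text):
    """Split a clear-signed file (RFC 4880, section 7) into (signed, unsigned) lines."""
    signed, unsigned, state = [], [], "outside"
    for line in text.splitlines():
        if state == "outside" and line == BEGIN_MSG:
            state = "headers"                  # armor headers such as "Hash: SHA1"
        elif state == "outside" and line.strip():
            unsigned.append(line)              # text the signature does not cover
        elif state == "headers" and line == "":
            state = "body"
        elif state == "body" and line == BEGIN_SIG:
            state = "signature"
        elif state == "body":                  # undo dash-escaping ("- -x" -> "-x")
            signed.append(line[2:] if line.startswith("- ") else line)
        elif state == "signature" and line == END_SIG:
            state = "outside"
    return signed, unsigned

def check_directory(directory, clearsigned_text):
    """Check files against the signed sums only; return {name: status}."""
    signed, unsigned = split_clearsigned(clearsigned_text)
    result = {line: "UNSIGNED LINE IGNORED" for line in unsigned}
    for line in signed:
        digest, _, name = line.partition("  ")  # md5sum text-mode format: "<hex>  <name>"
        if len(digest) != 32 or not name or name != Path(name).name:
            continue                            # not a sum line, or name leaves the directory
        path = Path(directory, name)
        if not path.is_file():
            result[name] = "MISSING"
            continue
        ok = hashlib.md5(path.read_bytes()).hexdigest() == digest.lower()
        result[name] = "OK" if ok else "FAILED"
    return result

def demo():  # constructed sample: good file, altered file, line added after the signature
    d = tempfile.mkdtemp()
    Path(d, "a.rpm").write_bytes(b"alpha")
    Path(d, "b.rpm").write_bytes(b"altered")
    md5 = lambda data: hashlib.md5(data).hexdigest()
    text = "\n".join([BEGIN_MSG, "Hash: SHA1", "", md5(b"alpha") + "  a.rpm",
                      md5(b"beta") + "  b.rpm", BEGIN_SIG, "(constructed placeholder)",
                      END_SIG, md5(b"other") + "  c.rpm"])
    return check_directory(d, text)
```
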