[opensuse-factory] "Would you like to trust this key?"
Hi,
I still have a factory box sitting around -- because it is such fun. After
a "zypper update -t package" sysinfo:/ has it as "openSUSE 10.3.1 (i586)
Alpha0".
I just did "zypper install htop" and got this:
Aktualisiere '10.3 - Update Repository'
Möchten Sie diesem Schlüssel A84EDAE89C800ACA, SuSE Package Signing Key
On Monday 29 October 2007 14:44, Wolfgang Woehl wrote:
Hi,
...
I just did "zypper install htop" and got this:
Aktualisiere '10.3 - Update Repository'
Möchten Sie diesem Schlüssel A84EDAE89C800ACA, SuSE Package Signing Key
, Fingerabdruck 79C179B2E1C820C1890F9994A84EDAE89C800ACA vertrauen? [ja/nein]
Which is German for "Would you like to trust this key?" and then
"Fingerabdruck?" Finger-poke?
... Wolfgang
I wanted to take this name in high-school German class, but someone beat me to it. I ended up with Gerhard.

(That was a very long time ago, so you'll forgive my half-hearted attempt to translate "Fingerabdruck")

Randall Schulz
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-factory+help@opensuse.org
Monday, 29 October 2007, Randall R Schulz:
"Fingerabdruck?" Finger-poke?
Ja, like in http://forums.xkcd.com/viewtopic.php?f=14&t=6334 Poke around and you leave fingerprints.
Wolfgang
I wanted to take this name in high-school German class, but someone beat me to it. I ended up with Gerhard.
How unfortunate.
On Monday 29 October 2007 15:21, Wolfgang Woehl wrote:
...
Wolfgang
I wanted to take this name in high-school German class, but someone beat me to it. I ended up with Gerhard.
How unfortunate.
Now, now. My parents tell me they wanted to name me "Hans," (which, for some reason, they pronounce "hunce"—America has a way of corrupting our ancestors' languages...), but, thank god, there was already a Hans Schulz (probably Hans Schultz) in my little home town. ... Whew! I really dodged a bullet there!
Randall Schulz
Monday, 29 October 2007, Randall R Schulz:
On Monday 29 October 2007 15:21, Wolfgang Woehl wrote:
...
Wolfgang
I wanted to take this name in high-school German class, but someone beat me to it. I ended up with Gerhard.
How unfortunate.
Now, now.
Just teasing
My parents tell me they wanted to name me "Hans," (which, for some reason, they pronounce "hunce"—America has a way of corrupting our ancestors' languages...), but, thank god, there was already a Hans Schulz (probably Hans Schultz) in my little home town. ... Whew! I really dodged a bullet there!
So you were supposed to be called "Hans", missed "Wolfgang" and got "Randall"? Should I trust your public key if I came across it? :)
Wolfgang
Randall R Schulz wrote:
On Monday 29 October 2007 15:21, Wolfgang Woehl wrote:
...
Wolfgang
I wanted to take this name in high-school German class, but someone beat me to it. I ended up with Gerhard.
How unfortunate.
Now, now.
My parents tell me they wanted to name me "Hans," (which, for some reason, they pronounce "hunce"—America has a way of corrupting our ancestors' languages...), but, thank god, there was already a Hans Schulz (probably Hans Schultz) in my little home town. ... Whew! I really dodged a bullet there!
Randall Schulz
Frank Zappa was interviewed and he was asked: Aren't you afraid your children will get in trouble because of their names, Moon Unit and Dweezil? FZ answered: I don't think their first names will get them in trouble. But yes, they will probably get in trouble because of their last name.
--
Vahis
On Mon, Oct 29, 2007 at 10:44:56PM +0100, Wolfgang Woehl wrote:
Hi,
I still have a factory box sitting around -- because it is such fun. After a "zypper update -t package" sysinfo:/ has it as "openSUSE 10.3.1 (i586) Alpha0".
I just did "zypper install htop" and got this:
Aktualisiere '10.3 - Update Repository'
Möchten Sie diesem Schlüssel A84EDAE89C800ACA, SuSE Package Signing Key
, Fingerabdruck 79C179B2E1C820C1890F9994A84EDAE89C800ACA vertrauen? [ja/nein]
Which is German for "Would you like to trust this key?" and then
Schlüssel A84EDAE89C800ACA zu den vertrauenswürdigen Schlüsseln hinzufügen? [ja/nein]
Which means "Add key to trusted keys?"
Same thing with the repositories 'FACTORY - Mozilla' and 'FACTORY - KDE:Community'.
So the chain of trust here is built by a script just asking? What was the security in this again? Would someone care to enrich this a tad for the upcoming 11.0? Like a note on how and where to check a new key?
Irritated, but hey: "No risk no fun" is what all dead rockstars said. Wolfgang
The build@suse.de is on the actual 10.3 media and the above code should not ask for it. There were bugs in 10.3 Beta versions that still did though. The openSUSE buildservice key needs to be imported though, it can be found on the website of the buildservice. A good trust management for keys was requested for several releases now, but has not happened so far.
ciao, Marcus
Tuesday, 30 October 2007, Marcus Meissner:
A good trust management for keys was requested for several releases now, but has not happened so far.
Where can you even review which keys yast/zypper uses? Sure, a "good" trust management would be fine. But I fail to see *any* trust management to begin with.
Wolfgang
Wolfgang Woehl wrote:
Tuesday, 30 October 2007, Marcus Meissner:
A good trust management for keys was requested for several releases now, but has not happened so far.
Where can you even review which keys yast/zypper uses?
rpm -qi gpg-pubkey | less
(these are keys imported into the rpm db, but they'll usually match those used to sign the repos).

find /var/lib/zypp/ -name '*.key' | xargs -L 1 gpg
are the keys used by zypp.

hth,
Michal
Thursday, 1 November 2007, Michal Marek:
Wolfgang Woehl wrote:
Tuesday, 30 October 2007, Marcus Meissner:
A good trust management for keys was requested for several releases now, but has not happened so far.
Where can you even review which keys yast/zypper uses?
rpm -qi gpg-pubkey | less (these are keys imported into the rpm db, but they'll usually match those used to sign the repos).
find /var/lib/zypp/ -name '*.key' | xargs -L 1 gpg are the keys used by zypp.
Hi Michal,

So, please correct me if I'm wrong, in order to link, say, the packman key I have in rpmdb to some factual trust information like packman's website I have to

1. rpm -qi gpg-pubkey > rpmdb-signing_keys.txt (I don't see how you can fingerprint these with rpm so you need to ...)
2. gpg --import rpmdb-signing_keys.txt
3. gpg --fingerprint

in the console?

There is no way in yast to do this. Which leaves the majority of people with the non-choice of accepting a key they cannot check in order to install a package.

Why do I have the feeling that I must be missing something here? That this just cannot be?

Wolfgang
On Thu, Nov 01, 2007 at 04:47:46PM +0100, Wolfgang Woehl wrote:
Thursday, 1 November 2007, Michal Marek:
Wolfgang Woehl wrote:
Tuesday, 30 October 2007, Marcus Meissner:
A good trust management for keys was requested for several releases now, but has not happened so far.
Where can you even review which keys yast/zypper uses?
rpm -qi gpg-pubkey | less (these are keys imported into the rpm db, but they'll usually match those used to sign the repos).
find /var/lib/zypp/ -name '*.key' | xargs -L 1 gpg are the keys used by zypp.
Hi Michal, So, please correct me if I'm wrong, in order to link, say, the packman key I have in rpmdb to some factual trust information like packman's website I have to
1. rpm -qi gpg-pubkey > rpmdb-signing_keys.txt (I don't see how you can fingerprint these with rpm so you need to ...)
2. gpg --import rpmdb-signing_keys.txt
3. gpg --fingerprint
in the console?
There is no way in yast to do this. Which leaves the majority of people with the non-choice of accepting a key they cannot check in order to install a package.
Why do I have the feeling that I must be missing something here? That this just cannot be?
The feature of implementing a Trust / Key Management module in YAST is mandatory from the Security Team's PoV for openSUSE 11.0.
Ciao, Marcus
On Thursday 01 November 2007 11:38:22 am Michal Marek wrote:
rpm -qi gpg-pubkey | less (these are keys imported into the rpm db, but they'll usually match those used to sign the repos).
those are the trusted keys that are always seen as trusted
find /var/lib/zypp/ -name '*.key' | xargs -L 1 gpg are the keys used by zypp.
those are the known keys, can be untrusted
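
An added example, not part of any post in this thread: shell helpers for the check the thread asks about, comparing the full fingerprint shown in the zypper prompt with one obtained out of band (for instance from the signer's website) instead of relying on the 16-digit key ID. All function names are hypothetical, and the published fingerprint passed as the third argument is a value the reader has to fetch from a source they trust.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not zypper or rpm commands.

# Normalise a fingerprint as gpg prints it (grouped with spaces, any case):
# strip separators, upper-case, and require exactly 40 hex digits.
norm_fpr() {
    f=$(printf '%s' "$1" | tr -d ' :\t' | tr 'a-f' 'A-F')
    case "$f" in
        *[!0-9A-F]*|'') return 1 ;;
    esac
    [ "${#f}" -eq 40 ] || return 1
    printf '%s\n' "$f"
}

# The long key ID shown in the prompt is the last 16 hex digits of the fingerprint.
keyid_of() {
    f=$(norm_fpr "$1") || return 1
    printf '%s\n' "$f" | cut -c25-40
}

# rpm names an imported key gpg-pubkey-<last 8 hex digits, lower case>-<release>.
rpm_pubkey_version() {
    f=$(norm_fpr "$1") || return 1
    printf '%s\n' "$f" | cut -c33-40 | tr 'A-F' 'a-f'
}

# check_prompt KEYID PROMPT_FPR PUBLISHED_FPR
# returns 0 if the full fingerprints are identical, 1 if they differ,
# 2 if an input is malformed or KEYID does not belong to PROMPT_FPR.
check_prompt() {
    shown=$(norm_fpr "$2") || return 2
    published=$(norm_fpr "$3") || return 2
    id=$(printf '%s' "$1" | tr 'a-f' 'A-F')
    [ "$(keyid_of "$shown")" = "$id" ] || return 2
    [ "$shown" = "$published" ] || return 1
    return 0
}

# List the keys already in the rpm database (the "always trusted" set).
list_rpmdb_keys() {
    command -v rpm >/dev/null 2>&1 || return 127
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}
```

A key whose last 16 digits match but whose full fingerprint differs makes check_prompt return 1, which is the case a key-ID-only comparison would miss.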
participants (6)
- Duncan Mac-Vicar P.
- Marcus Meissner
- Michal Marek
- Randall R Schulz
- Vahis
- Wolfgang Woehl