[opensuse-factory] how to sign a dud?
Hello, I provide a driver update for EFIKA PPC users. Recently a new feature was introduced to the installer, which now checks for an .asc file for the dud. How can I create one? Using 'insecure=1' is a bit annoying workaround, just as getting questioned about it during installation... The file I'd like to sign is http://genesi.hu/dud.11.1.squash Bye, CzP -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org
On Monday 15 December 2008 10:01:04, Peter Czanik wrote:
> I provide a driver update for EFIKA PPC users. Recently a new feature was introduced to the installer, which now checks for an .asc file for the dud. How can I create one? Using 'insecure=1' is a bit annoying workaround, just as getting questioned about it during installation... The file I'd like to sign is http://genesi.hu/dud.11.1.squash
I think this is what you need: http://en.opensuse.org/Secure_Installation_Sources .. could be wrong :-)
Hello,
Martin Schlander wrote:
> > I provide a driver update for EFIKA PPC users. Recently a new feature was introduced to the installer, which now checks for an .asc file for the dud. How can I create one? Using 'insecure=1' is a bit annoying workaround, just as getting questioned about it during installation... The file I'd like to sign is http://genesi.hu/dud.11.1.squash
> I think this is what you need: http://en.opensuse.org/Secure_Installation_Sources
Does it mean, that if I want to sign my DUD, then I also need to provide a modified initrd?
Bye, CzP
On Tuesday 16 December 2008 14:49:49, Peter Czanik wrote:
> Martin Schlander wrote:
> > > I provide a driver update for EFIKA PPC users. Recently a new feature was introduced to the installer, which now checks for an .asc file for the dud. How can I create one? Using 'insecure=1' is a bit annoying workaround, just as getting questioned about it during installation... The file I'd like to sign is http://genesi.hu/dud.11.1.squash
> > I think this is what you need: http://en.opensuse.org/Secure_Installation_Sources
> Does it mean, that if I want to sign my DUD, then I also need to provide a modified initrd?
In all honesty I don't know what I'm talking about here - I just assumed you used a repomd/yum repository for your thingy, and all you needed to do was gpg-sign the repomd.xml and include your public key. http://en.opensuse.org/Secure_Installation_Sources#The_.22repomd.22_or_.22YU... Of course this means the users would have to trust and import the key. Maybe I completely misunderstood what's going on.
Hello,
Martin Schlander wrote:
> In all honesty I don't know what I'm talking about here - I just assumed you used a repomd/yum repository for your thingy, and all you needed to do was gpg-sign the repomd.xml and include your public key.
A driver update is not a repository, but a single squashfs file containing some fixes for the installer. In my case a firmware fix provided as a forth file and running mkzimage to create a bootable kernel image at the end of installation. Earlier SuSE releases did not check for a signature, it was added quite late in the 11.1 development cycle.
Bye, CzP
On Tue, 16 Dec 2008, Peter Czanik wrote:
> Martin Schlander wrote:
> > > I provide a driver update for EFIKA PPC users. Recently a new feature was introduced to the installer, which now checks for an .asc file for the dud. How can I create one? Using 'insecure=1' is a bit annoying workaround, just as getting questioned about it during installation... The file I'd like to sign is http://genesi.hu/dud.11.1.squash
> > I think this is what you need: http://en.opensuse.org/Secure_Installation_Sources
> Does it mean, that if I want to sign my DUD, then I also need to provide a modified initrd?
Basically, yes. You have to add your key to '/installkey.gpg' in the initrd. It was a requirement from our security guys that all files need to be checked (bug 435685). As a consequence either your key is known in the initrd or you explicitly turn off checking with 'insecure=1'.
Steffen
--
The early innkeeper gets the worm.
Steffen Winterfeldt wrote:
> Basically, yes. You have to add your key to '/installkey.gpg' in the initrd. It was a requirement from our security guys that all files need to be checked (bug 435685). As a consequence either your key is known in the initrd or you explicitly turn off checking with 'insecure=1'.
You are not authorized to access bug #435685.
Bye, CzP
On Wed, 7 Jan 2009, Peter Czanik wrote:
> Steffen Winterfeldt wrote:
> > Basically, yes. You have to add your key to '/installkey.gpg' in the initrd. It was a requirement from our security guys that all files need to be checked (bug 435685). As a consequence either your key is known in the initrd or you explicitly turn off checking with 'insecure=1'.
> You are not authorized to access bug #435685.
That's not true. Just tried bugzilla without login and I can read the bug.
Steffen
On Wed, Jan 7, 2009 at 10:32 AM, Steffen Winterfeldt
> On Wed, 7 Jan 2009, Peter Czanik wrote:
> > Steffen Winterfeldt wrote:
> > > Basically, yes. You have to add your key to '/installkey.gpg' in the initrd. It was a requirement from our security guys that all files need to be checked (bug 435685). As a consequence either your key is known in the initrd or you explicitly turn off checking with 'insecure=1'.
> > You are not authorized to access bug #435685.
> That's not true. Just tried bugzilla without login and I can read the bug.
I saw it here. It's not very interesting or informative :D
I'm not too keen on putting extra things in the initrd - since we use
a rpm-md package format here internally I wondered if I could just put
driverupdate in that repository somehow and then fix control.xml to
look at our custom repository (just new kernels + tools).
I have a few qualms;
1) in the instructions (Secure Installation Sources) the example
script uses a $keyid variable. Where on earth do I get that keyid
variable? I'm not that familiar with the ins and outs of gpg.
2) createrepo -v does not even look at my driverupdate file in the
root and complains that it is not a package. None of the
inst-source-utils manage to do anything with it either. What is the
CORRECT way to build a rpm-md repository with
a) packages built by us, for our own internal use and for user use
b) a driverupdate that will hopefully be checked by the automated
installation process (i.e. named driverupdate and in a special place
on the repo)?
How does for instance the SuSE updates repository get built, at least
what can you tell us about it that wouldn't compromise some kind of
security policy? :D
I have a bunch of questions about kernels too but it should be for the
openSUSE-kernel mailing list, which I seem to have been magically
unsubscribed from or at least never received a mail after the first
day..? :(
--
Matt Sealey
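
An added example, not code from any poster or from the installer: it shows where a gpg key id comes from, how the detached `.asc` for a DUD is produced, and why verification only succeeds when the signer's public key is in the keyring being checked. The key name, file names and the `known.gpg` keyring (a stand-in for `/installkey.gpg`) are constructed, and using `gpgv` to model the installer's check is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Key name, file names and both keyrings
# are constructed stand-ins; known.gpg plays the role of /installkey.gpg.

make_key() {    # $1 = user id; prints the new key's long key id
  gpg --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$1" rsa2048 sign never 2>/dev/null || return 1
  key_id "$1"
}

key_id() {      # $1 = user id or e-mail; field 5 of the "pub" record is the key id
  gpg --batch --list-keys --with-colons "$1" 2>/dev/null |
    awk -F: '$1 == "pub" { print $5; exit }'
}

sign_dud() {    # $1 = key id, $2 = DUD file; writes the detached signature $2.asc
  gpg --batch --yes --quiet --local-user "$1" --armor --detach-sign \
      --output "$2.asc" "$2"
}

export_key() {  # $1 = key id, $2 = file; binary public key, usable as a keyring
  gpg --batch --export "$1" > "$2"
}

verify_dud() {  # $1 = keyring (path containing a slash), $2 = DUD file
  gpgv --keyring "$1" "$2.asc" "$2" 2>/dev/null   # only keys in $1 count
}

demo() {
  GNUPGHOME=$(mktemp -d) || return 1; export GNUPGHOME   # leave ~/.gnupg alone
  work=$(mktemp -d) || return 1
  dud="$work/dud.squash"
  printf 'constructed stand-in for a driver update\n' > "$dud"
  id=$(make_key 'Constructed DUD Signer <dud@example.invalid>') || return 1
  sign_dud "$id" "$dud" && export_key "$id" "$work/known.gpg" || return 1
  : > "$work/empty.gpg"                                  # keyring without our key
  verify_dud "$work/known.gpg" "$dud" && known=accepted || known=rejected
  verify_dud "$work/empty.gpg" "$dud" && unknown=accepted || unknown=rejected
  echo 'tampered' >> "$dud"                              # change the signed file
  verify_dud "$work/known.gpg" "$dud" && tampered=accepted || tampered=rejected
  gpgconf --kill gpg-agent 2>/dev/null || true
  rm -rf "$GNUPGHOME" "$work"
  echo "$id known-key=$known unknown-key=$unknown tampered=$tampered"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Getting the exported key into the real `/installkey.gpg` means unpacking and repacking the initrd, which this example does not cover.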
On Wednesday, 2009-01-07 at 11:05 -0600, Matt Sealey wrote:
> I have a bunch of questions about kernels too but it should be for the openSUSE-kernel mailing list, which I seem to have been magically unsubscribed from or at least never received a mail after the first day..? :(
You can browse the web archive, and see if there have been posts you have lost. And if you have, you can download an mbox archive of all posts of any month.
--
Cheers, Carlos E. R.
On Wed, Jan 7, 2009 at 3:15 PM, Carlos E. R.
> On Wednesday, 2009-01-07 at 11:05 -0600, Matt Sealey wrote:
> > I have a bunch of questions about kernels too but it should be for the openSUSE-kernel mailing list, which I seem to have been magically unsubscribed from or at least never received a mail after the first day..? :(
> You can browse the web archive, and see if there have been posts you have lost. And if you have, you can download an mbox archive of all posts of any month.
Weird.. it turns out there were no messages in December and mine is
the first in January.
Is opensuse-kernel dead?
--
Matt Sealey
On 1/7/2009 at 5:32 PM, Steffen Winterfeldt wrote:
> On Wed, 7 Jan 2009, Peter Czanik wrote:
> > Steffen Winterfeldt wrote:
> > > Basically, yes. You have to add your key to '/installkey.gpg' in the initrd. It was a requirement from our security guys that all files need to be checked (bug 435685). As a consequence either your key is known in the initrd or you explicitly turn off checking with 'insecure=1'.
> > You are not authorized to access bug #435685.
> That's not true. Just tried bugzilla without login and I can read the bug.
What Peter probably meant is that 'we are not authorized to access this bug' It's a non public bug. The text was copied from the website and is purely a quote of the error message. 'you' did not reference to you as a person.
Dominique
On Thursday 08 January 2009 08:55:50 Dominique Leuenberger wrote:
> What Peter probably meant is that 'we are not authorized to access this bug' It's a non public bug.
It is a public bug, I just checked bug 435685. Please check again! Andreas -- Andreas Jaeger, Director Platform / openSUSE, aj@suse.de SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) Maxfeldstr. 5, 90409 Nürnberg, Germany GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126
Hello,
Andreas Jaeger wrote:
> On Thursday 08 January 2009 08:55:50 Dominique Leuenberger wrote:
> > What Peter probably meant is that 'we are not authorized to access this bug' It's a non public bug.
> It is a public bug, I just checked bug 435685. Please check again!
Yes, I can read it now, but got the quoted message when first checked yesterday.
Bye, CzP
On Thursday, 2009-01-08 at 08:58 +0100, Andreas Jaeger wrote:
> It is a public bug, I just checked bug 435685. Please check again!
If you check the activity log, the "novell only" flag was removed yesterday.
--
Cheers, Carlos E. R.
participants (7)
- Andreas Jaeger
- Carlos E. R.
- Dominique Leuenberger
- Martin Schlander
- Matt Sealey
- Peter Czanik
- Steffen Winterfeldt