Hello, Martin Schlander írta:

...

I provide a driver update for EFIKA PPC users. Recently a new feature was introduced to the installer, which now checks for an .asc file for the dud. How can I create one? Using 'insecure=1' is a bit annoying workaround, just as getting questioned about it during installation... The file I'd like to sign is http://genesi.hu/dud.11.1.squash

I think this is what you need: http://en.opensuse.org/Secure_Installation_Sources

Does it mean, that if I want to sign my DUD, then I also need to provide a modified initrd? Bye, CzP -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Hello, Martin Schlander írta:

In all honesty I don't know what I'm talking about here - I just assumed you used a repomd/yum repository for your thingy, and all you needed to do was gpg-sign the repomd.xml and include your public key.

A driver update is not a repository, but a single squashfs file containing some fixes for the installer. In my case a firmware fix provided as a forth file and running mkzimage to create a bootable kernel image at the end of installation. Earlier SuSE releases did not check for a signature, it was added quite late in the 11.1 development cycle. Bye, CzP -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

Steffen Winterfeldt írta:

Basically, yes. You have to add your key to '/installkey.gpg' in the initrd. It was a requirement from our security guys that all files need to be checked (bug 435685). As a consequence either your key is known in the initrd or you explicitly turn off checking with 'insecure=1'.

You are not authorized to access bug #435685. Bye, CzP -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Wed, Jan 7, 2009 at 10:32 AM, Steffen Winterfeldt wrote:

On Wed, 7 Jan 2009, Peter Czanik wrote:

...

Steffen Winterfeldt írta:

...

Basically, yes. You have to add your key to '/installkey.gpg' in the initrd. It was a requirement from our security guys that all files need to be checked (bug 435685). As a consequence either your key is known in the initrd or you explicitly turn off checking with 'insecure=1'.

You are not authorized to access bug #435685.

That's not true. Just tried bugzilla without login and I can read the bug.

I saw it here. It's not very interesting or informative :D I'm not too keen on putting extra things in the initrd - since we use a rpm-md package format here internally I wondered if I could just put driverupdate in that repository somehow and then fix control.xml to look at our custom repository (just new kernels + tools). I have a few qualms; 1) in the instructions (Secure Installation Sources) the example script uses a $keyid variable. Where on earth do I get that keyid variable? I'm not that familiar with the ins and outs of gpg. 2) createrepo -v does not even look at my driverupdate file in the root and complains that it is not a package. None of the inst-source-utils manage to do anything with it either. What is the CORRECT way to build a rpm-md repository with a) packages built by us, for our own internal use and for user use b) a driverupdate that will hopefully be checked by the automated installation process (i.e. named driverupdate and in a special place on the repo)? How does for instance the SuSE updates repository get built, at least what can you tell us about it that wouldn't compromise some kind of security policy? :D I have a bunch of questions about kernels too but it should be for the openSUSE-kernel mailing list, which I seem to have been magically unsubscribed from or at least never received a mail after the first day..? :( -- Matt Sealey Genesi, Manager, Developer Relations

On Wed, Jan 7, 2009 at 3:15 PM, Carlos E. R. wrote:

On Wednesday, 2009-01-07 at 11:05 -0600, Matt Sealey wrote:

...

I have a bunch of questions about kernels too but it should be for the openSUSE-kernel mailing list, which I seem to have been magically unsubscribed from or at least never received a mail after the first day..? :(

You can browse the web archive, and see if there have been posts you have lost. And if you have, you can download an mbox archive of all posts of any month.

Weird.. it turns out there were no messages in December and mine is the first in January. Is opensuse-kernel dead? -- Matt Sealey Genesi, Manager, Developer Relations -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org

On Thursday 08 January 2009 08:55:50 Dominique Leuenberger wrote:

What Peter probably meant is that 'we are not authorized to access this bug' It's a non public bug.

It is a public bug, I just checked bug 435685. Please check again! Andreas -- Andreas Jaeger, Director Platform / openSUSE, aj@suse.de SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) Maxfeldstr. 5, 90409 Nürnberg, Germany GPG fingerprint = 93A3 365E CE47 B889 DF7F FED1 389A 563C C272 A126

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Thursday, 2009-01-08 at 08:58 +0100, Andreas Jaeger wrote:

It is a public bug, I just checked bug 435685. Please check again!

If you check the activity log, the "novell only" flag was removed yesterday. - -- Cheers, Carlos E. R. -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.9 (GNU/Linux) iEYEARECAAYFAkll908ACgkQtTMYHG2NR9ViYwCfWbBZ0xzysw4IRqwaWMtOR3AL 1hIAoIl0YEMSfCNJreRba0wlk1cwscVD =F+aP -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-factory+help@opensuse.org