[opensuse-packaging] why are we signing RPMs
Hi,

when building RPMs in OBS, each of them is signed with a private key that is kept somewhere in the OBS infrastructure. But it occurred to me that this might not actually be needed, because we sign repository metadata using the same keys and that metadata contains hashes of files, so those are already protected against malicious modification.

Are there tools, processes or people using those sigs on individual rpms?

The background is that when trying to reproduce a build to verify that it is bit-by-bit identical to what was published before, we can only compare parts of it, because the signature and its timestamp will always be different. We could try to strip such information that is known to vary, but it also has some appeal to get completely identical results.

Ciao
Bernhard M.

--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner@opensuse.org

On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:
> Hi,
> when building RPMs in OBS, each of them is signed with a private key that is kept somewhere in the OBS infrastructure.
> But it occurred to me that this might not actually be needed, because we sign repository metadata using the same keys and that metadata contains hashes of files, so those are already protected against malicious modification.
> Are there tools, processes or people using those sigs on individual rpms?

Yup, rpm itself does. It can be set to refuse unsigned RPMs. You can also check against the digital signature when verifying packages. Lastly, people can always manually download and install packages without adding the repositories.

Cheers
Mathias

--
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
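An added, constructed example (not code from the thread, OBS or rpm) for the two points above: the part of a package that Bernhard's bit-by-bit comparison would have to leave out, and the per-package signature that Mathias says rpm can insist on. It splits an RPM file into lead, signature header and remainder by the RPM header layout, hashes everything except the signature header, and lists which OpenPGP signature tags that header carries. The layout constants and tag numbers follow rpm's file format; make_fake_rpm is a helper that builds a minimal RPM-shaped byte string for offline use, not a real package.

```python
import hashlib
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"     # start of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header structure magic + version 1
LEAD_SIZE = 96
# Signature-header tags that carry OpenPGP signatures (rpm's rpmsigtag values).
SIG_TAGS = {267: "DSA", 268: "RSA", 1002: "PGP", 1005: "GPG"}


def split_rpm(data: bytes):
    """Return (lead, signature_header, rest); rest = main header + payload."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM lead")
    off = LEAD_SIZE
    if data[off:off + 4] != HEADER_MAGIC:
        raise ValueError("signature header magic missing")
    # after magic: 4 reserved bytes, then index entry count and data size (big-endian)
    nindex, hsize = struct.unpack(">II", data[off + 8:off + 16])
    end = off + 16 + nindex * 16 + hsize
    end += (-end) % 8  # the signature header is padded to an 8-byte boundary
    return data[:off], data[off:end], data[end:]


def signature_tags(sig_header: bytes):
    """Names of the OpenPGP signature tags present in a signature header."""
    nindex = struct.unpack(">I", sig_header[8:12])[0]
    tags = [struct.unpack(">I", sig_header[16 + 16 * i:20 + 16 * i])[0]
            for i in range(nindex)]
    return [SIG_TAGS[t] for t in tags if t in SIG_TAGS]


def reproducible_digest(data: bytes) -> str:
    """SHA-256 over everything except the signature header (the part that varies)."""
    lead, _sig, rest = split_rpm(data)
    return hashlib.sha256(lead + rest).hexdigest()


def make_fake_rpm(sig_blob, body: bytes) -> bytes:
    """Constructed, minimal RPM-shaped file; sig_blob=None means unsigned."""
    entries = [] if sig_blob is None else [(268, 7, sig_blob)]  # RSA tag, BIN type
    index = b"".join(struct.pack(">IIII", t, ty, 0, len(d)) for t, ty, d in entries)
    store = b"".join(d for _, _, d in entries)
    sig = HEADER_MAGIC + b"\0" * 4 + struct.pack(">II", len(entries), len(store))
    sig += index + store
    sig += b"\0" * ((-len(sig)) % 8)
    return LEAD_MAGIC + b"\0" * (LEAD_SIZE - 4) + sig + body
```

Two builds that differ only in their signature header get the same reproducible_digest, while an empty signature_tags result is what a "refuse unsigned RPMs" policy would reject.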

On Monday, 28 November 2016, 09:34:04 CET, Mathias Homann wrote:
> On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:
>> Hi,
>> when building RPMs in OBS, each of them is signed with a private key that is kept somewhere in the OBS infrastructure.
>> But it occurred to me that this might not actually be needed, because we sign repository metadata using the same keys and that metadata contains hashes of files, so those are already protected against malicious modification.
>> Are there tools, processes or people using those sigs on individual rpms?
>
> Yup, rpm itself does. It can be set to refuse unsigned RPMs. You can also check against the digital signature when verifying packages. Lastly, people can always manually download and install packages without adding the repositories.

and osc does. It downloads an rpm which may not even be published at that point in time and validates it (at least when not building in a safe env like kvm)

--
Adrian Schroeter
email: adrian@suse.de

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany

Hi

On Monday, 28 November 2016, 09:41:13, Adrian Schröter wrote:
> On Monday, 28 November 2016, 09:34:04 CET, Mathias Homann wrote:
>> On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:
>>> Hi,
>>> when building RPMs in OBS, each of them is signed with a private key that is kept somewhere in the OBS infrastructure.
>>> But it occurred to me that this might not actually be needed, because we sign repository metadata using the same keys and that metadata contains hashes of files, so those are already protected against malicious modification.
>>> Are there tools, processes or people using those sigs on individual rpms?
>>
>> Yup, rpm itself does. It can be set to refuse unsigned RPMs. You can also check against the digital signature when verifying packages. Lastly, people can always manually download and install packages without adding the repositories.
>
> and osc does. It downloads an rpm which may not even be published at that point in time and validates it (at least when not building in a safe env like kvm)

and newer libzypp/zypper/etc. is using it in case the metadata are not signed.

--
Regards
Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575
e-mail: Michael.Calmer@suse.com
--------------------------------------------------------------------------
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

On Monday 2016-11-28 09:34, Mathias Homann wrote:
> On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:
>> when building RPMs in OBS, each of them is signed with a private key that is kept somewhere in the OBS infrastructure. But it occurred to me that this might not actually be needed, because we sign repository metadata
>
> Lastly, people can always manually download and install packages without adding the repositories.

This is where I need to point out the unsafety of the Debian package format :-)

participants (5)
- Adrian Schröter
- Bernhard M. Wiedemann
- Jan Engelhardt
- Mathias Homann
- Michael Calmer