[opensuse] Package Key Confusion
I added the 11.1 oss repo to my 11.0 installation and now zypper wants to
know:
Do you want to trust key id B88B2FD43DBDC284, openSUSE Project Signing Key
On Sun, 21 Dec 2008 15:05:17 +0100, you wrote:
* Shouldn't the Project Signing Key not be already installed on my 11.0 and therefore trusted? Or has opensuse exchanged keys from 11.0 to 11.1?
AFAIK the key was changed.
* How do I verify if this is indeed the correct key for the packages? (Searching opensuse.org brings no results, the term "project signing key" is completely unknown)
You ask a public pgp key server like http://pgpkeys.pca.dfn.de/. Enter the key id prefixed with 0x (zero ex), mark 'Show PGP "fingerprints" for keys' and let it search. Or simply follow this URL http://pgpkeys.pca.dfn.de/pks/lookup?search=0xB88B2FD43DBDC284&fingerprint=on&op=index
Now you compare the fingerprint the server gives you with the one you posted.
Philipp
Philipp Thomas wrote:
On Sun, 21 Dec 2008 15:05:17 +0100, you wrote:
* Shouldn't the Project Signing Key not be already installed on my 11.0 and therefore trusted? Or has opensuse exchanged keys from 11.0 to 11.1?
AFAIK the key was changed.
* How do I verify if this is indeed the correct key for the packages? (Searching opensuse.org brings no results, the term "project signing key" is completely unknown)
You ask a public pgp key server like http://pgpkeys.pca.dfn.de/. Enter the key id prefixed with 0x (zero ex), mark 'Show PGP "fingerprints" for keys' and let it search. Or simply follow this URL http://pgpkeys.pca.dfn.de/pks/lookup?search=0xB88B2FD43DBDC284&fingerprint=on&op=index
Now you compare the fingerprint the server gives you with the one you posted.
And how do we know that the key in the PGP server is the real one from opensuse.org, and not a fake? There is no "web of trust" that way. The IDs should be posted on a non-wiki page, easy to find, and the keys signed with a trusted key.
--
Cheers / Saludos, Carlos E. R. (from 11.1-ex-factory)
On Sun, 21 Dec 2008 19:44:10 +0100, you wrote:
And how do we know that the key in the PGP server is the real one from opensuse.org, and not a fake? There is no "web of trust" that way.
You're right, there isn't.
The IDs should be posted on a non-wiki page, easy to find, and the keys signed with a trusted key.
I think it's a very valid request and you should open a bug report in bugzilla marked 'enhancement request' for this (take me into CC as pth@novell.com if you do).
Philipp
On Monday, 2008-12-22 at 11:46 +0100, Philipp Thomas wrote:
The IDs should be posted on a non-wiki page, easy to find, and the keys signed with a trusted key.
I think it's a very valid request and you should open a bug report in bugzilla marked 'enhancement request' for this (take me into CC as pth... if you do).
Done :-) Bug #461957
--
Cheers, Carlos E. R.
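Added example, not part of the thread or of any openSUSE tooling: the fingerprint comparison Philipp describes, scripted so that a key passes only when its full fingerprint equals a reference fingerprint, which per Carlos's point has to come from a source independent of the key server. The listings, key ID and fingerprints are constructed sample values, and the function names are hypothetical.

```sh
# Constructed `gpg --with-colons` listings, not real keys. Both carry the
# same 64-bit key ID but different 160-bit fingerprints.
GENUINE='pub:-:1024:17:89ABCDEF01234567:1160000000:::-:::scSC:
fpr:::::::::0F1E2D3C4B5A69788796A5B489ABCDEF01234567:
uid:-::::1160000000::::Constructed Signing Key <key@example.org>:
'
IMPOSTOR='pub:-:1024:17:89ABCDEF01234567:1229000000:::-:::scSC:
fpr:::::::::FFEEDDCCBBAA99887766554489ABCDEF01234567:
'

# Upper-case a key ID or fingerprint; strip spaces, colons and a 0x prefix.
normalize() {
    printf '%s' "$1" | tr -d ' :\n' | tr 'a-f' 'A-F' | sed 's/^0[xX]//'
}

# Read a colon listing on stdin and print the primary key fingerprint:
# field 10 of the first "fpr" record after the "pub" record.
primary_fpr() {
    awk -F: '$1 == "pub" { seen = 1 } seen && $1 == "fpr" { print $10; exit }'
}

# check_key KEYID REFERENCE_FPR < colon-listing
# 0 = full fingerprint equals the reference
# 1 = key ID fits but the fingerprint differs from the reference
# 2 = key ID from the prompt is not the tail of this key's fingerprint
# 3 = malformed input (no fingerprint, wrong length, non-hex)
check_key() {
    keyid=$(normalize "$1")
    ref=$(normalize "$2")
    cand=$(normalize "$(primary_fpr)")
    case "$keyid$cand" in *[!0-9A-F]*) return 3 ;; esac
    [ "${#keyid}" -eq 16 ] && [ "${#cand}" -eq 40 ] || return 3
    # A long key ID is only the last 16 hex digits of a v4 fingerprint.
    case "$cand" in *"$keyid") ;; *) return 2 ;; esac
    [ "$cand" = "$ref" ] || return 1
    return 0
}

# Typical use (KEYFILE and the reference value are placeholders):
#   gpg --show-keys --with-colons KEYFILE | check_key KEYID "REFERENCE FPR"
```

The IMPOSTOR listing passes the key ID check and fails only on the full fingerprint, which is why the reference has to be a complete fingerprint rather than the 16-digit ID from the zypper prompt.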
participants (3)
- Carlos E. R.
- Philipp Thomas
- Volker