We would like to increase the security level when using repositories from the OBS by making the repository ownerships more visible. This is hardly possible atm (but not impossible) since we use the same gpg key for all projects. Here are our ideas (together with our security team), any input is appreciated.

Requirements:

* Make it obvious to the user that adding a repository from another project needs again to trust in it (because different people will have write access there). The installer should point the user to this and ask for his trust on it.
* It should work with existing distributions as well as possible, of course esp. with openSUSE distris and YaST installer. But of course it should work as well as possible with any other package manager.

What we plan to do is

* Each project will get its own gpg key, which is used to sign the packages and repository meta files.
* The newly generated public key gets signed with a global OBS key, so people can check if the repository got built indeed for the OBS (this means you can trust that the binaries come from the sources hosted on OBS).
* We do not sign any repository anymore with the global OBS key, but generate a key for each existing project.

Known problems:

* People who currently use repositories from OBS will need to import the new gpg key(s). Otherwise the package managers will report errors.

Possible future enhancements:

* YaST should show which keys signed a pubkey about to get imported.
* Allow upload of privates to be used to sign repos? These keys *must not* get signed by the global OBS key, since they can be used elsewhere.
* Does it make sense to allow reusing one key for multiple projects? Does anyone want to have this at all?

Implementation:

* The signing instance stays read-only.
* The global OBS key remains on the signing instance only.
* Generated private keys get stored encrypted (with OBS global key) on the general storage server to keep the signing host an instance without needed backup.

bye
adrian

--
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de
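
The check the proposal relies on (is a project key certified by the global OBS key, and which keys signed a pubkey about to be imported) can be read from the colon-separated listing GnuPG prints for `gpg --with-colons --check-sigs`. The following is an added example, not part of the original message and not OBS or YaST code; all key IDs, names and the sample listing are constructed.

```python
# Added example: parse `gpg --with-colons --check-sigs` output and report whether
# each project key carries a verified certification from the global OBS key.
GLOBAL_OBS_KEYID = "AAAAAAAAAAAAAAAA"   # constructed placeholder, not a real key ID
CERT_CLASSES = {"10", "11", "12", "13"}  # OpenPGP key certification signature classes

# Constructed sample listing for three project keys (all IDs and names invented).
SAMPLE = """\
pub:-:2048:1:1111111111111111:1200000000:::-:::scESC:
uid:-::::1200000000::::Project A (constructed):
sig:!::1:1111111111111111:1200000000::::Project A (constructed):13x:
sig:!::1:AAAAAAAAAAAAAAAA:1200000100::::Global OBS key (constructed):10x:
pub:-:2048:1:2222222222222222:1200000200:::-:::scESC:
uid:-::::1200000200::::Uploaded key (constructed):
sig:!::1:2222222222222222:1200000200::::Uploaded key (constructed):13x:
pub:-:2048:1:3333333333333333:1200000300:::-:::scESC:
uid:-::::1200000300::::Project C (constructed):
sig:!::1:3333333333333333:1200000300::::Project C (constructed):13x:
sig:-::1:AAAAAAAAAAAAAAAA:1200000400::::Global OBS key (constructed):10x:
"""

def third_party_certs(colon_output):
    """Map primary key ID -> {signer key ID: set of validity flags}, self-signatures excluded."""
    certs, current = {}, None
    for line in colon_output.splitlines():
        f = line.split(":") + [""] * 11          # pad so short records index safely
        if f[0] == "pub":
            current = f[4]
            certs[current] = {}
        elif f[0] == "sig" and current and f[4] != current and f[10][:2] in CERT_CLASSES:
            # f[1] starts with "!" (good), "-" (bad), "?" (signer key missing) or "%" (error)
            certs[current].setdefault(f[4], set()).add(f[1][:1])
    return certs

def import_decision(colon_output, global_keyid=GLOBAL_OBS_KEYID):
    """Classify each key so an installer can word its trust prompt accordingly."""
    decisions = {}
    for key, signers in third_party_certs(colon_output).items():
        flags = signers.get(global_keyid)
        if flags is None:
            decisions[key] = "not-certified"            # e.g. an uploaded private key
        elif flags == {"!"}:
            decisions[key] = "certified-by-global-key"  # built and signed by OBS
        else:
            decisions[key] = "certification-unverified" # bad, unknown or mixed result
    return decisions

if __name__ == "__main__":
    for key, verdict in import_decision(SAMPLE).items():
        print(key, verdict)
```

Key IDs are matched here for brevity; comparing full fingerprints is the safer choice, since 64-bit key IDs can collide.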