Mailinglist Archive: opensuse-buildservice (349 mails)

< Previous Next >
Re: [opensuse-buildservice] RPMs and detached signatures!
  • From: Michael Schroeder <mls@xxxxxxx>
  • Date: Mon, 5 Nov 2007 15:29:14 +0100
  • Message-id: <20071105142914.GC27359@xxxxxxx>
On Wed, Oct 31, 2007 at 06:30:51PM -0500, Paul Elliott wrote:
Where is it documented how the data in a RPM is laid out?

A rpm consists of four parts:
1) rpm lead, i.e. magic and the like (96 bytes)
2) signature header, containing all signatures
3) package header, i.e. name, version, dependencies, ...
4) payload, i.e. compressed cpio archive

data is signed in a signed RPM?

Depends on the signature, either package header + payload or just
the package header. rpm --addsign normally adds two signatures, one
for just the package header and one for both the header and the

Using these utilities, the buildservice could implement the following
procedure for developers that want to sign their rpms:

Developers download their rpm and use rpmdetachsig to create a detached

You actually just need the header/header+payload hash for signing
purposes, there's no need to download the complete rpm.

They then upload the detached signature back to the build
service. The Build service adds the developer's detached signature to
the published rpm (with rpmadddetachedsig).

Hmm, I'm not sure that the rpms should be published at all if they
don't have their right signature.

The build service also
adds its own signature to the rpm to indicate that the rpm was indeed
built with the data on the build service.

This procedure (if possible) has the following advantages:

The developers never have to trust the build service with their
secret keys, because the signature creation is done on the developer's
own computer. This is important because many people are unwilling
to trust anyone else with their secret key--properly so.

The Build service knows that the data it publishes was built on the
build server! It accepted the detached signature from the developer
but the rpm on the build service never left the custody of the
build service!

Yep, that's more or less what we're planning to do.

(And it's also how the 'sign' tool works that is distributed with
the build service code, it calculates the hash and sends it to the
sign server. The sign server sends back the signature and the sign
utility puts the signature in the rpm.)


Michael Schroeder mls@xxxxxxx
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages