Mailinglist Archive: opensuse-buildservice (266 mails)

Re: [opensuse-buildservice] obs-service-gpg-offline
  • From: Adrian Schröter <adrian@xxxxxxx>
  • Date: Tue, 08 Jan 2013 10:11:04 +0100
  • Message-id: <1487131.bFMUM328qf@scherben>
On Monday, 7 January 2013, 17:22:06, Stanislav Brabec wrote:
> I wrote a simple service, which can automatically check PGP signatures
> of files using gpg-offline .keyring file:
> https://build.opensuse.org/package/show?package=obs-service-gpg-offline&project=home%3Asbrabec
>
> It could be an alternative to %prep checks during the build process
> using %gpg-offline macro.
>
> This is a simple version and does not take any arguments. It checks
> online for updates, but it does not fail if the signature is not found
> in the public servers. Only failure of checks against embedded keyring
> will fail. It would need further discussion what to return if:
>
> - Key server did not respond.
> - The key is not found upstream.
> - The key was revoked.

Hm, what does a key on a gpg server tell us anyway for the trust of it?
Everybody can upload it and this person does not necessarily have a connection
to the upstream project.

IMHO we should collect validated gpg keys, where we know they are from upstream
and put them either into some generic collection (for large projects like
kernel, KDE, apache ...)

We should also support putting the gpg key beside the sources. In this way we see
if the key changes on a version update.

Doesn't it also make sense to extend the verify_source service for this task
instead of adding another one?

But to close with something positive, thanks a lot for spending some work here.
IMHO the lacking validation of our sources is one of the biggest problems trust-wise
:)

thanks!
adrian

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@xxxxxxx

--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx
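The two points raised in this exchange, what a verification service should return when the key is missing or revoked, and pinning the upstream key beside the sources so a key change on a version update is visible, can be tied together in one decision routine. The following is an added example, not the code of obs-service-gpg-offline or of OBS's verify_source service. It reads GnuPG's machine-readable `--status-fd` output (the `GOODSIG`, `VALIDSIG`, `NO_PUBKEY`, `REVKEYSIG` and related tokens), fails closed on anything but a good signature, and compares the signing key's fingerprint with one pinned next to the sources. The policy, the function names, the fingerprint and the status lines are all constructed for the illustration.

```python
"""Added example: decide whether a source tarball's detached PGP signature
passes, from GnuPG's --status-fd output, checking the signing key against
a fingerprint pinned beside the sources.  Not obs-service-gpg-offline code;
the policy and names are hypothetical."""
import re
import subprocess
from dataclasses import dataclass
from typing import Dict, List, Optional

# GnuPG status tokens that must fail the check, in the order we report them.
# REVKEYSIG/KEYREVOKED cover "the key was revoked"; NO_PUBKEY covers
# "the key is not in our keyring".
FATAL_TOKENS = ["BADSIG", "REVKEYSIG", "KEYREVOKED", "EXPKEYSIG", "EXPSIG",
                "NO_PUBKEY", "ERRSIG"]

STATUS_RE = re.compile(r"^\[GNUPG:\] (\S+)(?: (.*))?$")


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None


def gpg_status_lines(keyring: str, sigfile: str, datafile: str) -> List[str]:
    """Run gpg against an isolated keyring (never the user's default one) and
    return its [GNUPG:] status lines.  Needs a gpg binary; the offline
    samples below do not call it."""
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring,
           "--status-fd", "1", "--verify", sigfile, datafile]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return [l for l in proc.stdout.splitlines() if l.startswith("[GNUPG:]")]


def parse_status(lines: List[str]) -> Dict[str, List[str]]:
    """Map each status token to its argument list (last occurrence wins)."""
    tokens: Dict[str, List[str]] = {}
    for line in lines:
        m = STATUS_RE.match(line)
        if m:
            tokens[m.group(1)] = (m.group(2) or "").split()
    return tokens


def evaluate(lines: List[str], pinned_fpr: Optional[str] = None) -> Verdict:
    """Fail closed: only a GOODSIG+VALIDSIG pair from the pinned key passes.
    Web-of-trust state (TRUST_UNDEFINED etc.) is ignored on purpose: the
    fingerprint pinned next to the sources is what establishes trust here."""
    tokens = parse_status(lines)
    for tok in FATAL_TOKENS:
        if tok in tokens:
            detail = " ".join(tokens[tok])
            return Verdict(False, f"gpg reported {tok} {detail}".strip())
    if "GOODSIG" not in tokens or "VALIDSIG" not in tokens:
        return Verdict(False, "no GOODSIG/VALIDSIG in gpg output")
    args = tokens["VALIDSIG"]
    if not args:
        return Verdict(False, "malformed VALIDSIG line")
    fpr = args[0].upper()  # first VALIDSIG field is the signing key fingerprint
    if pinned_fpr is not None:
        want = pinned_fpr.replace(" ", "").upper()
        if fpr != want:
            return Verdict(False, f"signing key changed: {fpr} is not pinned {want}", fpr)
    return Verdict(True, "good signature from pinned key", fpr)


# Constructed sample data: fingerprint, key id, user id and status lines
# are made up to exercise the three outcomes discussed on the list.
PINNED_FINGERPRINT = "0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"
_FPR = PINNED_FINGERPRINT.replace(" ", "")
_KEYID = _FPR[-16:]
_UID = "Example Project <release@example.org>"

GOOD_STATUS = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] GOODSIG {_KEYID} {_UID}",
    f"[GNUPG:] VALIDSIG {_FPR} 2013-01-07 1357574526 0 4 0 1 10 00 {_FPR}",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
REVOKED_STATUS = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] REVKEYSIG {_KEYID} {_UID}",
    f"[GNUPG:] VALIDSIG {_FPR} 2013-01-07 1357574526 0 4 0 1 10 00 {_FPR}",
]
MISSING_KEY_STATUS = [
    "[GNUPG:] NEWSIG",
    f"[GNUPG:] ERRSIG {_KEYID} 1 10 00 1357574526 9",
    f"[GNUPG:] NO_PUBKEY {_KEYID}",
]

if __name__ == "__main__":
    for name, lines in [("good", GOOD_STATUS), ("revoked", REVOKED_STATUS),
                        ("missing key", MISSING_KEY_STATUS)]:
        print(name, evaluate(lines, PINNED_FINGERPRINT))
    print("key changed", evaluate(GOOD_STATUS, "F" * 40))
```

With the fingerprint file kept beside the sources in the package, a version update that brings a differently-signed tarball fails with `signing key changed` and needs an explicit, reviewable commit to the pinned value; a key server answer is never consulted, which sidesteps the question of what an unverified upload to a public key server proves.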
