Mailinglist Archive: opensuse-buildservice (166 mails)

< Previous Next >
Re: [opensuse-buildservice] verifiable public keys for repositories
Hello Michael,

On Fri, May 23, 2014 at 06:46:21PM +0200, Michael Schroeder wrote:
On Fri, May 23, 2014 at 06:31:01PM +0200, Benedikt Wildenhain wrote:
I am using the Debian-packages build for ownCloud, which are available
at
http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.

They are only self-signed

A signature can't be self-signed, so are you talking about the
"Release.key" pubkey file that is also in the repository?
Yes, exactly.

(besides an signature by 6B9D6523, openSUSE
Build Service <buildservice@xxxxxxxxxxxx>, which expired in 2008)

We don't put an expiry date in the openSUSE Build Service signature,
so are you talking about the openSUSE Build Service pubkey?
If yes, where did you get it from?
I used hkp://keys.gnupg.net (the same key is also available via
http://keys.gnupg.net/pks/lookup?op=get&search=0x3B3011B76B9D6523 )

$ LANG=C gpg --recv-keys 6B9D6523
gpg: requesting key 6B9D6523 from hkp server keys.gnupg.net
gpg: key 6B9D6523: "openSUSE Build Service <buildservice@xxxxxxxxxxxx>" not
changed
gpg: Total number processed: 1
gpg: unchanged: 1
$ LANG=C gpg --list-sigs 6B9D6523
pub 1024D/6B9D6523 2006-05-24 [expired: 2008-05-23]
uid openSUSE Build Service <buildservice@xxxxxxxxxxxx>
sig 3 6B9D6523 2006-05-24 openSUSE Build Service
<buildservice@xxxxxxxxxxxx>

The pubkey are signed by the openSUSE Build Service key, right?
Yes, but at least those I downloaded using the command above wasn't
signed by anyone, so I cannot find a signature path to someone, with
whom I exchanged keys with before.

Regards,
Benedikt Wildenhain
< Previous Next >