Mailinglist Archive: opensuse-buildservice (124 mails)

Re: [opensuse-buildservice] Downloading (signing keys at least) from OBS via HTTPS?
On Thursday, 11 August 2016, 19:27:02 CEST, Martin Koegler wrote:
On Thu, Aug 11, 2016 at 11:58:24AM -0500, Archie Cobbs wrote:
On Thu, Aug 11, 2016 at 11:49 AM, Per Jessen <per@xxxxxxxxxxxx> wrote:
True.. but just to be clear, we're talking about a specific (but
common) scenario, which is when a user downloads the signing key via
zypper ref, automatically answering "Trust Always?" with yes.

In this scenario what we have today is delivery of that key via HTTP.
I'm suggesting we change this to HTTPS, which is much more secure.

That key isn't confidential (or is it?), so what might be gained by
enabling https ?

Delivery of the key is vulnerable to a man-in-the-middle attack when
using only HTTP.

Are the signing keys somewhere shown in the WebUI?

Not yet, but there is an open feature for it.

You can get them using

osc signkey $project

but you need an account for that.

--

Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284
(AG Nürnberg)

Maxfeldstraße 5
90409 Nürnberg
Germany
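
Added example, not part of the original mail or of OBS/osc: the thread's point is that the key is public but its integrity matters, so a copy fetched over plain HTTP can be checked against a copy from an authenticated channel (such as `osc signkey $project`) by comparing OpenPGP v4 fingerprints. The two hex packets and the names `FROM_API` and `FROM_HTTP` are constructed placeholders, not real keys.

```python
import base64, hashlib, hmac

def dearmor(data: bytes) -> bytes:
    """Return raw OpenPGP packets; accepts ASCII armor or binary input."""
    if not data.lstrip().startswith(b"-----BEGIN PGP"):
        return data
    lines = [ln.strip() for ln in data.strip().splitlines()]
    body = lines[lines.index(b"") + 1:-1]        # armor headers end at blank line
    # The line starting with "=" is the CRC-24 checksum, not key material.
    return base64.b64decode(b"".join(ln for ln in body if not ln.startswith(b"=")))

def primary_key_body(packets: bytes) -> bytes:
    """Body of the first packet, which must be a version 4 public key (tag 6)."""
    if not packets or not packets[0] & 0x80:
        raise ValueError("not an OpenPGP packet")
    first = packets[0]
    if first & 0x40:                             # new-format header
        tag, l0 = first & 0x3F, packets[1]
        if l0 < 192:
            start, length = 2, l0
        elif l0 < 224:
            start, length = 3, ((l0 - 192) << 8) + packets[2] + 192
        elif l0 == 255:
            start, length = 6, int.from_bytes(packets[2:6], "big")
        else:
            raise ValueError("partial body length is not valid here")
    else:                                        # old-format header
        tag, ltype = (first >> 2) & 0x0F, first & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length not supported")
        start = 1 + (1 << ltype)
        length = int.from_bytes(packets[1:start], "big")
    body = packets[start:start + length]
    if tag != 6 or len(body) != length or body[:1] != b"\x04":
        raise ValueError("expected a complete version 4 public-key packet")
    return body

def fingerprint(key: bytes) -> str:
    """RFC 4880 v4 fingerprint: SHA-1 over 0x99, 2-byte length, packet body."""
    body = primary_key_body(dearmor(key))
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()

def same_key(a: bytes, b: bytes) -> bool:
    return hmac.compare_digest(fingerprint(a), fingerprint(b))

# Constructed toy packets, not real keys: same header, different modulus bytes.
FROM_API = bytes.fromhex("99000f0457ac0000010010c0de0011010001")   # e.g. osc signkey
FROM_HTTP = bytes.fromhex("99000f0457ac0000010010bade0011010001")  # e.g. repo over HTTP

if __name__ == "__main__":
    print(fingerprint(FROM_API), fingerprint(FROM_HTTP), same_key(FROM_API, FROM_HTTP))
```

A mismatch between the two fingerprints means the HTTP copy must not be trusted, whatever the "Trust Always?" prompt would otherwise accept.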

