Mailinglist Archive: opensuse-factory (845 mails)

["Carlos E. R." <robin.listas@xxxxxxxxxxxxxx>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1



The Monday 2008-05-05 at 08:53 +0200, Stefan Dirsch wrote:

> > > Where does one find the 0x63e11d16 public key?
> > It's your first time with build service repos?
> >
> > The key is here:
> > http://download.opensuse.org/repositories/home:/coolo/openSUSE_10.3/repodata/repomd.xml.key
>
> I suggest to submit the key to pgp.mit.edu, since it's not a trivial
> task at all to figure out where to find the key. See also Bug #375087.

Having the key stored in the same place as the file it protects is 
useless, IMO.

If some attacker manages to subvert the protected file and signs 
it with another key, the attacker will have no problem at all to also 
change the public key to the new one, and the downloaded file will check 
as correct, when it has been perverted.

- -- 
Cheers,
       Carlos E. R.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.4-svn0 (GNU/Linux)

iD8DBQFIHt2qtTMYHG2NR9URAguOAJwIzkiOzXx1p69c7jk0+fwZjoMQeQCfT7tM
sDLxprO3nA7o7gSxxrk5CJg=
=JuoL
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-factory+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-factory+help@xxxxxxxxxxxx