Hello.

I wrote a simple tool that provides build-time GPG signature verification. It could remove the need for tarball contents verification while still being safe. Submit reviewers will just review changes in the spec files and patches, and especially verify that the GPG verification command is not removed without a rationale.

How it is done:

The gpg-upstream-keys package collects signatures valid for verification of particular packages' sources:

  gpg-upstream-key-*.key: Contains approved signing keys.
  gpg-upstream-keys.packages: Defines the mapping package -> signing keys

There is a tool for simple key extraction and verification and a macro for simple integration into spec files.

Prepare a new signing key before first use:

  gpg-upstream-keys-tool --verbose [--package=PACKAGE] --prepare ID

It will tell you how to edit gpg-upstream-keys.packages and gpg-upstream-keys.spec.

Usage in packages would be straightforward:

  BuildRequires: gpg-upstream-keys
  %prep
  %gpg_verify %{S:1}
  %setup -q

Note: %{S:1} is the signature, not the tarball.

Here is a proof of concept and two upstream-signed packages:
https://build.opensuse.org/project/show?project=home%3Asbrabec%3Abranches%3A...

A simple man page is added.

Comments are welcome.

Proposed policy:
- Package updates will be straightforward, as long as the same signing key is used.
- Reviewers should pay special attention to submits that contain "-%gpg_verify" in the changes log.
- Any addition to gpg-upstream-keys should be carefully verified.
- Any change in gpg-upstream-keys would need to be double-verified.

Problems:
- How to solve key expiration? Probably accept expired keys to prevent unexpected future failures.
- How to solve key expiration extension? Probably provide a way to re-import keys by a trusted user.
- How to solve key revocation? Probably extend the tool to not accept revoked keys. But later it is a complicated task: not only would the keys package need an update, but also all packages that contain revoked signatures would need an update, otherwise the build fails. On the other hand, keeping the key in the ring is a security risk: the previous version's signature from before the revocation time may be OK, but the next version may be malicious. (And GPG does not implement trusted time stamps.)

I did not find a way to prevent the following warning:

  gpg: WARNING: Using untrusted key!

(I do not want to use the web of trust, but instead fully trust all keys in the locally stored read-only keyring.)

-- 
Best Regards / S pozdravem,

Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                 e-mail: sbrabec@suse.cz
Lihovarská 1060/12                   tel: +49 911 7405384547
190 00 Praha 9                       fax: +420 284 028 951
Czech Republic                       http://www.suse.cz/
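What a build-time %gpg_verify could expand to, as an added example written for this page; it is not the code of the proof of concept linked above. It assumes GnuPG 2.1 or later in PATH. The gpg_verify function, the use of --trust-model always (which is what stops gpg printing "WARNING: Using untrusted key!" for keys in a fully trusted local keyring), and the handling of the REVKEYSIG/EXPKEYSIG status lines are this example's own choices; the key, keyring, stand-in tarball and signature it verifies are constructed on the fly in a temporary directory, so it runs offline.

```shell
#!/bin/sh
# Added example, not part of the gpg-upstream-keys proof of concept.
# gpg_verify is a sketch of what the %gpg_verify macro could expand to;
# selftest creates a throwaway key, keyring, "tarball" and signature in a
# temporary directory so everything runs offline.  Assumes GnuPG >= 2.1.

GPG=${GPG:-$(command -v gpg2 || command -v gpg || echo gpg)}

# gpg_verify KEYRING SIGNATURE [FILE]
#   FILE defaults to SIGNATURE with its .sig/.asc suffix stripped, matching
#   the "%gpg_verify %{S:1}" usage where %{S:1} is the signature.
#   Only keys in KEYRING are consulted (--no-default-keyring) and they are
#   trusted unconditionally (--trust-model always), which is also what keeps
#   gpg from printing "WARNING: Using untrusted key!".
#   The verdict comes from gpg's machine-readable status lines, not its exit
#   code alone: a good signature from an expired key still exits 0, and
#   signatures from revoked keys are refused explicitly here.
gpg_verify() {
    keyring=$1 sig=$2 file=${3:-${2%.*}} rc=0
    status=$("$GPG" --batch --no-default-keyring --keyring "$keyring" \
                    --trust-model always --status-fd 1 \
                    --verify "$sig" "$file" 2>/dev/null) || rc=$?
    case $status in
        *"[GNUPG:] REVKEYSIG "*)
            echo "gpg_verify: $file: signed with a REVOKED key, refusing" >&2
            return 1 ;;
        *"[GNUPG:] BADSIG "*)
            echo "gpg_verify: $file: BAD signature" >&2
            return 1 ;;
        *"[GNUPG:] NO_PUBKEY "*)
            echo "gpg_verify: $file: signing key is not in $keyring" >&2
            return 1 ;;
    esac
    case $status in
        *"[GNUPG:] EXPKEYSIG "*)
            # Proposed policy: accept expired keys, but say so in the build log.
            echo "gpg_verify: $file: good signature, signing key has expired" >&2 ;;
        *"[GNUPG:] GOODSIG "*)
            echo "gpg_verify: $file: good signature" >&2 ;;
        *)
            echo "gpg_verify: $file: no valid signature (gpg exit status $rc)" >&2
            return 1 ;;
    esac
}

# Builds constructed fixtures under $1 and exercises gpg_verify three ways:
# good signature, signing key missing from the keyring, tampered tarball.
# Runs in a subshell so the exported GNUPGHOME does not leak.
run_checks() (
    tmp=$1
    # Upstream side: a throwaway signing key that only lives under $tmp.
    export GNUPGHOME=$tmp/upstream
    mkdir -m 700 "$GNUPGHOME" || return 1
    "$GPG" --batch --quiet --passphrase '' --pinentry-mode loopback \
        --quick-generate-key 'Upstream Test <upstream@example.invalid>' \
        default default never >/dev/null 2>&1 || return 1
    printf 'constructed stand-in for foo-1.0.tar.xz\n' > "$tmp/foo-1.0.tar.xz"
    "$GPG" --batch --quiet --passphrase '' --pinentry-mode loopback \
        --detach-sign -o "$tmp/foo-1.0.tar.xz.sig" "$tmp/foo-1.0.tar.xz" \
        2>/dev/null || return 1
    # What a gpg-upstream-keys package would ship: just the public key.
    "$GPG" --batch --export > "$tmp/gpg-upstream-keys.gpg" || return 1
    : > "$tmp/no-keys.gpg"           # an empty keyring, for the negative test
    # Build side: a fresh, empty GNUPGHOME, so only KEYRING can satisfy gpg.
    export GNUPGHOME=$tmp/build
    mkdir -m 700 "$GNUPGHOME" || return 1
    gpg_verify "$tmp/gpg-upstream-keys.gpg" "$tmp/foo-1.0.tar.xz.sig" \
        2>/dev/null || return 1
    if gpg_verify "$tmp/no-keys.gpg" "$tmp/foo-1.0.tar.xz.sig" 2>/dev/null; then
        return 1                     # a key outside the keyring must not pass
    fi
    printf 'tampered\n' >> "$tmp/foo-1.0.tar.xz"
    if gpg_verify "$tmp/gpg-upstream-keys.gpg" "$tmp/foo-1.0.tar.xz.sig" \
        2>/dev/null; then
        return 1                     # a modified tarball must not pass
    fi
    return 0
)

# Prints "ok" when all checks behave, "FAIL" otherwise, "skip" without gpg.
selftest() {
    command -v "$GPG" >/dev/null 2>&1 || { echo skip; return 0; }
    tmp=$(mktemp -d) || { echo FAIL; return 0; }
    if run_checks "$tmp"; then result=ok; else result=FAIL; fi
    GNUPGHOME=$tmp/upstream gpgconf --kill gpg-agent >/dev/null 2>&1 || true
    rm -rf "$tmp"
    echo "$result"
}

selftest
```

In a spec file the macro would call gpg_verify with the read-only keyring installed by gpg-upstream-keys as KEYRING and %{S:1} as SIGNATURE; the tarball name is derived from the signature name. Deciding on the status lines (REVKEYSIG, EXPKEYSIG, GOODSIG, BADSIG, NO_PUBKEY) instead of the exit code is what lets the build refuse revoked keys while still tolerating, and logging, expired ones.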