On Friday, March 14, 2014 08:48:20 Adrian Schröter wrote:
On Friday, 14 March 2014, 15:41:34, Jason wrote:
On Friday, March 14, 2014 08:17:23 Marcus Meissner wrote: ...
The trust concept we currently use does not include the RPM embedded GPG signatures themselves, although they are usually signed by the same key as repomd.xml.
Ciao, Marcus
Doesn't this actually leave the possibility of a server-side compromise? If an attacker signs with his key, or no key, will the package be installed?
Not with zypp at least, since you would need to re-generate and re-sign the rpm-md metadata (or the susetag style metadata for product repos).
Fail at comprehension :) Thank you.

FWIW, I'd prefer for zypper to:

1. Halt with a warning when the digest check fails (i.e. no options to be dealt with).
2. Not install the package if the key does not match.

I do understand the process more or less now; thank you, gentlemen, for explaining it to me, so I see how this is the _least_ possible issue.

And as for the server side, use separate keys for package signing and repo signing. In case the repo key is compromised (again, very unlikely) you'd have to consider the whole repo to be compromised (unless you find in the logs which packages have changed, but it would at least stop the packages from installing).

I'm probably off by a margin, so pardon my ignorance.

Kind regards,
Jason

--
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-security+owner@opensuse.org
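The chain Marcus and Adrian describe (a signed repomd.xml vouches for the rpm-md metadata, and the metadata's digests vouch for the packages) and the "halt on digest mismatch" behaviour Jason asks for, as an added example that is not code from the thread or from zypp itself; the primary.xml fragment, package bytes and location path are constructed for the example, and the GPG check on repomd.xml is assumed to have already passed.

```python
import hashlib
import xml.etree.ElementTree as ET

# Namespace used by rpm-md primary.xml
NS = {"c": "http://linux.duke.edu/metadata/common"}

# Constructed stand-ins: fake package bytes (not a real rpm) and a minimal
# primary.xml listing them. In a real repo, primary.xml's own digest is listed
# in repomd.xml, which carries the detached GPG signature that zypp verifies.
PKG_HREF = "x86_64/example-1.0-1.x86_64.rpm"   # constructed path
PKG_DATA = b"constructed package bytes, not a real rpm\n"
PKG_SHA256 = hashlib.sha256(PKG_DATA).hexdigest()
PRIMARY_XML = f"""<metadata xmlns="http://linux.duke.edu/metadata/common" packages="1">
  <package type="rpm">
    <name>example</name>
    <checksum type="sha256" pkgid="YES">{PKG_SHA256}</checksum>
    <location href="{PKG_HREF}"/>
  </package>
</metadata>
"""


class DigestMismatch(Exception):
    """Raised when a downloaded package does not match the signed metadata."""


def parse_checksums(primary_xml: str) -> dict:
    """Map each package's location href to (checksum type, hex digest)."""
    root = ET.fromstring(primary_xml)
    out = {}
    for pkg in root.findall("c:package", NS):
        href = pkg.find("c:location", NS).get("href")
        cs = pkg.find("c:checksum", NS)
        out[href] = (cs.get("type"), cs.text.strip())
    return out


def verify_package(href: str, data: bytes, checksums: dict) -> bool:
    """Check downloaded bytes against the metadata digest; halt on mismatch.

    Because the metadata is what the repo signature covers, a package whose
    bytes were swapped on the server fails here even without an embedded
    RPM signature check. Raising, rather than returning False, mirrors
    'halt with a warning, no options'.
    """
    if href not in checksums:
        raise DigestMismatch(f"{href} is not listed in the signed metadata")
    algo, expected = checksums[href]
    actual = hashlib.new(algo, data).hexdigest()
    if actual != expected:
        raise DigestMismatch(f"{href}: expected {expected}, got {actual}")
    return True
```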