Re: [opensuse] gpg-pubkeys missing 'Distribution'
  • From: Marcus Meissner <meissner@xxxxxxx>
  • Date: Mon, 8 Jun 2009 00:14:33 +0200
  • Message-id: <20090607221432.GA6806@xxxxxxx>
On Sun, Jun 07, 2009 at 02:08:02PM -0700, Linda Walsh wrote:

I was looking at the distro's and 'arch's for packages installed on one of
my systems. The system started out as a '32bit', i586-based system, but
was upgraded to x86_64 later in life.

To check that I have no old-arch packages, I printed out dist's and arch's
using:

rpm -qa --qf '%-25{distribution} (%{arch}) : %{n}-%{V}-%{R}\n'

Only one package had a 'binary' (not 'noarch') arch "mismatch" --
a package left over from 10.2:
openSUSE 10.2 (i686) (i686) : db-4.4.20-16

No...that's not a 'double-arch' printing -- it's a pre-11.1 "bug" where
some packages contained an 'arch' string embedded in the distribution name.

Most of the 'arch's agree (sorta) and make no diff, like:

openSUSE 10.2 (X86-64) (x86_64) : nttcp-1.47-151
openSUSE 10.3 (X86-64) (x86_64) : apcupsd-3.14.1-33
openSUSE 11.0 (X86-64) (x86_64) : acpiw-0.75-574.1

(i.e. 10.2, 10.3 and 11.0 had packages with an 'almost correct', but
'bogus' 'arch' embedded in the distribution name ("X86-64" != "x86_64").

A few had mismatching, confused values, mostly fonts/cursors:
openSUSE 10.2 (i586) (noarch) : agfa-fonts-2003.03.19-51
openSUSE 11.0 (i586) (noarch) : Crystalcursors-0.5-197.1
openSUSE 11.0 (i586) (noarch) : bitstream-vera-1.10-278.1

Some script-lang packages, like:
openSUSE 10.3 (i586) (noarch) : yast2-devtools-2.15.9-6
openSUSE 11.0 (i586) (noarch) : bootchart-0.9-221.1

But this is a weird one (as it is inconsistent, but better than
the others that it is inconsistent with):
openSUSE 11.0 (i586) (noarch) : suse-build-key-1.0-855.1

It's a build key -- but is it only for signing i586 packages? Not sure
what was meant, but among "keys", it's the only one with ANY sort of
indication of what "Distribution" it was 'for', or was valid for signing.

The other 'gpg' keys all have NO dist and, using the above-mentioned
rpm query, print out as:
(none) ((none)) : gpg-pubkey-0dfb3188-41ed929b
(none) ((none)) : gpg-pubkey-307e3d54-44201d5d
(none) ((none)) : gpg-pubkey-307e3d54-481f30aa
(none) ((none)) : gpg-pubkey-3d25d3d9-36e12d04
(none) ((none)) : gpg-pubkey-3dbdc284-49144c3f
(none) ((none)) : gpg-pubkey-56b4177a-47965b33
(none) ((none)) : gpg-pubkey-7e2e3b05-44748aba
(none) ((none)) : gpg-pubkey-7e2e3b05-4816488f
(none) ((none)) : gpg-pubkey-9c800aca-40d8063e
(none) ((none)) : gpg-pubkey-9c800aca-481f343a
(none) ((none)) : gpg-pubkey-a1912208-446a0899

--------

So how do I tell what distro's the keys are good for signing?
How do I tell which are for old 'distro's, that I no longer want
to have enabled for "signed" installing? I.e. I might like rpm tell me
that 'old-distro rpms', aren't signed with the "latest", released,
Distro key(s). Why would I have so many keys installed? I think
the first distribution installed on here was 10.2(i586), upgraded
'arch' (w/10.2(x86_64)), 10.3, 11.0 and now, 11.1.

Theoretically, one could have 1 signing key/distribution (1 key being good
for all archs), so I could have as few as 4 keys if things were 'optimal',
or 5 keys if they signed different binary archs separately.
But why 11 keys? Maybe oss vs. non-oss packages? That would yield
8 or 10 (presuming I had non-oss packages installed from each of my
4 distros (or 5 binary distros)). Whatever...

The point is -- how can one tell if the keys don't say what Distribution
they were shipped with?

gpg-pubkey are virtual RPM objects (GPG keys) already imported.

They lack most RPM information. Once they are imported to RPM, they stay.

It's pointless, I believe to attempt to go back and issue patches for
all the pre-11.2 signing key packages so the distro-names would be
included, but would it be a good idea (and possible) to include
the distributions in 11.2 (and beyond?)

The ones used by openSUSE itself are contained in the (real)
openSUSE-build-key (before 11.1 it was suse-build-key) RPM.
They also live in the /usr/lib/rpm/gnupg/pubring.gpg keyring file.

/usr/lib/rpm/gnupg/pubring.gpg
------------------------------
pub 2048R/3D25D3D9 1999-03-06
uid SuSE Security Team <security@xxxxxxx>

pub 1024D/0DFB3188 2005-01-18
uid Open Enterprise Server <support@xxxxxxxxxx>

pub 4096R/A1912208 2006-05-16
uid Novell Provo Build (Contact security@xxxxxxxxxx)
<novell-provo-build@xxxxxxxxxx>

pub 1024R/307E3D54 2006-03-21 [verfällt: 2010-05-05]
uid SuSE Package Signing Key <build@xxxxxxx>

pub 1024D/7E2E3B05 2006-05-24 [verfällt: 2010-05-24]
uid Novell Provo Build (Contact security@xxxxxxxxxx)
<novell-provo-build@xxxxxxxxxx>

pub 1024D/9C800ACA 2000-10-19 [verfällt: 2010-05-05]
uid SuSE Package Signing Key <build@xxxxxxx>
sub 2048g/8495160C 2000-10-19 [verfällt: 2010-05-05]

pub 1024D/56B4177A 2008-01-22 [verfällt: 2010-04-01]
uid openSUSE:Factory OBS Project
<openSUSE:Factory@xxxxxxxxxxxxxxxxxx>

pub 2048R/3DBDC284 2008-11-07 [verfällt: 2010-11-07]
uid openSUSE Project Signing Key <opensuse@xxxxxxxxxxxx>

Ciao, Marcus
--
To unsubscribe, e-mail: opensuse+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse+help@xxxxxxxxxxxx
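Since the gpg-pubkey entries carry no Distribution tag, the practical way to answer the question in the thread is to go the other way round: every signed package in the RPM database records the key ID it was signed with, so you can map each imported key to the distributions of the packages it actually signed, spot imported keys that sign nothing you have installed (candidates for removal), and spot keys that signed installed packages but are not imported (those are the ones `rpm --checksig` reports as NOKEY). The script below is an added example, not code from the thread or from openSUSE; it assumes the query shape shown in its docstring (rpm's `pgpsig` formatter ends in `Key ID <hex>`; DSA signatures sit in the SIGGPG tag and RSA signatures in SIGPGP on rpm of that era) and runs on constructed sample output whose key IDs are copied from the thread but whose package names, dates and 64-bit key IDs are made up.

```python
"""Map each gpg-pubkey entry in the RPM database to the distributions of the
installed packages it signed.  Added example, not from the thread.

Assumed query (one record per line, fields separated by '|'):

  rpm -qa --qf '%{N}-%{V}-%{R}|%{DISTRIBUTION}|%{ARCH}|%{SIGGPG:pgpsig}|%{SIGPGP:pgpsig}\n'

Unsigned packages and the gpg-pubkey pseudo-packages print '(none)' in the
signature fields.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# pgpsig output looks like "DSA/SHA1, <date>, Key ID a1b2c3d4e5f60718"
KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})\s*$")
# rpm names imported keys gpg-pubkey-<low 32 bits of key id>-<hex self-sig time>
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})$")

# Constructed sample: short key ids taken from the thread, everything else made up.
SAMPLE_QUERY_OUTPUT = """\
gpg-pubkey-9c800aca-40d8063e|(none)|(none)|(none)|(none)
gpg-pubkey-9c800aca-481f343a|(none)|(none)|(none)|(none)
gpg-pubkey-3dbdc284-49144c3f|(none)|(none)|(none)|(none)
gpg-pubkey-0dfb3188-41ed929b|(none)|(none)|(none)|(none)
db-4.4.20-16|openSUSE 10.2 (i686)|i686|DSA/SHA1, Thu 01 Jan 2009 10:00:00 UTC, Key ID 000000009c800aca|(none)
nttcp-1.47-151|openSUSE 10.2 (X86-64)|x86_64|DSA/SHA1, Thu 01 Jan 2009 10:05:00 UTC, Key ID 000000009c800aca|(none)
acpiw-0.75-574.1|openSUSE 11.1|x86_64|(none)|RSA/SHA1, Tue 02 Jun 2009 08:15:00 UTC, Key ID 000000003dbdc284
factorytest-0.1-1.1|openSUSE Factory|x86_64|DSA/SHA1, Wed 03 Jun 2009 09:00:00 UTC, Key ID 0000000056b4177a|(none)
localbuild-1.0-1|(none)|x86_64|(none)|(none)
"""


def short_keyid(pgpsig):
    """Low 32 bits of the signing key id, lowercase, or None for '(none)'."""
    m = KEYID_RE.search(pgpsig)
    return m.group(1)[-8:].lower() if m else None


def pubkey_date(version):
    """Decode the hex version of a gpg-pubkey name (a Unix timestamp from the
    key's self-signature) into a UTC date string."""
    return datetime.fromtimestamp(int(version, 16), timezone.utc).strftime("%Y-%m-%d")


def audit(query_output):
    """Parse the query lines.  Returns (keys, unsigned) where
    keys[short_id] = {"imported": [gpg-pubkey names], "signed": {distribution: count}}
    and unsigned lists the NVRs of packages carrying no signature at all."""
    keys = defaultdict(lambda: {"imported": [], "signed": defaultdict(int)})
    unsigned = []
    for line in query_output.splitlines():
        if not line.strip():
            continue
        nvr, dist, _arch, siggpg, sigpgp = line.split("|", 4)
        m = PUBKEY_RE.match(nvr)
        if m:                                   # an imported key, not a real package
            keys[m.group(1)]["imported"].append(nvr)
            continue
        kid = short_keyid(siggpg) or short_keyid(sigpgp)
        if kid is None:
            unsigned.append(nvr)
        else:
            keys[kid]["signed"][dist] += 1
    return keys, unsigned


def unused_keys(keys):
    """Imported keys that signed none of the installed packages."""
    return sorted(k for k, v in keys.items() if v["imported"] and not v["signed"])


def missing_keys(keys):
    """Keys that signed installed packages but are not imported (NOKEY on --checksig)."""
    return sorted(k for k, v in keys.items() if v["signed"] and not v["imported"])


def report(query_output):
    """Human-readable summary of audit()."""
    keys, unsigned = audit(query_output)
    out = []
    for kid in sorted(keys):
        v = keys[kid]
        entries = ", ".join(f"{n} (self-sig {pubkey_date(n.split('-')[3])})"
                            for n in v["imported"]) or "not imported"
        dists = "; ".join(f"{d}: {c} pkg(s)" for d, c in sorted(v["signed"].items())) \
            or "signs no installed package"
        out.append(f"{kid}: {entries} -> {dists}")
    out.append(f"unsigned packages: {', '.join(unsigned) or 'none'}")
    out.append(f"imported keys signing nothing installed: {', '.join(unused_keys(keys)) or 'none'}")
    out.append(f"keys used by installed packages but not imported: {', '.join(missing_keys(keys)) or 'none'}")
    return "\n".join(out)


if __name__ == "__main__":
    print(report(SAMPLE_QUERY_OUTPUT))
```

Two entries with the same short id and different version, such as gpg-pubkey-9c800aca-40d8063e and gpg-pubkey-9c800aca-481f343a from the thread, are the same key imported twice after its self-signature (and expiry) was refreshed; decoding the second field shows when that happened, which is usually enough to decide which of the duplicates is the stale one. A key listed as signing nothing you have installed can be dropped with `rpm -e gpg-pubkey-<id>-<version>` and re-imported later if a repository needs it.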
