[opensuse] Re: gpg-pubkeys missing 'Distribution'
  • From: Linda Walsh <suse@xxxxxxxxx>
  • Date: Sun, 07 Jun 2009 15:05:23 -0700
  • Message-id: <4A2C39A3.9000603@xxxxxxxxx>
Anders Johansson wrote:
> There are only two suse keys in total. The suse "build" key
> (build@xxxxxxx) and the security key (security@xxxxxxx)
>
> They are used for all distributions, until they expire, at which time they get an update. The current one will expire in May 2010, if I read correctly
>
> The other keys you have could be various other repository keys. Each build service repository has its own key
So any mirror would have its own key?

> , packman has its key and so on.
Packman? Is that the build service? Or???

> You can find out what each key is for with "rpm -qi". For example, here is the output for the suse security key:
Not helpful in my case. The summaries and Dates of my keys don't
tell me where they came from. I have 5 keys dated ~3am Jan 20, 2007,
and 4 keys dated Jun 7, 2009.

The 11 summaries consist of one of 6 output strings:
----- ------
3 gpg(Novell Provo Build (Contact security@xxxxxxxxxx) \
1 gpg(Open Enterprise Server <support@xxxxxxxxxx>)
4 gpg(SuSE Package Signing Key <build@xxxxxxx>)
1 gpg(SuSE Security Team <security@xxxxxxx>)
1 gpg(openSUSE Project Signing Key <opensuse@xxxxxxxxxxxx>)
1 gpg(openSUSE:Factory OBS Project \

I see 2 summaries indicating "security@", but the first (with 3 separate keys having the same summary line) is confusing, as it gives a secondary
email addr: "novell-provo-build@". So is that a build or a security
key? The domains are different as well, "|".

Then I have 4 separate keys for "build@xxxxxxx" -- should I only have one?

Then one for support, opensuse (perhaps pre-factory work?), but then
another "build" key: "openSUSE:Factory@xxxxxxxxxxxxxxxxxx".

So where would I have installed the other keys from? (besides
build@xxxxxxx & security@xxxxxxx)?

And why do I have multiple copies of the <build|security>
and build@xxxxxxx keys? If they are from mirror sites, would it be
a major problem if the summary or build-host indicated the host it
came from (FQDN, not localhost)?

Having keys is excellent, but if I have duplicates and don't know
one from another or where they came from, I can't really know what
packages were signed against what key (all I likely would know is that
they installed with one of the above keys, but that doesn't tell me
if one of those 'build' keys was from: ""...
or where...?

Isn't it possible if a mirror site were hacked, someone could also
install their own hacked 'gpg' key, with the same summary?
Theoretically, that is...not that it is likely to happen...
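One way to see past the summary line, as an added example that is not part of this thread: rpm stores each imported key as a gpg-pubkey package whose VERSION is the low 32 bits of the key id and whose RELEASE is the key's creation time as a hex Unix timestamp, so grouping entries by summary and comparing key ids shows whether several entries with the same user id are really the same key or distinct keys. The sample query output below is constructed (key ids and timestamps invented, addresses masked as in the thread).

```python
import subprocess
from collections import defaultdict
from datetime import datetime, timezone

# VERSION = low 32 bits of the key id, RELEASE = key creation time (hex epoch),
# INSTALLTIME = when this host imported it, SUMMARY = the user id rpm -qi shows.
QUERY_FORMAT = "%{VERSION}\t%{RELEASE}\t%{INSTALLTIME}\t%{SUMMARY}\n"

# Constructed sample output; the third line repeats the first key exactly,
# while the second is a different key carrying the same summary.
SAMPLE_OUTPUT = (
    "0a0a0a0a\t45b1c2d3\t1169290800\tgpg(SuSE Package Signing Key <build@xxxxxxx>)\n"
    "0b0b0b0b\t4a2c0000\t1244412000\tgpg(SuSE Package Signing Key <build@xxxxxxx>)\n"
    "0a0a0a0a\t45b1c2d3\t1244412000\tgpg(SuSE Package Signing Key <build@xxxxxxx>)\n"
    "0c0c0c0c\t45b1c2d3\t1169290800\tgpg(SuSE Security Team <security@xxxxxxx>)\n"
)

def parse_keys(output):
    """Turn query output into records; 'created' comes from the key itself,
    'installed' only says when this host imported it."""
    keys = []
    for line in output.splitlines():
        keyid, release, installed, summary = line.split("\t", 3)
        keys.append({
            "keyid": keyid.lower(),
            "created": datetime.fromtimestamp(int(release, 16), timezone.utc),
            "installed": datetime.fromtimestamp(int(installed), timezone.utc),
            "summary": summary,
        })
    return keys

def keys_by_summary(keys):
    """Map each summary to the set of distinct key ids behind it."""
    by_summary = defaultdict(set)
    for k in keys:
        by_summary[k["summary"]].add(k["keyid"])
    return dict(by_summary)

def ambiguous_summaries(keys):
    """Summaries backed by more than one key id: a rotated key or a key from
    another source sharing a user id, not merely a repeated rpmdb entry."""
    return {s: sorted(ids) for s, ids in keys_by_summary(keys).items() if len(ids) > 1}

def installed_keys():
    """Query the live rpm database (not exercised by the sample)."""
    out = subprocess.run(["rpm", "-q", "gpg-pubkey", "--qf", QUERY_FORMAT],
                         check=True, capture_output=True, text=True).stdout
    return parse_keys(out)

if __name__ == "__main__":
    for summary, ids in ambiguous_summaries(installed_keys()).items():
        print(f"{summary}: {len(ids)} distinct keys {ids}; check each key's "
              "fingerprint against the vendor's published one")
```

Entries that share a summary and a key id are just duplicate rpmdb records; a second key id under a familiar summary is what deserves a fingerprint check.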
