Re: [opensuse] Re: gpg-pubkeys missing 'Distribution'
  • From: Anders Johansson <ajohansson@xxxxxxx>
  • Date: Mon, 8 Jun 2009 00:32:42 +0200
  • Message-id: <200906080032.42335.ajohansson@xxxxxxx>
On Monday 08 June 2009 00:05:23 Linda Walsh wrote:
> Anders Johansson wrote:
> > There are only two suse keys in total. the suse "build" key
> > (build@xxxxxxx) and the security key (security@xxxxxxx)
> >
> > They are used for all distributions, until they expire, at which
> > time they get an update. The current one will expire in May 2010,
> > if I read correctly
> >
> > The other keys you have could be various other repository keys.
> > Each build service repository has its own key

> ----
> So any mirror would have its own key?

No, the mirrors have the same files (and consequently the same keys) as the
original. I mean each "original" repository.

> > , packman has its key and so on.

> ---
> packman? is that the build service? or???

No, the build service is at http://download.opensuse.org/repositories.

packman is separate. It is at http://packman.links2linux.org

> > You can find out what each key is for with "rpm -qi". For example,
> > here is the output for the suse security key:

> ---
> Not helpful in my case. The summaries and Dates of my keys don't
> tell me where they came from. I have 5 keys dated ~3am Jan 20, 2007,
> and 4 keys dated Jun 7, 2009.
>
> The 11 summaries consist of 1 of 6 output strings:
> COUNT STRING
> ----- ------
> 3 gpg(Novell Provo Build (Contact security@xxxxxxxxxx) \
> <novell-provo-build@xxxxxxxxxx>)

This is the equivalent of the suse build key for Novell OES packages.

> 1 gpg(Open Enterprise Server <support@xxxxxxxxxx>)

Embarrassingly enough, I'm not entirely sure what this key is used for.

> 4 gpg(SuSE Package Signing Key <build@xxxxxxx>)
> 1 gpg(SuSE Security Team <security@xxxxxxx>)

Mentioned earlier, these are the standard suse keys

> 1 gpg(openSUSE Project Signing Key <opensuse@xxxxxxxxxxxx>)

An opensuse key. Again, not really sure what it's used for

> 1 gpg(openSUSE:Factory OBS Project \
> <openSUSE:Factory@xxxxxxxxxxxxxxxxxx>)

This is a repository key, I mentioned these before. This happens to be for
opensuse Factory (the repository of what will one day become the next opensuse
version).

> -----
>
> I see 2 summaries indicating "security@", but the first (with 3 separate
> keys having the same summary line), is confusing, as it gives a 2ndary
> email addr: "novell-provo-build@". So is that a build or a security
> key? The domains are different as well, "@novell.com|@suse.de".
>
> Then I have 4 separate keys for "build@xxxxxxx" -- should I only have one?

Normally you would. My guess is that the other ones are older and expired.

> Isn't it possible if a mirror site were hacked, someone could also
> install their own hacked 'gpg' key, with the same summary?
> Theoretically, that is...not that it is likely to happen...

Sure it's possible. The keys are just files in the directory structure. But
when the system wants to install a key, it will never do so automatically. It
always requests confirmation from you (the exception is when you're performing
the original install, or a version upgrade). When you get such a question, you
shouldn't just blindly click "yes - import the key and trust it" without doing
something to verify that the key is indeed correct.

The normal package managers will refuse to install packages with bad
signatures (meaning packages not signed with keys already imported by you).
This means that a rogue key can't be installed by a non-trusted package (at
least not without a manual override by you)

If you come across a third party package manager which ignores key violations,
never use it

Anders
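An added example, written for this page rather than taken from the thread, of the check Anders describes: because the summary rpm shows for a gpg-pubkey package is only the key's user-id string, group the installed keys by summary and compare the key ids in the package names instead. The listing and key ids below are constructed samples; the rpm query format in the comment is what would produce such a listing on a real system.

```shell
#!/bin/sh
# Added example, not from the thread.  rpm stores imported keys as packages
# named gpg-pubkey-<keyid>-<creation time, hex>, and the "summary" shown by
# rpm -qi is only the key's user-id string.  Two different keys can carry an
# identical summary, so the summary never identifies a key; the key id does.

# On a real system the listing would come from:
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}|%{SUMMARY}\n'
# This is a constructed sample (fake key ids) so the script runs offline.
sample_key_listing() {
    cat <<'EOF'
gpg-pubkey-aaaaaaaa-45b1f0a1|gpg(SuSE Package Signing Key <build@suse.de>)
gpg-pubkey-bbbbbbbb-45b1f0a1|gpg(SuSE Package Signing Key <build@suse.de>)
gpg-pubkey-cccccccc-4a2bcd01|gpg(SuSE Security Team <security@suse.de>)
gpg-pubkey-dddddddd-4a2bcd02|gpg(openSUSE Project Signing Key <opensuse@opensuse.org>)
EOF
}

# Read "<package>|<summary>" lines on stdin and print "<count>|<summary>"
# for every summary shared by more than one key package.  These are the
# entries to inspect by key id rather than by name.
find_shared_summaries() {
    awk 'BEGIN { FS = "|" }
         { count[$2]++ }
         END { for (s in count) if (count[s] > 1) printf "%d|%s\n", count[s], s }' |
    sort
}

# Split a gpg-pubkey package name into the parts that actually identify
# the key: the short key id and the key creation time (hex epoch seconds).
key_identity() {
    pkg=$1
    rest=${pkg#gpg-pubkey-}        # e.g. aaaaaaaa-45b1f0a1
    keyid=${rest%%-*}               # aaaaaaaa
    created=${rest##*-}             # 45b1f0a1
    printf 'keyid=%s created=%s\n' "$keyid" "$created"
}

# Stand-alone run: summaries that more than one installed key shares.
sample_key_listing | find_shared_summaries
```

With the sample data the report names the build key summary, which two distinct key ids share; on a real host the same split between summary and key id is what tells an expired older key apart from a replacement, or from a key that merely copies the expected name.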
