https://bugzilla.novell.com/show_bug.cgi?id=381731 User meissner@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c1 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |security-team@suse.de AssignedTo|security-team@suse.de |coolo@novell.com --- Comment #1 from Marcus Meissner 2008-04-21 02:25:19 MST --- -> coolo -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User ro@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c3 Ruediger Oertel changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |lrupp@novell.com, mrueckert@novell.com --- Comment #3 from Ruediger Oertel 2008-04-21 09:38:38 MST --- expanding CC list, maybe an extension to make_master_cd ... -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User suse-beta@cboltz.de added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c7 Christian Boltz changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |suse-beta@cboltz.de --- Comment #7 from Christian Boltz 2008-04-22 14:37:32 MST --- (In reply to comment #4 from Stephan Kulow)

I think if we offer something like that, it needs to be done for deltas, live cds, etc.

Exactly. I'd even say that there should be a signature for every file on the openSUSE FTP server. (Except for files that already include a signature, like RPMs and repository metadata.)

So I would think twice - the SDB article is easily removed :)

Coolo, the request for having GPG signatures for all ISOs is not because Julian thinks you don't have enough work (at least I think so ;-) - it is to enhance the security. Currently, there are only MD5SUMS files for ISOs, stored in the same directory on the same server as the ISOs. This means that an attacker could upload manipulated ISO files and simply update the MD5SUMS file to make them look valid. GPG signatures would avoid this risk. (Users could even trust downloads from mirror.bundestrojaner.de ;-) BTW: Everything else (RPMs, repos) is already signed, so signing the ISOs is a missing part. And I'm quite sure that the additional workload is ways smaller (my guess: add some lines to the script that also generates the MD5SUMS file) than the work that was needed to implement signed repos ;-) -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c9 --- Comment #9 from Peter Poeml 2008-04-23 03:42:36 MST --- Although that's entirely correct, I would actually prefer individual signatures. It is less clumsy and easier to update because the images can be handled individually. There is one thing that I have in mind for the future with that: the ability of metalinks to embed such signatures. At the moment, only one downlaod client supports this, but I expect that more could do in the future. (See http://groups.google.com/group/metalink-discussion/browse_thread/thread/136e... for details and http://www.metalinker.org/Metalink_3.0_Spec.txt for the metalink spec.) The thing is, it would be trivial for us to include the signatures into the metalinks. (Metalinks include sha1sums already, and adding signatures would be good.) My point is, that any kind of automated checking will be more straightforward to do if the signature is simply a separate file named $foo.asc -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User coolo@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c11 --- Comment #11 from Stephan Kulow 2008-05-14 05:13:08 MST --- For beta2 I created SHA1SUMS and signed it all with my own key - which was very ugly as I did not find a good way to cache the passphrase for a minute ;( -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c13 --- Comment #13 from Peter Poeml 2008-06-14 05:21:04 MDT --- Can we please have something like the following? http://www.apache.org/dist/httpd/ which is * individual detached signatures in .asc files * KEYS file in the same directory It should look like this: % rsync --old-d rsync.apache.org::apache-dist/httpd/ | grep '\(KEYS\|2.2.*.tar.bz2\)' -rw-rw-r-- 324275 2008/06/03 02:55:51 KEYS -rw-rw-r-- 4799055 2008/01/17 15:58:00 httpd-2.2.8.tar.bz2 -rw-rw-r-- 186 2008/01/17 15:57:58 httpd-2.2.8.tar.bz2.asc -rw-rw-r-- 4943462 2008/06/13 15:32:46 httpd-2.2.9.tar.bz2 -rw-rw-r-- 186 2008/06/13 15:32:44 httpd-2.2.9.tar.bz2.asc (Well, there should also be *.md5 files, and they are normally also there; it seems they haven't generated them yet, as the httpd project is in the middle of a new release right now) The reason why I want indididual detached signatures is to allow for automatic verification, which is rather difficult to do with a signed SHA1SUMS file as we have now. I doubt there will be ever be a download client which would implement that. Also, we can include detached signatures into metalinks, and there is already one client which uses them for automatic verification. Please look at the KEYS file (http://www.apache.org/dist/httpd/KEYS), it contains the relevant keys ready for importing, as well as the instructions to do that, and the instructions how to verify the integrity of the files. This is very nice. We can force people to get the KEYS file and .asc files always from the origin site, and not from mirrors, by simply excluding them from our rsync modules, so that they are not mirrored. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User suse-beta@cboltz.de added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c15 --- Comment #15 from Christian Boltz 2008-06-15 10:08:40 MDT --- (In reply to comment #13 from Peter Poeml)

We can force people to get the KEYS file and .asc files always from the origin site, and not from mirrors, by simply excluding them from our rsync modules, so that they are not mirrored.

I'm not sure if this is a good idea - it might cause some confusion ("huh? where are the GPG signatures?") and problems, for example for people downloading from a mirror using rsync or FTP (they will have to start a separate download for the .asc files). OTOH, downloading the .asc files from another server is not a problem as long as people download the keys from a trusted location. If someone really changed the .asc file, gpg will warn about it. You can (and should) exclude the KEYS and .asc files from redirection on download.opensuse.org through. You should also make sure that the keys are signed by some trusted keys (like the security team key) so that users can easily check if the key is the "real" one. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User novell.com-pnt@ladisch.de added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c17 --- Comment #17 from Julian Ladisch 2008-10-07 07:41:31 MDT --- Thank you very much for providing the .asc files! I've just got openSUSE-11.1-Beta2-DVD-i386.iso via Torrent and found md5sum and sha1sum in http://download.opensuse.org/distribution/11.1-Beta2/iso/delta/ in the files MD5SUMS.of.DVDs SHA1SUMS.of.DVDs But I miss MD5SUMS.of.DVDs.asc SHA1SUMS.of.DVDs.asc Thank you again for adding secure signatures to the downloads! -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c19 --- Comment #19 from Peter Poeml 2008-10-13 17:02:37 MDT --- Is there progress on the detached signatures for the iso files? I don't see any yet. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User poeml@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c21 --- Comment #21 from Peter Poeml 2008-10-15 01:26:54 MDT --- On a related note, it would make our life much easier if the .torrent files are placed next to the respective file, and not in a separate subdirectory as it is the case now. I want to avoid hacks for this in the download infrastructure that would restrict the usefulness of our software for other projects. Detached .sha1 files would be appreciated as well, because it would be super-easy for me to add magnet (P2P) links then. But this is of lesser importance for us. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User lrupp@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c24 Lars Vogdt changed: What |Removed |Added ---------------------------------------------------------------------------- Status|ASSIGNED |NEEDINFO Info Provider| |novell.com-pnt@ladisch.de --- Comment #24 from Lars Vogdt 2008-10-19 12:46:54 MDT --- (In reply to comment #13 from Peter Poeml)

Can we please have something like the following?

http://www.apache.org/dist/httpd/

which is * individual detached signatures in .asc files * KEYS file in the same directory

What about a KEYS file that is just a HowTo like: http://httpd.apache.org/dev/verification.html and contains a link (resp. correct --recv-key option) to download the official public key? If this is ok for everyone: Can someone please write a good HowTo based on the URL above and (at least) the first three paragraphs of http://www.apache.org/dist/httpd/KEYS - so we can delete/enhance the SDB article and place this HowTo in the KEYS file? A first proposal is here: http://en.opensuse.org/Verifying_ISO-Images - please enhance/fix/tell me your opinion. Again: I like to use this text in the "KEYS" file in our download section for ISO images. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=381731 User lrupp@novell.com added comment https://bugzilla.novell.com/show_bug.cgi?id=381731#c26 Lars Vogdt changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |RESOLVED Info Provider|poeml@novell.com | Resolution| |FIXED --- Comment #26 from Lars Vogdt 2008-10-22 13:27:47 MDT --- Thanks. I'll close this bug as the initial problem is fixed with Beta3. The enhancement of the documentation should be an ongoing process - this is something for the openSUSE wiki ( please enhance http://en.opensuse.org/Verifying_ISO-Images ) - and extending the web of trust is something for the mailinglists and also documentation (how to sign the Build key...). -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.