[Bug 1184808] New: AUDIT-0: Shipping keys via repos
http://bugzilla.opensuse.org/show_bug.cgi?id=1184808

Bug ID: 1184808
Summary: AUDIT-0: Shipping keys via repos
Classification: openSUSE
Product: openSUSE Distribution
Version: Leap 15.3
Hardware: Other
OS: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Security
Assignee: security-team@suse.de
Reporter: jsegitz@suse.com
QA Contact: qa-bugs@suse.de
CC: d_werner@gmx.net, guillaume.gardet@arm.com, lubos.kocman@suse.com, mlin@suse.com, ro@suse.de
Depends on: 1184326
Found By: ---
Blocker: ---

+++ This bug was initially created as a clone of Bug #1184326 +++

Details are in the original bug. Copy paste from Michael:

> I'd be happy if we now catch the momentum and get a solution for this quite common issue (a repo that wants to ship additional keys). It would IMO be a good step forward especially for 3rd parties, if they are enabled to ship their keys in a way zypp recognizes them when the repo is added.

This is an issue for Leap 15.3 because of the SLES key, but they want a more general mechanism. As this is a very sensitive topic we should review this first.

-- You are receiving this mail because: You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1184808#c16

--- Comment #16 from Michael Andres <ma@suse.com> ---

(In reply to Matthias Gerstner from comment #15)

> The text in comment 13 goes into the right direction. An additional URL reference to where SUSE specific keys can be verified would be perfect.

If there is such an URL, please let me know.
http://bugzilla.opensuse.org/show_bug.cgi?id=1184808#c18

--- Comment #18 from Michael Andres <ma@suse.com> ---

(In reply to Matthias Gerstner from comment #17)

> Sadly it looks like there is no up to date suitable public URL existing that documents our keys. Introducing one will probably take a longer time and the question also is who would be responsible for creating it and maintaining it.

I don't know who is the MASTER of our keys (but I hope there is one). IMO the one/team who owns a private key should somehow track it on a public page. Doesn't SUSE/openSUSE have something like https://getfedora.org/security/ ?
http://bugzilla.opensuse.org/show_bug.cgi?id=1184808#c19

--- Comment #19 from Michael Andres <ma@suse.com> ---

(Don't know if the openSUSE wiki would be an appropriate place for the SLES stuff.)
http://bugzilla.opensuse.org/show_bug.cgi?id=1184808#c20

--- Comment #20 from Dirk Weber <d_werner@gmx.net> ---

Just a suggestion - I do not know if this only makes it more complicated: PGP/gpg is about the web of trust. Would it be possible and make sense that the openSUSE package signing key signs (= trusts) the SUSE package signing key, and then the SUSE key would automatically be imported as trusted on openSUSE?
http://bugzilla.opensuse.org/show_bug.cgi?id=1184808#c21

--- Comment #21 from Michael Andres <ma@suse.com> ---

(In reply to Dirk Weber from comment #20)

> Would it be possible and make sense that the openSUSE package signing key signs (= trusts) the SUSE package signing key, and then the SUSE key would automatically be imported as trusted on openSUSE?

Basically yes, but not as a 'quick' fix now. We're already working on a 'zypper keys' command to support viewing and managing the trusted keys. Once we have a better tool to inspect and manipulate the keys, we can think about automatism. Otherwise unwanted results or misbehavior are hard to detect and fix. Whatever automatism we offer, it needs to be configurable, and the sane default is 'none'. The requests/ideas so far contain a 'configurable list of fingerprints that may be autoimported'. A transitive trust, as you suggested, also fits in there. But IMO one wants to define which keys are allowed to auto-import keys by signing them.
http://bugzilla.opensuse.org/show_bug.cgi?id=1184808#c24

Michael Andres <ma@suse.com> changed:

What    | Removed | Added
--------|---------|---------------------
Flags   |         | needinfo?(ro@suse.com)

--- Comment #24 from Michael Andres <ma@suse.com> ---

(In reply to Ruediger Oertel from comment #5)

> If we want to add this, tell me. To keep the thought:
>
> gpg --with-colons --import-options show-only --import --fingerprint < gpg-pubkey-b04a477b-5d2d7480 2>/dev/null | grep ^fpr | cut -d: -f10

@Rudi: It won't hurt to add this, even if the full fingerprint is optional.

gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284
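Comment 21 asks for a configurable list of fingerprints that may be auto-imported, and comment 24 settles on carrying the full fingerprint in the key URL's `fpr=` parameter. The following Python script is an added example written for this page, not code from zypp, libzypp or the bug itself. It shows the check a repo tool could run before trusting a key a repository ships: compute the v4 OpenPGP fingerprint from the downloaded key data itself (SHA-1 over 0x99, the two-byte packet length and the Public-Key packet body, RFC 4880 section 12.2), compare it with the `fpr=` value in the URL, and accept only if the result is on an administrator-maintained allowlist, so that neither the URL nor the key file alone can vouch for itself. The key in the block is a synthetic, non-functional RSA key constructed inline; the allowlist, URL, function names and the `(ok, reason)` return convention are assumptions of this example.

```python
import base64
import hashlib
from typing import Iterator, Optional, Tuple
from urllib.parse import parse_qs, urlparse

# Administrator-maintained allowlist of fingerprints that may be auto-imported
# (constructed for this example; the value is the one quoted in comment 24).
ALLOWED_FPRS = {"22C07BA534178CD02EFE22AAB88B2FD43DBDC284"}


def dearmor(armored: str) -> bytes:
    """Strip an ASCII-armored OpenPGP block down to its binary packets."""
    body, in_body = [], False
    for line in armored.strip().splitlines():
        if line.startswith("-----BEGIN PGP"):
            in_body = True
            continue
        if line.startswith("-----END PGP"):
            break
        if not in_body or line.strip() == "":
            continue
        if ":" in line and not body:   # armor header such as "Version: ..."
            continue
        if line.startswith("="):       # trailing CRC-24 line
            continue
        body.append(line.strip())
    return base64.b64decode("".join(body))


def iter_packets(data: bytes) -> Iterator[Tuple[int, bytes]]:
    """Yield (tag, body) for each OpenPGP packet (RFC 4880 section 4.2)."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if not ctb & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if ctb & 0x40:                               # new-format header
            tag, first = ctb & 0x3F, data[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + data[i + 2] + 192, 3
            elif first == 255:
                length, hdr = int.from_bytes(data[i + 2:i + 6], "big"), 6
            else:
                raise ValueError("partial body lengths not supported")
        else:                                        # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nlen = 1 << ltype                        # 1, 2 or 4 length octets
            length = int.from_bytes(data[i + 1:i + 1 + nlen], "big")
            hdr = 1 + nlen
        yield tag, data[i + hdr:i + hdr + length]
        i += hdr + length


def v4_fingerprint(pubkey_body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, two-octet body length, then the body."""
    if pubkey_body[0] != 4:
        raise ValueError("only version 4 keys are supported here")
    prefix = b"\x99" + len(pubkey_body).to_bytes(2, "big")
    return hashlib.sha1(prefix + pubkey_body).hexdigest().upper()


def key_fingerprint(armored: str) -> str:
    """Fingerprint of the primary key: the first Public-Key packet (tag 6)."""
    for tag, body in iter_packets(dearmor(armored)):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no Public-Key packet found")


def fpr_from_url(url: str) -> Optional[str]:
    """Fingerprint claimed by the repo via the ?fpr= parameter, if any."""
    values = parse_qs(urlparse(url).query).get("fpr")
    return values[0].upper() if values else None


def may_auto_import(key_url: str, armored: str, allowed=ALLOWED_FPRS) -> Tuple[bool, str]:
    """Decide whether a shipped key may be imported without asking the user."""
    actual = key_fingerprint(armored)
    claimed = fpr_from_url(key_url)
    if claimed is not None and claimed != actual:
        return False, "fingerprint in URL does not match key"
    if actual not in allowed:
        return False, "fingerprint not in allowlist"
    return True, actual


def make_test_key() -> str:
    """Constructed, non-functional v4 RSA public key wrapped in ASCII armor."""
    def mpi(x: int) -> bytes:
        return x.bit_length().to_bytes(2, "big") + x.to_bytes((x.bit_length() + 7) // 8, "big")
    n, e = (1 << 1023) | 1, 65537                   # stand-in values, not a real key
    body = b"\x04" + (0).to_bytes(4, "big") + b"\x01" + mpi(n) + mpi(e)
    packet = b"\x99" + len(body).to_bytes(2, "big") + body   # old-format tag 6
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines) + "\n-----END PGP PUBLIC KEY BLOCK-----\n"


if __name__ == "__main__":
    key = make_test_key()
    fpr = key_fingerprint(key)
    print(may_auto_import("https://repo.example.invalid/key.asc?fpr=" + fpr, key, {fpr}))
```

The same parsing also works on a real `gpg --export --armor` output; the point of recomputing the fingerprint rather than reading `fpr=` is that a mismatch between the URL and the key file is exactly the case a tool must refuse, and a key whose fingerprint is not on the local allowlist still falls back to the existing interactive prompt.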
http://bugzilla.opensuse.org/show_bug.cgi?id=1184808#c25

Ruediger Oertel <ro@suse.com> changed:

What    | Removed                | Added
--------|------------------------|------
Flags   | needinfo?(ro@suse.com) |

--- Comment #25 from Ruediger Oertel <ro@suse.com> ---

Done, submitted to factory/tumbleweed and to leap-15.3.