On 2012-07-18 07:28:03 +0200, Adrian Schröter wrote:
> On Wednesday, 18 July 2012, 00:10:20, Marcus Hüwe wrote:
>> On 2012-07-17 23:14:59 +0200, Adrian Schröter wrote:
>>> <SNIP>
>>> Where do you see a security problem?
>>
>> Well it's rather an issue with the current workflow:
>> - ask user if he "trusts" the project(s)
>> - download the pubkey(s) from the api
>> - check gpg signature of the packages
>>
>> The user doesn't verify if the received pubkey is a "correct"/expected key. That is, the performed gpg check is just some kind of integrity check (we do not verify authenticity - just that the package was signed with "some" key (which is delivered by the api)).
>
> Right, but the api is verified via the SSL certificate. So you trust the server that it hands you the right key for the project.

With the same argument we can trust a "simple" hash value too :)

>> IMHO we can achieve the same by using some hash value (unless we make the workflow from above more complex). The advantage is that this works for all binary types (rpm, deb, arch).
>
> Yes, thinkable with some strong SHA key. But it will fail when it downloads noarch packages from mirrors (just one noarch package is there and thanks to Murphy always the one from the other architecture). Also packages from Export filters will be a problem then.

Ah good point - I didn't think about this :) As a fallback osc could fetch a package from the api if the hash of the downloaded package doesn't match, but this is rather ugly... I agree that a signature helps in this case :)

Marcus
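The workflow quoted above (trust prompt, pubkey fetched from the api, gpg check) accepts whatever key the api returns, which is the integrity-only problem Marcus raises. As an added example that is not part of this thread and not osc's code, here is one way to turn the trust prompt into a pinned key, so that a changed key is noticed before a valid signature is treated as proof of authenticity. The JSON store, the project names and the SHA-256 fingerprint are assumptions for illustration.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Optional

# Added illustration, not osc code: remember ("pin") the project signing key
# the user accepted at the "trust this project?" prompt, so a later run does
# not silently accept a different key just because the api served it. The
# SHA-256 fingerprint and the JSON store are simplifications/assumptions.

def key_fingerprint(pubkey: bytes) -> str:
    return hashlib.sha256(pubkey).hexdigest()

class TrustStore:
    """project name -> fingerprint of the key the user accepted earlier."""

    def __init__(self, path: Optional[Path] = None):
        self.path = path  # None keeps the pins in memory only
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def check_key(self, project: str, pubkey: bytes, user_trusts: bool) -> str:
        """Classify the key the api returned for `project`.
        'pinned'    first key for this project and the user said yes
        'untrusted' first key for this project but the user declined
        'ok'        the delivered key matches the pinned one
        'mismatch'  the key changed: a valid signature with it proves nothing
                    about authenticity, so the caller must refuse the package
        """
        fp = key_fingerprint(pubkey)
        pinned = self.pins.get(project)
        if pinned is None:
            if not user_trusts:
                return "untrusted"
            self.pins[project] = fp
            if self.path is not None:
                self.path.write_text(json.dumps(self.pins))
            return "pinned"
        return "ok" if pinned == fp else "mismatch"

def walkthrough() -> List[str]:
    """Constructed sample keys stand in for the api's ASCII-armoured pubkeys."""
    store = TrustStore()
    return [
        store.check_key("home:alice", b"KEY-A", user_trusts=True),   # pinned
        store.check_key("home:alice", b"KEY-A", user_trusts=False),  # ok
        store.check_key("home:alice", b"KEY-B", user_trusts=True),   # mismatch
        store.check_key("home:bob", b"KEY-C", user_trusts=False),    # untrusted
    ]
```

The gpg signature check itself stays as in the thread; this only decides whether the key the api handed over is the one the user actually agreed to trust.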