Re: [opensuse-buildservice] osc build & sign keys
Adrian Schröter <adrian@suse.de> writes:
Is there an ETA when this is going to be fixed? I depend on it, because I intended to work on the redirector this week... for which I need a functional Apache and Apache:Modules project.
actually, I am not that sure that this should be changed.
How should an external see that this package was not built by this certain project/person?
I'd rather prefer the additional (aggregated) key to be distributed via this project (aggregating the package). Does the package management support several keys in one repo?

S.
--
Susanne Oberhauser, +49-911-74053-574
SUSE -- a Novell Business, OPS Engineering, Processes and Infrastructure
Maxfeldstraße 5, Nürnberg
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On 2008-01-25 21:12:45 +0100, Susanne Oberhauser wrote:
Adrian Schröter <adrian@suse.de> writes:
Is there an ETA when this is going to be fixed? I depend on it, because I intended to work on the redirector this week... for which I need a functional Apache and Apache:Modules project.
actually, I am not that sure that this should be changed.
How should an external see that this package was not built by this certain project/person?
I'd rather prefer the additional (aggregated) key to be distributed via this project (aggregating the package).
Does the package management support several keys in one repo?
rpm does not support multiple sigs on one rpm.

darix
--
openSUSE - SUSE Linux is my linux
openSUSE is good for you
www.opensuse.org
Marcus Rueckert <darix@opensu.se> writes:
On 2008-01-25 21:12:45 +0100, Susanne Oberhauser wrote:
Adrian Schröter <adrian@suse.de> writes:
Is there an ETA when this is going to be fixed? I depend on it, because I intended to work on the redirector this week... for which I need a functional Apache and Apache:Modules project.
actually, I am not that sure that this should be changed.
How should an external see that this package was not built by this certain project/person?
I'd rather prefer the additional (aggregated) key to be distributed via this project (aggregating the package).
Does the package management support several keys in one repo?
rpm does not support multiple sigs on one rpm.
a) I wouldn't put bets on that (I think it does, maybe buggy on and off, but you can add multiple signatures and installation will succeed if one of the keys is in /bin/rpm's keyring).

b) I meant multiple keys in the _repo_, not the package, so hard links work: I propose that an aggregated repo not only aggregates the packages but also hosts all keys used to sign these packages. The project maintainer who does the aggregation claims these packages are ok. Now the Q is: is there a way that the user selects this repo and YaST imports all the keys as trusted for rpms?

But thinking through it, alternatively, as rpm does support multiple signatures on the same package, would it be ok if aggregation adds a blessing to the package and it gets dual signed in both repos? So I think the following would do the trick too:

I alternatively propose that aggregation means blessing of a package, so the package will be signed with the original repo's key as well as with the aggregating repo's key.

In addition to maintaining 'hardlinkability' I think the semantics are ok: you'd never aggregate a package that you don't trust. And the other way 'round the additional signature in the other repository won't harm, AFAICT it's sufficient to trust one of the signatures to get a package installed so the aggregating signature doesn't change anything.

S.
On 2008-01-26 09:16:55 +0100, Susanne Oberhauser wrote:
Marcus Rueckert <darix@opensu.se> writes:
rpm does not support multiple sigs on one rpm.
a) I wouldn't put bets on that (I think it does, maybe buggy on and off, but you can add multiple signatures and installation will succeed if one of the keys is in /bin/rpm's keyring).
rpm --addsign (from the manpage) "Both of the --addsign and --resign options generate and insert new signatures for each package PACKAGE_FILE given, replacing any existing signatures. There are two options for historical reasons, there is no difference in behavior currently."
But thinking through it, alternatively, as rpm does support multiple signatures on the same package, would it be ok if aggregation adds a blessing to the package and it gets dual signed in both repos? So I think the following would do the trick too:
I alternatively propose that aggregation means blessing of a package, so the package will be signed with the original repo's key as well as with the aggregating repo's key.
In addition to maintaining 'hardlinkability' I think the semantics are ok: you'd never aggregate a package that you don't trust. And the other way 'round the additional signature in the other repository won't harm, AFAICT it's sufficient to trust one of the signatures to get a package installed so the aggregating signature doesn't change anything.
I am pretty sure it does not support multiple keys.

darix
On Sat, Jan 26, 2008 at 04:58:59PM +0100, Marcus Rueckert wrote:
On 2008-01-26 09:16:55 +0100, Susanne Oberhauser wrote:
Marcus Rueckert <darix@opensu.se> writes:
rpm does not support multiple sigs on one rpm.
a) I wouldn't put bets on that (I think it does, maybe buggy on and off, but you can add multiple signatures and installation will succeed if one of the keys is in /bin/rpm's keyring).
rpm --addsign (from the manpage) "Both of the --addsign and --resign options generate and insert new signatures for each package PACKAGE_FILE given, replacing any existing signatures. There are two options for historical reasons, there is no difference in behavior currently."
The manpage is incorrect. It works again since rpm-4.4.

M.
On 2008-01-28 11:05:36 +0100, Michael Schroeder wrote:
The manpage is incorrect. It works again since rpm-4.4.
so much about RTFMing before answering!

darix
The more I think about it I believe having aggregated packages signed with several keys has the proper semantics, while providing several keys in one repo doesn't. Adding the signature 'blesses' the package for this repo, while in the original repo the additional signatures don't do any harm, do they? Adding a key would 'bless' the whole other project, which may not be what you want.

The three alternatives I see are:
1. copy the package and sign the copy
2. sign the package with several keys
3. provide several keys from one repo

I vote for #2.

S.
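The trust difference between alternatives #2 and #3 above can be made concrete in a small model. The following is an added example written for this archive page, not code from the Build Service, rpm or any of the posters. It assumes an HMAC over the package payload as a stand-in for rpm's OpenPGP signatures (so it runs with the Python standard library alone), and the project names, key secrets and package payloads are constructed. The verification rule is the one the thread states: a package installs if at least one of its signatures verifies against a key the user trusts.

```python
import hashlib
import hmac
from typing import Dict, List, Optional

# Constructed stand-in for per-project signing keys (key id -> secret).
# rpm uses OpenPGP; an HMAC over the payload stands in for the signature here.
PROJECT_KEYS: Dict[str, bytes] = {
    "Apache:Modules": b"apache-modules-secret (constructed)",
    "Aggregating:Project": b"aggregating-project-secret (constructed)",
}


def sign(secret: bytes, payload: bytes) -> str:
    """Signature over the package payload (HMAC-SHA256 stand-in for OpenPGP)."""
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def build_package(name: str, payload: bytes, signer_ids: List[str]) -> dict:
    """Package record carrying one signature per signing key.
    Alternative #2 (dual signing) is modelled by passing two signer ids."""
    return {
        "name": name,
        "payload": payload,
        "signatures": {kid: sign(PROJECT_KEYS[kid], payload) for kid in signer_ids},
    }


def trusted_signer(pkg: dict, keyring: Dict[str, bytes]) -> Optional[str]:
    """Return the id of the first trusted key whose signature verifies, else None.
    Signatures from keys the user has not imported are simply ignored, which is
    why an extra signature never makes a package uninstallable."""
    for key_id, sig in pkg["signatures"].items():
        secret = keyring.get(key_id)
        if secret is None:
            continue
        if hmac.compare_digest(sign(secret, pkg["payload"]), sig):
            return key_id
    return None


def install_allowed(pkg: dict, keyring: Dict[str, bytes]) -> bool:
    return trusted_signer(pkg, keyring) is not None


def keyring_for(*key_ids: str) -> Dict[str, bytes]:
    """A user's rpm keyring holding only the listed project keys."""
    return {kid: PROJECT_KEYS[kid] for kid in key_ids}


# Two packages from the original project: one is aggregated into the other
# project (and therefore dual-signed under alternative #2), the other is not.
AGGREGATED = build_package("apache2-mod_foo", b"mod_foo payload (constructed)",
                           ["Apache:Modules", "Aggregating:Project"])
NOT_AGGREGATED = build_package("apache2-mod_bar", b"mod_bar payload (constructed)",
                               ["Apache:Modules"])


def alternative2_outcomes() -> Dict[str, bool]:
    """#2: the aggregating project adds its own signature. A user who trusts
    only the aggregating key can install exactly the aggregated package."""
    kr = keyring_for("Aggregating:Project")
    return {
        "aggregated": install_allowed(AGGREGATED, kr),
        "not_aggregated": install_allowed(NOT_AGGREGATED, kr),
    }


def alternative3_outcomes() -> Dict[str, bool]:
    """#3: the aggregating repo ships the original project's key and the user
    imports it. Every package signed by that project now verifies, aggregated
    or not: the whole other project has been 'blessed'."""
    kr = keyring_for("Apache:Modules", "Aggregating:Project")
    return {
        "aggregated": install_allowed(AGGREGATED, kr),
        "not_aggregated": install_allowed(NOT_AGGREGATED, kr),
    }


def original_repo_unaffected() -> bool:
    """The extra signature does no harm in the original repo: a user trusting
    only the Apache:Modules key still installs the dual-signed package."""
    return install_allowed(AGGREGATED, keyring_for("Apache:Modules"))


def tampered_payload_rejected() -> bool:
    """A modified payload verifies against neither signature."""
    tampered = dict(AGGREGATED, payload=b"mod_foo payload (modified)")
    return trusted_signer(tampered, keyring_for("Apache:Modules",
                                                "Aggregating:Project")) is None


if __name__ == "__main__":
    print("alternative #2:", alternative2_outcomes())
    print("alternative #3:", alternative3_outcomes())
    print("original repo unaffected:", original_repo_unaffected())
    print("tampered rejected:", tampered_payload_rejected())
```

The model shows why the poster prefers #2: the aggregating key vouches for one package at a time, whereas importing the other project's key (as #3 requires) vouches for everything that key has ever signed. In real rpm the verification is OpenPGP rather than HMAC and the keyring is the one `rpm --import` populates, but the acceptance logic is the same any-trusted-signature rule.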
participants (3): Marcus Rueckert, Michael Schroeder, Susanne Oberhauser