[opensuse-buildservice] verifiable public keys for repositories
Hello,
I am using the Debian-packages build for ownCloud, which are available
at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.
They are only self-signed (besides a signature by 6B9D6523, openSUSE
Build Service
On Fri, May 23, 2014 at 06:31:01PM +0200, Benedikt Wildenhain wrote:
I am using the Debian-packages build for ownCloud, which are available at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.
They are only self-signed
A signature can't be self-signed, so are you talking about the "Release.key" pubkey file that is also in the repository?
(besides a signature by 6B9D6523, openSUSE Build Service, which expired in 2008)
We don't put an expiry date in the openSUSE Build Service signature, so are you talking about the openSUSE Build Service pubkey? If yes, where did you get it from?
using http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/..., so it is not possible to check its validity using OpenPGP's web of trust. Would it be possible to provide verifiable repositories keys, either by signing them or by providing them via https?
The pubkeys are signed by the openSUSE Build Service key, right? It would indeed be nice if download.opensuse.org also provided https.
Cheers, Michael.
--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Hello Michael,
On Fri, May 23, 2014 at 06:46:21PM +0200, Michael Schroeder wrote:
On Fri, May 23, 2014 at 06:31:01PM +0200, Benedikt Wildenhain wrote:
I am using the Debian-packages build for ownCloud, which are available at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.
They are only self-signed
A signature can't be self-signed, so are you talking about the "Release.key" pubkey file that is also in the repository?
Yes, exactly.
(besides a signature by 6B9D6523, openSUSE Build Service, which expired in 2008)
We don't put an expiry date in the openSUSE Build Service signature, so are you talking about the openSUSE Build Service pubkey? If yes, where did you get it from?
I used hkp://keys.gnupg.net (the same key is also available via http://keys.gnupg.net/pks/lookup?op=get&search=0x3B3011B76B9D6523 )
$ LANG=C gpg --recv-keys 6B9D6523
gpg: requesting key 6B9D6523 from hkp server keys.gnupg.net
gpg: key 6B9D6523: "openSUSE Build Service
The pubkeys are signed by the openSUSE Build Service key, right?
Yes, but at least those I downloaded using the command above weren't signed by anyone, so I cannot find a signature path to someone with whom I exchanged keys before.
Regards, Benedikt Wildenhain
On 24.05.2014 21:05, Benedikt Wildenhain wrote:
Yes, but at least those I downloaded using the command above weren't signed by anyone, so I cannot find a signature path to someone with whom I exchanged keys before.
That is a "problem" for the repository owner to solve. By publishing their keyblock/fingerprint on their home page or signing the key. Owncloud has been told by us a couple of times, you should talk to them :-)
Henne
--
Henne Vogelsang http://www.opensuse.org
Everybody has a plan, until they get hit. - Mike Tyson
On Sat, May 24, 2014 at 09:05:44PM +0200, Benedikt Wildenhain wrote:
On Fri, May 23, 2014 at 06:46:21PM +0200, Michael Schroeder wrote:
On Fri, May 23, 2014 at 06:31:01PM +0200, Benedikt Wildenhain wrote:
I am using the Debian-packages build for ownCloud, which are available at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.
They are only self-signed
A signature can't be self-signed, so are you talking about the "Release.key" pubkey file that is also in the repository?
Yes, exactly.
(besides a signature by 6B9D6523, openSUSE Build Service, which expired in 2008)
We don't put an expiry date in the openSUSE Build Service signature, so are you talking about the openSUSE Build Service pubkey? If yes, where did you get it from?
I used hkp://keys.gnupg.net (the same key is also available via http://keys.gnupg.net/pks/lookup?op=get&search=0x3B3011B76B9D6523 )
Ok, I'll talk to our security guys about uploading (and maybe signing) a newer version of the build service pubkey.
Thanks, Michael.
On Mon, May 26, 2014 at 11:00:24AM +0200, Michael Schroeder wrote:
Ok, I'll talk to our security guys about uploading (and maybe signing) a newer version of the build service pubkey.
An extended and signed version has been uploaded to keys.gnupg.net by Marcus Meissner.
Cheers, Michael.
Hello,
On Mon, May 26, 2014 at 01:38:11PM +0200, Michael Schroeder wrote:
An extended and signed version has been uploaded to keys.gnupg.net by Marcus Meissner.
Thanks, it looks good now. His key can be easily verified.
Regards, Benedikt Wildenhain
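The checks this thread turns on (a fingerprint obtained out of band, the key's expiry date, and a verified certification from a key the user already trusts), written out as an added example that is not part of the original thread or of any openSUSE tooling. The function name `assess_key`, its parameters and the sample listing are assumptions made for illustration; only the long key ID is taken from the thread.

```python
import time

# Constructed sample of `gpg --with-colons --check-sigs <keyid>` output.
# Only the long key ID comes from the thread; the zero-padded fingerprint,
# the timestamps and the certifier ID AAAAAAAAAAAAAAAA are made up.
SAMPLE = """\
pub:e:1024:17:3B3011B76B9D6523:1161264000:1224336000::-:::sc::::::
fpr:::::::::0000000000000000000000003B3011B76B9D6523:
uid:e::::1161264000::::openSUSE Build Service (constructed uid)::::::::::0:
sig:!::17:3B3011B76B9D6523:1161264000::::openSUSE Build Service:13x:
sig:!::1:AAAAAAAAAAAAAAAA:1401100000::::Constructed Certifier:10x:
"""


def assess_key(colon_output, pinned_fpr, trusted_signers, now=None):
    """Return the reasons a key should not be trusted yet (empty list = ok).

    pinned_fpr: fingerprint obtained out of band (https page, in person).
    trusted_signers: long key IDs of keys the user has already verified.
    Hypothetical helper; assumes one primary key and epoch timestamps.
    """
    now = time.time() if now is None else now
    fpr = keyid = expires = None
    certifiers = set()
    for line in colon_output.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            keyid = f[4]
            expires = int(f[6]) if f[6] else None   # empty = no expiry date
        elif f[0] == "fpr" and fpr is None:         # first fpr is the primary key
            fpr = f[9]
        elif f[0] == "sig" and f[4] != keyid and f[1].startswith("!"):
            certifiers.add(f[4])                    # verified third-party signature
    problems = []
    if fpr != pinned_fpr.replace(" ", "").upper():
        problems.append("fingerprint does not match the pinned value")
    if expires is not None and expires < now:
        problems.append("key expired")
    if not certifiers & set(trusted_signers):
        problems.append("no certification from a key you already trust")
    return problems


if __name__ == "__main__":
    pinned = "0000 0000 0000 0000 0000 0000 3B30 11B7 6B9D 6523"  # constructed
    print(assess_key(SAMPLE, pinned, {"AAAAAAAAAAAAAAAA"}, now=1401100000))
```

Self-signatures are skipped because they say nothing about who controls the key, and a `sig` record counts only when gpg marked it `!` (signature verified), which requires the certifier's public key to be in the local keyring.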
participants (3): Benedikt Wildenhain, Henne Vogelsang, Michael Schroeder