[opensuse-buildservice] verifiable public keys for repositories

newer
[opensuse-buildservice] HELP: How...

older
Re: [opensuse-buildservice] Only...

Benedikt Wildenhain

23 May 2014 23 May '14

16:31

Hello, I am using the Debian-packages build for ownCloud, which are available at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/. They are only self-signed (besides an signature by 6B9D6523, openSUSE Build Service , which expired in 2008) using http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/..., so it is not possible to check its validity using OpenPGP's web of trust. Would it be possible to provide verifiable repositories keys, either by signing them or by providing them via https? Kind regards, Benedikt Wildenhain -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Show replies by thread

Michael Schroeder

23 May 23 May

16:46

On Fri, May 23, 2014 at 06:31:01PM +0200, Benedikt Wildenhain wrote:

...

I am using the Debian-packages build for ownCloud, which are available at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.

They are only self-signed

A signature can't be self-signed, so are you talking about the "Release.key" pubkey file that is also in the repository?

...

(besides an signature by 6B9D6523, openSUSE Build Service , which expired in 2008)

We don't put an expiry date in the openSUSE Build Service signature, so are you talking about the openSUSE Build Service pubkey? If yes, where did you get it from?

...

using http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/..., so it is not possible to check its validity using OpenPGP's web of trust. Would it be possible to provide verifiable repositories keys, either by signing them or by providing them via https?

The pubkey are signed by the openSUSE Build Service key, right? It would indeed be nice if download.opensuse.org also provided https. Cheers, Michael. -- Michael Schroeder mls@suse.de SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);} -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Benedikt Wildenhain

24 May 24 May

19:05

Hello Michael, On Fri, May 23, 2014 at 06:46:21PM +0200, Michael Schroeder wrote:

...

On Fri, May 23, 2014 at 06:31:01PM +0200, Benedikt Wildenhain wrote:

...
I am using the Debian-packages build for ownCloud, which are available at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.

They are only self-signed

A signature can't be self-signed, so are you talking about the "Release.key" pubkey file that is also in the repository? Yes, exactly.

...

...
(besides an signature by 6B9D6523, openSUSE Build Service , which expired in 2008)

We don't put an expiry date in the openSUSE Build Service signature, so are you talking about the openSUSE Build Service pubkey? If yes, where did you get it from? I used hkp://keys.gnupg.net (the same key is also available via http://keys.gnupg.net/pks/lookup?op=get&search=0x3B3011B76B9D6523 )

$ LANG=C gpg --recv-keys 6B9D6523 gpg: requesting key 6B9D6523 from hkp server keys.gnupg.net gpg: key 6B9D6523: "openSUSE Build Service " not changed gpg: Total number processed: 1 gpg: unchanged: 1 $ LANG=C gpg --list-sigs 6B9D6523 pub 1024D/6B9D6523 2006-05-24 [expired: 2008-05-23] uid openSUSE Build Service sig 3 6B9D6523 2006-05-24 openSUSE Build Service

...

The pubkey are signed by the openSUSE Build Service key, right? Yes, but at least those I downloaded using the command above wasn't signed by anyone, so I cannot find a signature path to someone, with whom I exchanged keys with before.

Regards, Benedikt Wildenhain

Henne Vogelsang

26 May 26 May

08:54

On 24.05.2014 21:05, Benedikt Wildenhain wrote:

...

Yes, but at least those I downloaded using the command above wasn't signed by anyone, so I cannot find a signature path to someone, with whom I exchanged keys with before.

That is a "problem" for the repository owner to solve. By publishing their keyblock/fingerprint on their home page or signing the key. Owncloud has been told by us a couple of times, you should talk to them :-) Henne -- Henne Vogelsang http://www.opensuse.org Everybody has a plan, until they get hit. - Mike Tyson -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Michael Schroeder

09:00

On Sat, May 24, 2014 at 09:05:44PM +0200, Benedikt Wildenhain wrote:

...

On Fri, May 23, 2014 at 06:46:21PM +0200, Michael Schroeder wrote:

...
On Fri, May 23, 2014 at 06:31:01PM +0200, Benedikt Wildenhain wrote:

...
I am using the Debian-packages build for ownCloud, which are available at http://download.opensuse.org/repositories/isv:ownCloud:community/Debian_7.0/.

They are only self-signed

A signature can't be self-signed, so are you talking about the "Release.key" pubkey file that is also in the repository? Yes, exactly.

...
...
(besides an signature by 6B9D6523, openSUSE Build Service , which expired in 2008)

We don't put an expiry date in the openSUSE Build Service signature, so are you talking about the openSUSE Build Service pubkey? If yes, where did you get it from? I used hkp://keys.gnupg.net (the same key is also available via http://keys.gnupg.net/pks/lookup?op=get&search=0x3B3011B76B9D6523 )

Ok, I'll talk to our security guys about uploading (and maybe signing) a newer version of the build service pubkey. Thanks, Michael. -- Michael Schroeder mls@suse.de SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);} -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Michael Schroeder

11:38

On Mon, May 26, 2014 at 11:00:24AM +0200, Michael Schroeder wrote:

...

Ok, I'll talk to our security guys about uploading (and maybe signing) a newer version of the build service pubkey.

An extended and signed version has been uploaded to keys.gnupg.net by Marcus Meissner. Cheers, Michael. -- Michael Schroeder mls@suse.de SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);} -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

Benedikt Wildenhain

12:42

...

An extended and signed version has been uploaded to keys.gnupg.net by Marcus Meissner.

Hello, On Mon, May 26, 2014 at 01:38:11PM +0200, Michael Schroeder wrote: thanks, it looks good now. His key can be easily verified. Regards, Benedikt Wildenhain -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org

3621

Age (days ago)

3624

Last active (days ago)

List overview

Download

6 comments

3 participants

participants (3)

Benedikt Wildenhain
Henne Vogelsang
Michael Schroeder