Hi.

As discussed in the past [1], Factory now has the gpg-offline package, which is a wrapper on top of gnupg that allows simple build-time offline verification of GPG signatures. It makes it possible to verify tarballs at build time.

The use of gpg-offline in spec files is really simple:
https://build.opensuse.org/package/view_file?expand=1&file=gpg-offline.PACKAGING.HOWTO&package=gpg-offline&project=Base%3ASystem

The package also contains a man page.

The first step is very security-sensitive: You define your package keyring - a list of trusted keys that can be used by the upstream to sign the source of your package. Check carefully that you are not adding malicious keys there. Be paranoid!

The gpg_verify tool is able to detect hacked source on the upstream servers (and such a bad thing has really already happened [2]!), but it is not able to detect a maliciously uploaded false signature on the key servers.

If the upstream author is in your web of trust, you are on the safe side. But if he/she is not in your web of trust, you have to use alternative ways to trust the key:

- If you can mail the author and verify the key, it is very probably an authorized signature.
- If the signing key is the same as the one used a year ago, it is probably an authorized signature.
- If the signing key was used on the mailing list many times to sign developer mails, or at least it was announced there, it is probably an authorized signature.
- If you can find the public key or footprint on more servers with different hosting, it is probably an authorized signature.

I just implemented signature verification for all packages that already contained a signature and/or trusted keyring. But I did not verify that the signature submitted by packagers is the signature of the real author.

Feedback, feature requests and bug reports are welcome.

[1] http://lists.opensuse.org/opensuse-packaging/2012-09/msg00029.html
[2] http://scarybeastsecurity.blogspot.cz/2011/07/alert-vsftpd-download-backdoor...
There is still one FIXME: If anybody knows how to use the trust model "all keys in the local keyring are trusted" without "gpg: WARNING: Using untrusted key!", please advise.

-- 
Best Regards / S pozdravem,
Stanislav Brabec
software developer
---------------------------------------------------------------------
SUSE LINUX, s. r. o.                       e-mail: sbrabec@suse.cz
Lihovarská 1060/12                         tel: +49 911 7405384547
190 00 Praha 9                             fax: +420 284 028 951
Czech Republic                             http://www.suse.cz/
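An added example, not part of Stanislav's message and not code from the gpg-offline package: a verifier that decides on gpg's machine-readable `--status-fd` output and a packager-maintained list of pinned fingerprints, instead of on gpg's ownertrust model. The point it illustrates is the one the message makes about keys: a signature can be cryptographically good and still come from a key nobody vetted (a false key uploaded to a key server, or an extra key in an upstream KEYS file imported wholesale), and only a pinned fingerprint check catches that. The gpg flags and status keywords used here are the documented ones from GnuPG's `doc/DETAILS`; the fingerprints, key IDs and status transcripts are constructed sample data, and `verify_with_gpg` (which shells out to a real gpg) is an assumed wrapper, not gpg-offline's own.

```python
"""Judge a detached OpenPGP signature by gpg's --status-fd output plus a pinned
fingerprint list. Added example, not gpg-offline code. Flags and status keywords
are GnuPG's documented ones; all fingerprints/transcripts below are constructed."""
import subprocess
from dataclasses import dataclass
from typing import Iterator, List, Optional, Tuple

STATUS_PREFIX = "[GNUPG:] "

# Status keywords after which the signature must be rejected outright.
FATAL_KEYWORDS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG",
                  "REVKEYSIG", "NODATA", "UNEXPECTED"}


@dataclass
class Verdict:
    ok: bool
    reason: str
    fingerprint: Optional[str] = None  # signing key, if gpg got that far


def parse_status(status_text: str) -> Iterator[Tuple[str, List[str]]]:
    """Yield (keyword, arguments) for every '[GNUPG:] ...' line; ignore the rest."""
    for line in status_text.splitlines():
        if line.startswith(STATUS_PREFIX):
            parts = line[len(STATUS_PREFIX):].split()
            if parts:
                yield parts[0], parts[1:]


def normalize_fpr(fpr: str) -> str:
    """Canonical form for comparing fingerprints copied from different sources."""
    return fpr.replace(" ", "").upper()


def evaluate_status(status_text: str, pinned_fingerprints) -> Verdict:
    """Accept only a GOODSIG whose VALIDSIG fingerprint is on the pinned list.

    Ownertrust lines (TRUST_UNDEFINED etc.) are deliberately ignored: the pinned
    list, not gpg's web-of-trust model, decides which keys are acceptable.
    """
    pinned = {normalize_fpr(f) for f in pinned_fingerprints}
    good = False
    fatal: List[str] = []
    seen_fprs: List[str] = []
    for keyword, args in parse_status(status_text):
        if keyword == "GOODSIG":
            good = True
        elif keyword in FATAL_KEYWORDS:
            fatal.append(keyword)
        elif keyword == "VALIDSIG" and args:
            # args[0]: fingerprint of the signing (sub)key; args[9], when present,
            # is the primary key fingerprint. Either one may be the pinned value.
            seen_fprs.append(normalize_fpr(args[0]))
            if len(args) > 9:
                seen_fprs.append(normalize_fpr(args[9]))
    if fatal:
        return Verdict(False, "gpg reported " + ", ".join(fatal))
    if not good or not seen_fprs:
        return Verdict(False, "no GOODSIG/VALIDSIG pair in gpg output")
    for fpr in seen_fprs:
        if fpr in pinned:
            return Verdict(True, "good signature by pinned key", fpr)
    # Cryptographically valid, but made by a key the packager never vetted:
    # the "false key on the key servers" case.
    return Verdict(False, "good signature, but key is not pinned", seen_fprs[0])


def verify_with_gpg(data_path: str, sig_path: str, keyring_path: str,
                    pinned_fingerprints) -> Verdict:
    """Assumed wrapper: run gpg against a package-specific keyring only.

    keyring_path should be absolute, since gpg resolves a bare filename inside
    its home directory. Trust warnings go to stderr and do not alter status lines.
    """
    cmd = ["gpg", "--batch", "--no-default-keyring", "--keyring", keyring_path,
           "--status-fd", "1", "--verify", sig_path, data_path]
    proc = subprocess.run(cmd, capture_output=True, text=True)
    return evaluate_status(proc.stdout, pinned_fingerprints)


# --- constructed sample data (not real keys, not real gpg transcripts) --------
PINNED = ["0123 4567 89AB CDEF 0123  4567 89AB CDEF 0123 4567"]
_FPR = "0123456789ABCDEF0123456789ABCDEF01234567"
_OTHER = "FEDCBA9876543210FEDCBA9876543210FEDCBA98"

STATUS_GOOD = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 89ABCDEF01234567 Example Upstream <upstream@example.org>
[GNUPG:] VALIDSIG {_FPR} 2012-10-01 1349049600 0 4 0 1 10 00 {_FPR}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_TAMPERED = """[GNUPG:] NEWSIG
[GNUPG:] BADSIG 89ABCDEF01234567 Example Upstream <upstream@example.org>
"""
STATUS_OTHER_KEY = f"""[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 76543210FEDCBA98 Example Upstream <upstream@example.org>
[GNUPG:] VALIDSIG {_OTHER} 2012-10-01 1349049600 0 4 0 1 10 00 {_OTHER}
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""
STATUS_NO_KEY = """[GNUPG:] NEWSIG
[GNUPG:] ERRSIG 89ABCDEF01234567 1 10 00 1349049600 9
[GNUPG:] NO_PUBKEY 89ABCDEF01234567
"""

if __name__ == "__main__":
    for name, text in [("good", STATUS_GOOD), ("tampered", STATUS_TAMPERED),
                       ("other key", STATUS_OTHER_KEY), ("no key", STATUS_NO_KEY)]:
        print(f"{name:10s} -> {evaluate_status(text, PINNED)}")
```

Two notes on the FIXME in the message, stated as facts about GnuPG rather than as a change to what Stanislav wrote: the "Using untrusted key" warning is a stderr message about ownertrust and does not change the GOODSIG/VALIDSIG status lines, so a pinned-fingerprint check like the one above is unaffected by it; and `gpg --trust-model always` (available in gpg 1.4 and 2.x) or the `gpgv` tool, which by design treats every key in the given keyring as trusted, both silence it. The constructed `STATUS_GOOD` transcript carries a `TRUST_UNDEFINED` line for exactly this reason: the verdict is still `ok`, because the fingerprint is pinned.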