[opensuse-factory] gpg signature check in bootstrap packages
On Monday 2013-06-17 15:25, coolo@suse.com/Hermes wrote:
> https://build.opensuse.org/request/show/179324
> Description:
> - avoid gpg-offline in bootstrap packages

How important is the presence and/or absence of the signature check? There are more bootstrap packages that have a BuildRequires: gpg-offline.

My recommendation would be, as I have already done with one bootstrapish package, to remove BuildRequires: gpg-offline and instead slurp gpg-offline into the buildchroot by way of a prjconf Support: and/or through ~/.oscrc extra-pkgs. (The downside with .oscrc is that it bugs you whenever there is no gpg-offline, like when building locally for other distros.)

Sounds like an idea?

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On 17.06.2013 16:12, Jan Engelhardt wrote:
> On Monday 2013-06-17 15:25, coolo@suse.com/Hermes wrote:
>> https://build.opensuse.org/request/show/179324
>> Description:
>> - avoid gpg-offline in bootstrap packages
>
> How important is the presence and/or absence of the signature check? There are more bootstrap packages that have a BuildRequires: gpg-offline.
>
> My recommendation would be, as I have already done with one bootstrapish package, to remove BuildRequires: gpg-offline and instead slurp gpg-offline into the buildchroot by way of a prjconf Support: and/or through ~/.oscrc extra-pkgs. (The downside with .oscrc is that it bugs you whenever there is no gpg-offline, like when building locally for other distros.)
>
> Sounds like an idea?

I consider verifying the gpg signature in the spec file wasted time - at least if it's as expensive as it is, so the right way IMO is to integrate it into the source_validator. Mark the signature file in the spec file somehow and let the source validator fail.

Greetings, Stephan
On Tuesday 2013-06-18 09:39, Stephan Kulow wrote:
> I consider verifying the gpg signature in the spec file wasted time - at least if it's as expensive as it is, so the right way IMO is to integrate it into the source_validator.

There goes the benefit of validation...

If it is not checked at build time, how is one supposed to know that the data committed to the srcserver is actually untampered.. A question for all the verification promoters ;-)
On Tue, Jun 18, 2013 at 09:59:29AM +0200, Jan Engelhardt wrote:
> On Tuesday 2013-06-18 09:39, Stephan Kulow wrote:
>> I consider verifying the gpg signature in the spec file wasted time - at least if it's as expensive as it is, so the right way IMO is to integrate it into the source_validator.
>
> There goes the benefit of validation...
>
> If it is not checked at build time, how is one supposed to know that the data committed to the srcserver is actually untampered.. A question for all the verification promoters ;-)

After talking with coolo I now implemented a check also in the obs-service-source_validator:
- It looks for *.keyring files and imports them.
- If found, it looks for *.sig and *.asc files and verifies them.

(We can leave gpg-offline in packages outside of the buildcycle though.)

Ciao, Marcus
On Wednesday 2013-06-19 09:07, Marcus Meissner wrote:
>> If it is not checked at build time, how is one supposed to know that the data committed to the srcserver is actually untampered.. A question for all the verification promoters ;-)
>
> After talking with coolo I now implemented a check also in the obs-service-source_validator:
> - It looks for *.keyring files and imports them.
> - If found, it looks for *.sig and *.asc files and verifies them.

Please do support transparent decompression, for the case of

linux-3.9.6.tar.sig
linux-3.9.6.tar.xz

Here, the archive needs to be decompressed before gpg is willing to verify the signature. The same would be helpful to put down SHA checksums of the .tar in the _service file, rather than for the .tar.xz.
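The check Marcus describes (import every *.keyring, then verify every *.sig/*.asc) combined with the transparent decompression Jan asks for, written out as an added example in POSIX sh. This is not the obs-service-source_validator code; it assumes gpg and xz/gzip/bzip2 are in PATH, and the function names (sig_target, sig_stream_cmd, verify_sig, verify_sources) are my own.

```shell
#!/bin/sh
# Added example, not code from obs-service-source_validator: verify detached
# gpg signatures shipped with package sources, importing *.keyring files into
# a throwaway keyring first and decompressing .xz/.gz/.bz2 archives on the fly
# when the signature was made over the uncompressed .tar.

# Print the file a detached signature covers, or fail if none exists.
# linux-3.9.6.tar.sig -> linux-3.9.6.tar if present, else linux-3.9.6.tar.xz
# (or .gz/.bz2); in the latter case the data must be decompressed for gpg.
sig_target() {
    sig=$1
    base=${sig%.sig}
    base=${base%.asc}
    if [ -f "$base" ]; then
        printf '%s\n' "$base"
        return 0
    fi
    for ext in xz gz bz2; do
        if [ -f "$base.$ext" ]; then
            printf '%s\n' "$base.$ext"
            return 0
        fi
    done
    return 1
}

# Print the command that streams the signed bytes: "cat" when the signature
# covers the file exactly as shipped, a decompressor when sig_target had to
# add a compression suffix (the signature then covers the plain tarball).
sig_stream_cmd() {
    sig=$1
    target=$2
    base=${sig%.sig}
    base=${base%.asc}
    if [ "$target" = "$base" ]; then
        echo cat
        return 0
    fi
    case $target in
        *.xz)  echo 'xz -dc' ;;
        *.gz)  echo 'gzip -dc' ;;
        *.bz2) echo 'bzip2 -dc' ;;
        *)     echo cat ;;
    esac
}

# Verify one signature using the keys in $GNUPGHOME. The signed data is piped
# to gpg on stdin ("-"), so a decompressed archive is never written to disk
# and the shipped tarball is never rewritten or recompressed.
verify_sig() {
    sig=$1
    target=$(sig_target "$sig") || { echo "no signed file found for $sig" >&2; return 1; }
    cmd=$(sig_stream_cmd "$sig" "$target")
    $cmd "$target" | gpg --batch --verify "$sig" -
}

# Import every *.keyring in a source directory into a temporary keyring and
# verify every *.sig/*.asc found there. Returns non-zero if any check fails,
# including a signature with no matching data file.
verify_sources() {
    dir=$1
    GNUPGHOME=$(mktemp -d) || return 1
    export GNUPGHOME
    chmod 700 "$GNUPGHOME"
    status=0
    for kr in "$dir"/*.keyring; do
        [ -f "$kr" ] || continue
        gpg --batch --import "$kr" || status=1
    done
    for sig in "$dir"/*.sig "$dir"/*.asc; do
        [ -f "$sig" ] || continue
        verify_sig "$sig" || status=1
    done
    rm -rf "$GNUPGHOME"
    return $status
}

# Usage: ./verify-sources.sh /path/to/checked-out/package
if [ $# -gt 0 ]; then
    verify_sources "$1"
fi
```

Because the signed bytes are streamed rather than materialised, the only cost of supporting the .tar.sig + .tar.xz layout is the decompression itself; a signature shipped over the compressed file (foo.tar.gz.asc next to foo.tar.gz) still goes through "cat" and is verified unchanged.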
On 19.06.2013 14:42, Jan Engelhardt wrote:
> On Wednesday 2013-06-19 09:07, Marcus Meissner wrote:
>>> If it is not checked at build time, how is one supposed to know that the data committed to the srcserver is actually untampered.. A question for all the verification promoters ;-)
>>
>> After talking with coolo I now implemented a check also in the obs-service-source_validator:
>> - It looks for *.keyring files and imports them.
>> - If found, it looks for *.sig and *.asc files and verifies them.
>
> Please do support transparent decompression, for the case of
>
> linux-3.9.6.tar.sig
> linux-3.9.6.tar.xz

You don't want to uncompress that tarball whenever you do osc ci or osc build (times when the source validator runs). So perhaps an extra service only run by default in factory-auto is the thing to do (just like we do for download_files).

Greetings, Stephan
On Wed, Jun 19, 2013 at 02:42:28PM +0200, Jan Engelhardt wrote:
> On Wednesday 2013-06-19 09:07, Marcus Meissner wrote:
>>> If it is not checked at build time, how is one supposed to know that the data committed to the srcserver is actually untampered.. A question for all the verification promoters ;-)
>>
>> After talking with coolo I now implemented a check also in the obs-service-source_validator:
>> - It looks for *.keyring files and imports them.
>> - If found, it looks for *.sig and *.asc files and verifies them.
>
> Please do support transparent decompression, for the case of
>
> linux-3.9.6.tar.sig
> linux-3.9.6.tar.xz
>
> Here, the archive needs to be decompressed before gpg is willing to verify the signature.

Unless I am allowed to rewrite this in perl instead of bash... Probably not.

Also we should not do recompression of tarballs. :/

Ciao, Marcus
On Wednesday 2013-06-19 16:10, Marcus Meissner wrote:
>> linux-3.9.6.tar.sig
>> linux-3.9.6.tar.xz
>>
>> Here, the archive needs to be decompressed before gpg is willing to verify the signature.
>
> Unless I am allowed to rewrite this in perl instead of bash... Probably not.
>
> Also we should not do recompression of tarballs. :/

I have yet to see a reasonable argument.
participants (3)
- Jan Engelhardt
- Marcus Meissner
- Stephan Kulow