28 Nov
2016
28 Nov
'16
05:40
Hi,
when building RPMs in OBS, each of them is signed with a private key
that is kept somewhere in the OBS infrastructure.
But it occurred to me, that this might not actually be needed because we
sign repository metadata using the same keys and that metadata contains
hashes of files, so those are already protected against malicious
modification.
Are there tools, processes or people using those sigs on individual rpms?
The background is, that when trying to reproduce a build to verify that
it is bit-by-bit identical to what was published before, we can only
compare parts of it, because the signature and its timestamp will always
be different.
We could try to strip such information that is known-to-vary
but it also has some appeal to get completely identical results.
Ciao
Bernhard M.
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner(a)opensuse.org
28 Nov
28 Nov
08:34
Am Montag, 28. November 2016, 05:40:54 CET schrieb Bernhard M. Wiedemann:
Hi,
when building RPMs in OBS, each of them is signed with a private key
that is kept somewhere in the OBS infrastructure.
But it occurred to me, that this might not actually be needed because we
sign repository metadata using the same keys and that metadata contains
hashes of files, so those are already protected against malicious
modification.
Are there tools, processes or people using those sigs on individual rpms?
Yup, rpm itself does. It can be set to refuse unsigned RPMs.
You can also check against the digital signature when verifying packages.
Lastly, people can always manually download and install packages without
adding the repositories.
Cheers
Mathias
--
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184 C5F9 B013 44E7 27BD 763C
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner(a)opensuse.org
08:41
On Montag, 28. November 2016, 09:34:04 CET wrote Mathias Homann:
Am Montag, 28. November 2016, 05:40:54 CET schrieb
Bernhard M. Wiedemann:
and osc does. It downloads rpm which may not even pubished at that point of
time and validates it (at least when not building in a safe env like kvm)
--
Adrian Schroeter
email: adrian(a)suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG
Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner(a)opensuse.org
Hi,
when building RPMs in OBS, each of them is signed with a private key
that is kept somewhere in the OBS infrastructure.
But it occurred to me, that this might not actually be needed because we
sign repository metadata using the same keys and that metadata contains
hashes of files, so those are already protected against malicious
modification.
Are there tools, processes or people using those sigs on individual rpms?
Yup, rpm itself does. It can be set to refuse unsigned RPMs.
You can also check against the digital signature when verifying packages.
Lastly, people can always manually download and install packages without
adding the repositories. 
09:26
Hi
Am Montag, 28. November 2016, 09:41:13 schrieb Adrian Schröter:
On Montag, 28. November 2016, 09:34:04 CET wrote
Mathias Homann:
and newer libzypp/zypper/etc. is using it in case the metadata are not signed.
--
Regards
Michael Calmer
--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575 - e-mail: Michael.Calmer(a)suse.com
--------------------------------------------------------------------------
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
HRB 21284 (AG Nürnberg)
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner(a)opensuse.org
Am Montag, 28. November 2016, 05:40:54 CET
schrieb Bernhard M. Wiedemann:
and osc does. It downloads rpm which may not even pubished at that point of
time and validates it (at least when not building in a safe env like kvm) Hi,
when building RPMs in OBS, each of them is signed with a private key
that is kept somewhere in the OBS infrastructure.
But it occurred to me, that this might not actually be needed because we
sign repository metadata using the same keys and that metadata contains
hashes of files, so those are already protected against malicious
modification.
Are there tools, processes or people using those sigs on individual
rpms?
Yup, rpm itself does. It can be set to refuse unsigned RPMs.
You can also check against the digital signature when verifying packages.
Lastly, people can always manually download and install packages without
adding the repositories. 
09:29
On Monday 2016-11-28 09:34, Mathias Homann wrote:
Am Montag, 28. November 2016, 05:40:54 CET schrieb
Bernhard M. Wiedemann:
This is where I need to point out the unsafety of the Debian package format :-)
--
To unsubscribe, e-mail: opensuse-packaging+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-packaging+owner(a)opensuse.org
when building RPMs in OBS, each of them is signed with a private key
that is kept somewhere in the OBS infrastructure.
But it occurred to me, that this might not actually be needed because we
sign repository metadata
Lastly, people can always manually download and install packages without
adding the repositories.
1786
days inactive
1786
days old
4 comments
5 participants
participants (5)
-
Adrian Schröter -
Bernhard M. Wiedemann -
Jan Engelhardt -
Mathias Homann -
Michael Calmer