Secure/signed installation sources woes
Trying to add signatures to my (yast2) RPM repository for 10.1.
http://en.opensuse.org/Secure_Installation_Sources

A couple of unclear things in there I'd like to poke on.

=========

"When YaST detects an installation source it checks if the file "products" is there, and then checks if it is signed with a known key. If it is not signed at all or with an unknown key, or if the key is on the media, but not trusted (yet), the user will be asked what to do."

"The key is usually also on the installation media as /gpg-pubkey-9c800aca-40d8063e.asc"

What it doesn't say clearly is where/how YaST2 will try to fetch the armored/exported key in order to propose importing it. I assume it uses whatever is defined in "content" using the "KEY" tag (see below). Correct?

=========

"The "content" file is signed in the same manner as the "products" file, so there is a "content.key" (usually, but not necessarily the same as "products.key")."

Those "content.key"/"products.key" files are not mentioned anywhere else. Are those copies of the ASCII-armored, exported GPG key?

=========

"META keys are added for all files in the directory named in the key DESCRDIR"

So in "content" I should have something like:

    ...
    DESCRDIR setup/descr
    KEY SHA1 33ad20fe228350dc4e0f0cd7967460c31266af36 gpg-pubkey-guru.asc
    META SHA1 4baafd9998ea4e20245f82e507c6db6b723f4597 packages
    META SHA1 965ba5faeea815d41ba308ffd193b78505b26c1c directory.yast
    META SHA1 4565f769ae573f89dddbf2eef1357b59a88ad1df packages.DU
    META SHA1 c53400cdb9e16ac0d9add587585fc77c86f132c5 packages.en

Correct?

=========

"Before YaST uses any file from DESCRDIR it will look up the entry in "content". This entry is currently a SHA1 checksum followed by the package name. This may change to a SHA256 checksum."

A "package" name? I suppose what is meant here is "file" name. Is it?

=========

"The next step in the chain is the file "packages" in DESCRDIR. If you are familiar with its syntax you will see that we added a new tag there, too, right after the "Pgk:" tag. Here is an example of the first two lines of the entry for the default kernel:

    =Pkg: kernel-default 2.6.16 13 i586
    =Cks: SHA1 8c8eb2b605e1d626c22bea8dd0c3b05885432b16

Again we have a SHA1 checksum."

Maybe it should be mentioned that one must use create_package_descr from 10.1 or Factory (I only checked the one from autoyast2-2.13.59.tar.bz2).

What about older versions? If I use create_package_descr from 10.1/Factory, that adds those =Cks: tags into the "packages" file, can I also use it to generate "packages" for, say, 10.0/9.3/9.2/9.1? Or will YaST2 on 10.0 and older bark, saying that it does not know anything about the "=Cks:" tag?

cheers

-- 
 -o) Pascal Bleser     http://linux01.gwdg.de/~pbleser/
 /\\ <pascal.bleser@skynet.be>   <guru@unixtech.be>
_\_v The more things change, the more they stay insane.
On Thu, May 25, 2006 at 05:18:06PM +0200, Pascal Bleser wrote:
Trying to add signatures to my (yast2) RPM repository for 10.1.
http://en.opensuse.org/Secure_Installation_Sources
A couple of unclear things in there I'd like to poke on.
=========
"When YaST detects an installation source it checks if the file "products" is there, and then checks if it is signed with a known key. If it is not signed at all or with an unknown key, or if the key is on the media, but not trusted (yet), the user will be asked what to do."
"The key is usually also on the installation media as /gpg-pubkey-9c800aca-40d8063e.asc"
What it doesn't say clearly is where/how YaST2 will try to fetch the armored/exported key in order to propose importing it. I assume it uses whatever is defined in "content" using the "KEY" tag (see below). Correct?
For /content it is /content.key. For repomd.xml it is /repomd.xml.key. Not sure for SUSE old-style sources. I would have to check the source ;)
=========
"The "content" file is signed in the same manner as the "products" file, so there is a "content.key" (usually, but not necessarily the same as "products.key")."
Those "content.key"/"products.key" files are not mentioned anywhere else. Are those copies of the ASCII-armored, exported GPG key?
Yes. ASCII Armor is not necessary.
=========
"META keys are added for all files in the directory named in the key DESCRDIR"
So in "content" I should have something like:

    ...
    DESCRDIR setup/descr
    KEY SHA1 33ad20fe228350dc4e0f0cd7967460c31266af36 gpg-pubkey-guru.asc
    META SHA1 4baafd9998ea4e20245f82e507c6db6b723f4597 packages
    META SHA1 965ba5faeea815d41ba308ffd193b78505b26c1c directory.yast
    META SHA1 4565f769ae573f89dddbf2eef1357b59a88ad1df packages.DU
    META SHA1 c53400cdb9e16ac0d9add587585fc77c86f132c5 packages.en

Correct?
Yes.
=========
"Before YaST uses any file from DESCRDIR it will look up the entry in "content". This entry is currently a SHA1 checksum followed by the package name. This may change to a SHA256 checksum."
A "package" name? I suppose what is meant here is "file" name. Is it?
A filename, yes.
=========
"The next step in the chain is the file "packages" in DESCRDIR. If you are familiar with its syntax you will see that we added a new tag there, too, right after the "Pgk:" tag. Here is an example of the first two lines of the entry for the default kernel:

    =Pkg: kernel-default 2.6.16 13 i586
    =Cks: SHA1 8c8eb2b605e1d626c22bea8dd0c3b05885432b16

Again we have a SHA1 checksum."

Maybe it should be mentioned that one must use create_package_descr from 10.1 or Factory (I only checked the one from autoyast2-2.13.59.tar.bz2).

What about older versions? If I use create_package_descr from 10.1/Factory, that adds those =Cks: tags into the "packages" file, can I also use it to generate "packages" for, say, 10.0/9.3/9.2/9.1? Or will YaST2 on 10.0 and older bark, saying that it does not know anything about the "=Cks:" tag?
I don't know.

Ciao, Marcus

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-packaging-unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-packaging-help@opensuse.org
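As an added example (not code from the wiki page, from YaST, or from Pascal's repository tooling), the following Python models the checks the thread describes: emitting the META lines of a "content" file for a DESCRDIR, verifying those files back against it before they are used, and reading the =Cks: tag that follows each =Pkg: entry in "packages". The DESCRDIR files are constructed sample data.

```python
import hashlib

# Constructed sample DESCRDIR contents; not files from Pascal's repository.
DESCR_FILES = {
    "packages": (b"=Pkg: kernel-default 2.6.16 13 i586\n"
                 b"=Cks: SHA1 8c8eb2b605e1d626c22bea8dd0c3b05885432b16\n"),
    "packages.en": b"=Pkg: kernel-default 2.6.16 13 i586\n=Sum: The Standard Kernel\n",
    "directory.yast": b"packages\npackages.en\n",
}

def make_content(descrdir, files):
    """Emit DESCRDIR plus one 'META SHA1 <hexdigest> <filename>' line per file."""
    lines = ["DESCRDIR " + descrdir]
    for name, data in sorted(files.items()):
        lines.append("META SHA1 %s %s" % (hashlib.sha1(data).hexdigest(), name))
    return "\n".join(lines) + "\n"

def parse_content(text):
    """Return (descrdir, key_entries, meta_entries); entries map filename -> (algo, digest)."""
    descrdir, entries = None, {"KEY": {}, "META": {}}
    for parts in (line.split() for line in text.splitlines()):
        if len(parts) == 2 and parts[0] == "DESCRDIR":
            descrdir = parts[1]
        elif len(parts) == 4 and parts[0] in entries:  # KEY/META ALGO DIGEST FILE
            entries[parts[0]][parts[3]] = (parts[1].lower(), parts[2].lower())
    return descrdir, entries["KEY"], entries["META"]

def verify_descr_files(meta, files):
    """Check DESCRDIR files (name -> bytes) against META; returns name ->
    'ok' | 'mismatch' | 'unlisted' | 'missing'. An unlisted file must not be
    used, just as YaST refuses a DESCRDIR file with no entry in 'content'."""
    status = {name: "missing" for name in meta}
    for name, data in files.items():
        if name not in meta:
            status[name] = "unlisted"
        else:
            algo, digest = meta[name]  # the wiki says SHA1 may later become SHA256
            status[name] = "ok" if hashlib.new(algo, data).hexdigest() == digest else "mismatch"
    return status

def parse_packages(text):
    """Map each '=Pkg:' entry to the (algo, digest) of the '=Cks:' tag that follows it."""
    cks, current = {}, None
    for line in text.splitlines():
        if line.startswith("=Pkg:"):
            current = line[5:].strip()
        elif line.startswith("=Cks:") and current:
            algo, digest = line[5:].split()
            cks[current] = (algo.lower(), digest.lower())
    return cks
```

The content file built here carries only META entries; the signature over "content" itself (content.asc/content.key) is a separate gpg step that this example does not perform.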
Pascal Bleser wrote:
Trying to add signatures to my (yast2) RPM repository for 10.1.
Apropos, I have created a small script for my private repository:
ftp://ftp.penguin.cz/pub/users/utx/suse/10.1/update_yast_source

It needs some editing (gpg keys) before use by another person. It takes just-compiled packages, signs them and moves them to the repository. I have borrowed some code from makeSUSEdvd. It seems to work and creates signed sources accepted by YaST.

-- 
Best Regards / S pozdravem,
Stanislav Brabec
software developer
---------------------------------------------------------------------
SuSE CR, s. r. o.             e-mail: sbrabec@suse.cz
Drahobejlova 27               tel: +420 296 542 382
190 00 Praha 9                fax: +420 296 542 374
Czech Republic                http://www.suse.cz/
---------------------------------------------------------------------
participants (3)
- Marcus Meissner
- Pascal Bleser
- Stanislav Brabec