reply to Adrian Schröter:
On Tuesday, 14 April 2020, 16:24:20 CEST, Neal Gompa wrote:
On Tue, Apr 14, 2020 at 10:20 AM cunix <cunix@gmx.net> wrote:
reply to Robert Schweikert:
On 4/11/20 5:41 AM, Simon Lees wrote:
On 4/11/20 9:20 AM, cunix wrote:
[...] We can just resign packages without rebuilding them.
We could do that, but I do not see the point actually.
1) Resigning always makes security weaker because it no longer happens at the origin.
Does this apply to "adding" (not "replacing") a signature as well?
2) The package signing is not very important in practice. The zypp stack verifies the signature of the repository metadata and also the %_vendor of the rpms. But the package signature itself is not verified (only indirectly via the hash sum of the entire file).
Setting "pkg_gpgcheck=1" [1] in a repo file, I would expect zypper not to install a package that is only (rpm) signed by an untrusted key. This should work with the rpm directly [2], no? And of course my hope is this feature won't get lost.
So making the security weaker and dealing with the same files twice with different signatures gives no advantage from my POV.
I would argue, from an openSUSE Leap user's perspective, security is only kept at its current level if a signature from a currently trusted (openSUSE) key is included and this signing authority has verified it would have created the same binary (without the SUSE signature) before adding its own signature.

cunix

[1] https://github.com/openSUSE/libzypp/blob/cf056100f41d8023cc027c2ac7f256306a6...
[2] https://github.com/openSUSE/libzypp/blob/67f55b474d67f77c1868955da8542a7acfa...

--
To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org
To contact the owner, email: opensuse-project+owner@opensuse.org
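As an added illustration of the two checks argued about in this thread (which repo-file knobs make zypper verify each package's own signature rather than relying on the checksum in signed metadata, and how to ask rpm directly whether a package carries a signature from a key the rpm keyring trusts), here is a small POSIX shell example. It is not code from the thread, from libzypp or from openSUSE. The two .repo stanzas are constructed, the gpgcheck/repo_gpgcheck/pkg_gpgcheck decision rule is my reading of the libzypp RepoInfo documentation and should be confirmed against the libzypp version in use, and the list of signature header tags queried is an assumption to check with `rpm --querytags`.

```shell
#!/bin/sh
# Added example, not from the thread, libzypp or openSUSE.
# Part 1: read a zypper .repo stanza and say how package signatures will be handled.
# Part 2: ask rpm directly whether a package file is signed by a key rpm trusts.

# Constructed sample stanzas (example.invalid is not a real repository).
WEAK_REPO='[example-weak]
name=Example repo, package signature check switched off
enabled=1
baseurl=https://example.invalid/repo/weak/
type=rpm-md
gpgcheck=1
pkg_gpgcheck=0
'

STRICT_REPO='[example-strict]
name=Example repo, package signature check mandatory
enabled=1
baseurl=https://example.invalid/repo/strict/
type=rpm-md
gpgcheck=1
pkg_gpgcheck=1
'

# repo_option STANZA KEY: print KEY's value (last occurrence wins), or nothing.
# The anchored pattern keeps "gpgcheck" from matching "pkg_gpgcheck" lines.
repo_option() {
    printf '%s\n' "$1" |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" |
        tail -n 1
}

# pkg_sig_policy STANZA: print how libzypp will treat package signatures, as I
# read the RepoInfo docs (assumption, verify against your libzypp version):
#   mandatory - pkg_gpgcheck=1: every package's own signature must verify
#   disabled  - pkg_gpgcheck=0, or gpgcheck=0 without a pkg_gpgcheck override
#   fallback  - default: metadata signature checked; package signatures only
#               when the metadata is unsigned (otherwise the metadata checksum
#               is what covers the file, the situation described in the thread)
pkg_sig_policy() {
    case "$(repo_option "$1" pkg_gpgcheck)" in
        1|on|yes|true)  echo mandatory; return 0 ;;
        0|off|no|false) echo disabled;  return 0 ;;
    esac
    case "$(repo_option "$1" gpgcheck)" in
        0|off|no|false) echo disabled ;;
        *)              echo fallback ;;
    esac
}

# verify_rpm FILE: succeed only if rpm is installed, "rpm -K" accepts the file
# (a signature from a key missing from the rpm keyring makes it exit non-zero),
# and the package actually carries an OpenPGP signature. The last step matters:
# an unsigned package reports its digests as OK and rpm -K exits 0 for it.
verify_rpm() {
    command -v rpm >/dev/null 2>&1 || { echo "rpm not installed, cannot verify" >&2; return 2; }
    rpm -K "$1" || return 1
    # Assumption: header-only and header+payload signature tags; confirm with rpm --querytags.
    for tag in RSAHEADER DSAHEADER SIGPGP SIGGPG; do
        sig=$(rpm -qp --qf "%{$tag:pgpsig}" "$1" 2>/dev/null)
        case "$sig" in
            ''|'(none)') ;;
            *) echo "$1: $tag signature: $sig"; return 0 ;;
        esac
    done
    echo "$1: digests OK but no OpenPGP signature present" >&2
    return 1
}

# Stand-alone demo: classify both constructed stanzas, then verify a package
# file if one was given on the command line.
printf 'weak stanza:   %s\n' "$(pkg_sig_policy "$WEAK_REPO")"
printf 'strict stanza: %s\n' "$(pkg_sig_policy "$STRICT_REPO")"
if [ $# -ge 1 ]; then verify_rpm "$1"; fi
```

Run it with a downloaded .rpm as the first argument on a system that has rpm; the stanza classification needs nothing installed. The point of `verify_rpm` checking the signature tags after `rpm -K` is that a clean `rpm -K` exit only proves the digests match, which is exactly the "indirect" integrity check the thread contrasts with an actual signature from a trusted key.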