On Thursday, 16 April 2020, 22:01:43 CEST, cunix wrote:
> reply to Adrian Schröter:
> > On Tuesday, 14 April 2020, 16:24:20 CEST, Neal Gompa wrote:
> > > On Tue, Apr 14, 2020 at 10:20 AM cunix <cunix@gmx.net> wrote:
> > > > reply to Robert Schweikert:
> > > > > On 4/11/20 5:41 AM, Simon Lees wrote:
> > > > > > On 4/11/20 9:20 AM, cunix wrote:
> > > [...] We can just resign packages without rebuilding them.
> >
> > we could do that, but I do not see the point actually.
> >
> > 1) resigning makes security always weaker because it does not happen in the origin anymore.
>
> Does this apply to "adding" (not "replacing") a signature as well?

No, but IIRC rpm format and/or our tooling is supporting only a single key atm (not checked). In any case it would modify the rpm, so the file would not have the same checksum anymore. That makes it harder to compare. So I'd like to avoid this...

> > 2) the package signing is not very important in practice. zypp stack is verifying the signature of the repository meta data and also the %_vendor of the rpms. But the package signature itself is not verified (only indirectly via the hash sum of the entire file).
>
> Setting "pkg_gpgcheck=1" [1] in a repo file, I would expect zypper not to install a package that is only (rpm) signed by a not trusted key.

okay, if you enable that it may check rpm signatures in addition. Not our default though.

> This should work with the rpm directly [2], no?
>
> And of course my hope is this feature won't get lost.

It should not. What we will do in the current setup is basically to import both gpg keys, SLE and openSUSE, by default as trusted keys. So I see no feature going away, but we keep the transparency and the original package.

> > So making the security weaker and dealing with the same files twice with different signatures is not giving any advantage from my POV.
>
> I would argue, from an openSUSE Leap user's perspective, security is only kept at its current level if a signature from a nowadays trusted (openSUSE) key is included and this signing authority has verified it would have created the same binary (without SUSE signature) before adding its own signature.

From my POV a Leap user anyway needs to trust SUSE and openSUSE atm, because the sources are submitted directly. Using two keys and the binaries is making this just more visible to the user. Can you follow me here?

bye
adrian

-- 
Adrian Schroeter
email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg
Germany

-- 
To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org
To contact the owner, email: opensuse-project+owner@opensuse.org
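Adrian's point that resigning changes the file checksum, and cunix's wish to compare a binary independently of who signed it, can both be checked by hashing only the part of an RPM that signing leaves untouched. The Python below is an added example, not code from this thread or from the rpm/zypp projects; it assumes the standard RPM layout (96-byte lead followed by the signature header structure) and builds two synthetic packages inline, so the index tag number and the signature blobs are placeholders.

```python
import hashlib
import struct

RPM_LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # rpm header structure magic, version 1
LEAD_LEN = 96


def split_rpm(data: bytes):
    """Return (lead, signature header, header+payload) of an RPM file.

    The signature header is an rpm header structure: magic, 4 reserved
    bytes, big-endian index count and data size, 16-byte index entries,
    then the data blob, padded so the main header starts on an 8-byte
    boundary.  Signing rewrites only this section of the file.
    """
    if data[:4] != RPM_LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    if data[LEAD_LEN:LEAD_LEN + 4] != HEADER_MAGIC:
        raise ValueError("bad signature header magic")
    nindex, hsize = struct.unpack(">II", data[LEAD_LEN + 8:LEAD_LEN + 16])
    sig_len = 16 + 16 * nindex + hsize
    sig_len += (8 - sig_len % 8) % 8          # pad to 8-byte boundary
    sig_end = LEAD_LEN + sig_len
    return data[:LEAD_LEN], data[LEAD_LEN:sig_end], data[sig_end:]


def content_digest(data: bytes) -> str:
    """SHA-256 of header+payload only: stays the same when a package is resigned."""
    return hashlib.sha256(split_rpm(data)[2]).hexdigest()


def compare_packages(a: bytes, b: bytes) -> dict:
    """Whole-file hash (changes on resign) vs. signature-independent content hash."""
    return {
        "file_sha256_equal": hashlib.sha256(a).digest() == hashlib.sha256(b).digest(),
        "content_equal": content_digest(a) == content_digest(b),
    }


def build_fake_rpm(sig_blob: bytes, body: bytes) -> bytes:
    """Constructed minimal RPM for the demo: real section layout, placeholder contents."""
    lead = RPM_LEAD_MAGIC + b"\x03\x00" + bytes(LEAD_LEN - 6)  # v3.0 lead, rest zeroed
    index = struct.pack(">IIII", 1000, 7, 0, len(sig_blob))     # placeholder tag, BIN type
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, len(sig_blob)) + index + sig_blob
    sig += bytes((8 - len(sig) % 8) % 8)
    return lead + sig + body


# Same header+payload, two different signature blobs (all values constructed).
BODY = HEADER_MAGIC + bytes(4) + struct.pack(">II", 0, 0) + b"main header and payload bytes"
ORIGINAL = build_fake_rpm(b"signature-by-key-A", BODY)
RESIGNED = build_fake_rpm(b"signature-by-key-B, different length", BODY)
```

Running `compare_packages(ORIGINAL, RESIGNED)` reports the whole-file SHA-256 as different but the header+payload digest as equal, which is the comparison a mirror or repository maintainer would want when the same binary carries a second signature.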