[opensuse-project] Signing repos

Hi openSUSE people,

I'm not an openSUSE member (I don't do software development any more) but would like to get a serious security flaw fixed: there is no way to check the validity of a repository / build signing key. [You are welcome to correct me if I'm wrong - I'd love to know how to check this]

I would suggest that, as a minimum, signing / build keys for main repos associated with openSUSE are signed by a main openSUSE key after (in some fashion) the requester's identity is verified. We can then (individually) decide to trust that signing process (and hence the signatures) or not. There would have to be a clear statement of both the identity verification process and also the full extent of the assurance this signature gives. I would suggest there should also be some kind of quality threshold (e.g. bug fix statistics) as well as a method to revoke the key / signature.

Or, does one of the openSUSE security experts have a better simple suggestion? What would I need to do to effect this change?

Any advice or comment is very welcome,

Yours
David Hodgson
-- 
To unsubscribe, e-mail: opensuse-project+unsubscribe@opensuse.org
To contact the owner, email: opensuse-project+owner@opensuse.org

Administrator wrote:
> I would suggest that, as a minimum, signing / build keys for main repos associated with openSUSE are signed by a main openSUSE key after (in some fashion) the requester's identity is verified. We can then (individually) decide to trust that signing process (and hence the signatures) or not.

I'm not sure I understand what you mean. The keys for the official repos are automatically in rpm's key ring of every installation. All packages in a repo as well as the repo itself are signed with the same key. The package signature is added automatically by the build system and testifies that a certain package was built in a certain project. The signing key cannot be set by the packager. IOW there is no point in establishing a web of trust with keys that identify people.

cu
Ludwig
-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)

On 11/28/2011 10:56 AM, Ludwig Nussel wrote:
> Administrator wrote:
>> I would suggest that, as a minimum, signing / build keys for main repos associated with openSUSE are signed by a main openSUSE key after (in some fashion) the requester's identity is verified. We can then (individually) decide to trust that signing process (and hence the signatures) or not.
> I'm not sure I understand what you mean. The keys for the official repos are automatically in rpm's key ring of every installation. All packages in a repo as well as the repo itself are signed with the same key. The package signature is added automatically by the build system and testifies that a certain package was built in a certain project. The signing key cannot be set by the packager. IOW there is no point in establishing a web of trust with keys that identify people.
> cu Ludwig

Ludwig, we have just one point to fix. Once a key has been trusted and installed, when it expires there are no warnings nor any other way (as far as I know) than to delete it and push a new one, if one exists.
-- 
Bruno Friedmann
Ioda-Net Sàrl www.ioda-net.ch
openSUSE Member & Ambassador
GPG KEY : D5C9B751C4653227
irc: tigerfoot

>> I would suggest that, as a minimum, signing / build keys for main repos associated with openSUSE are signed by a main openSUSE key after (in some fashion) the requester's identity is verified. We can then (individually) decide to trust that signing process (and hence the signatures) or not.
> I'm not sure I understand what you mean. The keys for the official repos are automatically in rpm's key ring of every installation. All packages in a repo as well as the repo itself are signed with the same key. The package signature is added automatically by the build system and testifies that a certain package was built in a certain project. The signing key cannot be set by the packager. IOW there is no point in establishing a web of trust with keys that identify people.

I may be using the wrong terminology, but I get repeated warnings when updating the system that "The file repomd.xml ... is digitally signed with the following unknown GnuPG key ..." and am then asked if I want to use it anyway. There is no way to check if the key referred to is valid.

It seems to happen a lot on the Java repository ...

Yours
David

On 30/11/11 07:48, Administrator wrote:
>>> I would suggest that, as a minimum, signing / build keys for main repos associated with openSUSE are signed by a main openSUSE key after (in some fashion) the requester's identity is verified. We can then (individually) decide to trust that signing process (and hence the signatures) or not.
>> I'm not sure I understand what you mean. The keys for the official repos are automatically in rpm's key ring of every installation. All packages in a repo as well as the repo itself are signed with the same key. The package signature is added automatically by the build system and testifies that a certain package was built in a certain project. The signing key cannot be set by the packager. IOW there is no point in establishing a web of trust with keys that identify people.
> I may be using the wrong terminology, but I get repeated warnings when updating the system that "The file repomd.xml ... is digitally signed with the following unknown GnuPG key ..." and then asked if I want to use it anyway. There is no way to check if the key referred to is valid.
> It seems to happen a lot on the Java repository ...

It is happening on the Java repo almost every time I do a zypper refresh. Happened several minutes ago. It is getting beyond being annoying. Makes one wonder if the maintainer knows what s/he is doing or whether the repo is compromised.

BC
-- 
What religion were Adam and Eve?

On 2011-11-28 10:56, Ludwig Nussel wrote:
> Administrator wrote:
>> I would suggest that, as a minimum, signing / build keys for main repos associated with openSUSE are signed by a main openSUSE key after (in some fashion) the requester's identity is verified. We can then (individually) decide to trust that signing process (and hence the signatures) or not.
> I'm not sure I understand what you mean. The keys for the official repos are automatically in rpm's key ring of every installation. All packages in a repo as well as the repo itself are signed with the same key. The package signature is added automatically by the build system and testifies that a certain package was built in a certain project. The signing key cannot be set by the packager. IOW there is no point in establishing a web of trust with keys that identify people.

Often when we add a repo we are asked whether we trust the new PGP key of the repo, and we have no way to know if that new key is good or not before importing it. There is no web of trust, no verification method. Even worse, a key sometimes expires and the owners are not aware.
-- 
Cheers / Saludos,
Carlos E. R.
(from 11.2 x86_64 "Emerald" GM (Minas Tirith))
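Bruno's and Carlos's point above is that a repo key can expire with no warning from the tools. The following added example, which is not code from this thread or from openSUSE, parses the OpenPGP public key a repository publishes (assumed here to be the ASCII-armored repodata/repomd.xml.key file) and reports the key's creation time and the expiry set by its self-signature, so an expiry check can run before the key is imported into rpm's keyring. It handles v4 keys with old- and new-format packet headers, not partial body lengths, and runs here on a constructed sample key with fake RSA material.

```python
import base64, struct

def dearmor(text):
    # Keep only the base64 body: drop BEGIN/END lines, armor headers and the "=XXXX" CRC24 line (not verified).
    lines = text.strip().splitlines()
    body = lines[next(i for i, x in enumerate(lines) if not x.strip()) + 1:]   # blank line ends the headers
    return base64.b64decode("".join(x for x in body if not x.startswith(("=", "-----"))))

def _len(buf, i):
    # New-format packet/subpacket length at buf[i] -> (length, index after it); partial lengths unsupported.
    f = buf[i]
    if f < 192: return f, i + 1
    if f < 255: return ((f - 192) << 8) + buf[i + 1] + 192, i + 2
    return struct.unpack(">I", buf[i + 1:i + 5])[0], i + 5

def packets(data):
    # Yield (tag, body) per OpenPGP packet (RFC 4880 section 4.2), old- and new-format headers.
    i = 0
    while i < len(data):
        hdr = data[i]
        if hdr & 0x40:                                   # new format: tag in the low 6 bits
            tag, (ln, i) = hdr & 0x3F, _len(data, i + 1)
        else:                                            # old format: tag in bits 2-5, length size in bits 0-1
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 3)
            ln, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        yield tag, data[i:i + ln]
        i += ln

def key_validity(armored):
    # (created, expires) as epoch seconds for the primary key; expires is None if no self-sig sets one.
    created = expires = None
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and created is None:                 # public key packet: version byte, 4-byte creation time
            created = struct.unpack(">I", body[1:5])[0]
        elif tag == 2 and created and body[1] in (0x10, 0x11, 0x12, 0x13, 0x1F):   # self-signature types
            j, end = 6, 6 + struct.unpack(">H", body[4:6])[0]     # hashed subpacket area of a v4 signature
            while j < end:
                ln, j = _len(body, j)
                if body[j] & 0x7F == 9:                  # key expiration time: seconds after key creation
                    expires = created + struct.unpack(">I", body[j + 1:j + 5])[0]
                j += ln
    return created, expires

def constructed_sample(created, lifetime):
    # A CONSTRUCTED key block with fake RSA material but a valid packet layout, for offline testing only.
    key = b"\x04" + struct.pack(">I", created) + b"\x01\x00\x08\xab\x00\x02\x03"
    sig = (b"\x04\x13\x01\x08\x00\x0c\x05\x02" + struct.pack(">I", created)
           + b"\x05\x09" + struct.pack(">I", lifetime) + b"\x00\x00\xde\xad\x00\x08\xab")
    raw = b"\x98" + bytes([len(key)]) + key + b"\xb4\x03uid" + b"\xc2" + bytes([len(sig)]) + sig
    b64 = base64.b64encode(raw).decode()
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n"
```

Comparing the returned expiry against the current time gives the warning the tools in the thread do not; a key whose self-signature has no expiration subpacket returns None and never expires on its own.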

On Monday, November 28, 2011 03:56:23 AM Ludwig Nussel wrote:
> The package signature is added automatically by the build system and testifies that a certain package was built in a certain project.

This is good, but still, how can one check whether a key originated from OBS or from some malicious site? How can one verify that a key change, which happens from time to time, is a regular replacement for an expired key and not malicious activity, or a sign that someone already used a fake key and now the real one comes as a "replacement"?

> The signing key cannot be set by the packager. IOW there is no point in establishing a web of trust with keys that identify people.

While in the current process there is no point in creating a web of trust, the fact is that my trust in a repository depends, among other things, on the listed maintainers and their previous activity.
-- 
Regards, Rajko