[opensuse-security] Verifying authenticity of Community Repositories
Hi!

Today I wanted to add some community repositories as installation sources, more specifically stuff from the OpenSuse Build Service. Yast complained about an untrusted key, since the public key of the build service is not included in the distribution (not to be confused with the build key, which is included).

Of course I could just press the "OK" button, or download the key from [1], import it and never be bothered again. But that key has no signatures and is transmitted via http, so I still do not know if I have the right key. Is there any way of securely retrieving the authentic public key of the build service without traveling to Nuremberg? How is the average user supposed to do that?

Happy Holidays
nordi

[1] http://download.opensuse.org/openSUSE-Build-Service.asc

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-security+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-security+help@opensuse.org
nordi wrote:
> there any way of securely retrieving the authentic public key of the build service without traveling to Nuremberg?

No :). In any case, you have to trust other stuff anyway.

-- 
"The only thing that interferes with my learning is my education." - Albert Einstein

Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/
On Thu, Dec 27, 2007 at 01:05:58AM +0100, nordi wrote:
> Hi!
>
> Today I wanted to add some community repositories as installation sources, more specifically stuff from the OpenSuse Build Service. Yast complained about an untrusted key, since the public key of the build service is not included in the distribution (not to be confused with the build key, which is included).
>
> Of course I could just press the "OK" button, or download the key from [1], import it and never be bothered again. But that key has no signatures and is transmitted via http, so I still do not know if I have the right key. Is there any way of securely retrieving the authentic public key of the build service without traveling to Nuremberg? How is the average user supposed to do that?

Actually we should perhaps just sign it with a known key.

Also, we will switch to per-project GPG keys in the future.

Ciao, Marcus
Marcus Meissner wrote:
> Actually we should perhaps just sign it with a known key.

That would be a good idea. Digital signing is not of much use if I cannot verify the signature. If you do this, then please also sign the keys of other repositories (packman, nvidia, ati...) so that these can be used securely as well.

> Also, we will switch to per-project GPG keys in the future.

Will this create some extra security? I see the digital signature as proof that the package was really produced by the build service and was not manipulated by a man in the middle.

Although per-project keys could mean that fewer people have access to a specific key. That would lessen the impact if the PC of a developer gets compromised. Or does the build service system sign the packages automatically?

Regards
nordi
nordi wrote:
> Marcus Meissner wrote:
>> Also, we will switch to per-project GPG keys in the future.
>
> Will this create some extra security? I see the digital signature as proof that the package was really produced by the build service and was not manipulated by a man in the middle.

But the fact that the package was produced by the BS doesn't tell you much. There's no pre-checking review by the buildservice team, the buildservice builds whatever the packagers upload, so you don't need a man in the middle to add 'rm -rf /' to a package scriptlet in your home project ;). Per-project keys will allow you to select projects (to which only a group of packagers has access) you want to trust, instead of "trust everything that comes from the build service".

Michal
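The check nordi asks for in the opening mail, written out as an added example (this is not code from the thread or from the openSUSE project): fetch the key over plain http, compare its fingerprint with one obtained through a channel you already trust, and only then hand it to rpm. It assumes gpg (2.1.14 or newer, for `--import-options show-only`), curl and rpm are installed; the URL is the one quoted in the thread, while the fingerprint itself is a placeholder you have to supply in `OBS_KEY_FPR`, and the function names are mine. `show_certifications` covers Marcus's "sign it with a known key" proposal: once such a signature exists, `gpg --check-sigs` lets you see whether a key you already trust has certified the repository key.

```shell
#!/bin/sh
# Added example, not from the thread or the openSUSE project: check a repository
# signing key against a fingerprint obtained out of band (assumed to be published
# through a channel you already trust) before handing the key to rpm.
# Requires gpg (GnuPG >= 2.1.14 for --import-options show-only), curl and rpm.

# Normalize a fingerprint: drop whitespace and uppercase it, so that the
# "AB CD ..." form printed by gpg compares equal to a pasted lowercase copy.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Return 0 when two fingerprints name the same key, 1 otherwise.
# An empty fingerprint never matches, so a failed extraction cannot pass.
fpr_matches() {
    [ -n "$1" ] && [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Print the primary-key fingerprint of an ASCII-armored key file without
# importing it into any keyring (machine-readable "fpr" record, field 10).
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# Fetch the key over plain http (the transport is untrusted, which is the
# point of the thread), compare its fingerprint with the expected one, and only
# then import it for rpm/zypper. Nothing is imported on a mismatch.
verify_and_import() {
    url="$1" expected="$2"
    tmp=$(mktemp) || return 1
    if ! curl -fsS -o "$tmp" "$url"; then
        echo "download failed: $url" >&2; rm -f "$tmp"; return 1
    fi
    actual=$(key_fingerprint "$tmp")
    if fpr_matches "$actual" "$expected"; then
        echo "fingerprint matches ($actual); importing into the RPM keyring"
        rpm --import "$tmp"; rc=$?
    else
        echo "FINGERPRINT MISMATCH: got '$actual', expected '$expected'; not importing" >&2
        rc=1
    fi
    rm -f "$tmp"
    return $rc
}

# Second check, for the "sign it with a known key" proposal: import the key into
# your gpg keyring and list the certifications on it, so you can see whether a
# key you already trust (e.g. a distribution key) has signed it.
show_certifications() {
    gpg --batch --import "$1" 2>/dev/null
    gpg --batch --check-sigs "$(key_fingerprint "$1")"
}

# Usage (run as root so that rpm --import can write the keyring):
#   OBS_KEY_FPR='<fingerprint obtained out of band>' sh verify-key.sh --import
# OBS_KEY_FPR is a placeholder: nothing in this script knows the real value.
if [ "${1:-}" = "--import" ]; then
    verify_and_import "http://download.opensuse.org/openSUSE-Build-Service.asc" \
        "${OBS_KEY_FPR:?set OBS_KEY_FPR to the fingerprint obtained out of band}"
fi
```

The fingerprint comparison is the whole point: a key that arrives over http with no certifications carries no trust of its own, so the trust has to come from the out-of-band value, and the script refuses to import anything when the two disagree or when gpg could not extract a fingerprint at all.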
participants (4)
- Cristian Rodríguez
- Marcus Meissner
- Michal Marek
- nordi