how to trust opensuse keys? new RSA 4096 bit keys, how to double check?
Support,

how to trust opensuse keys? new RSA 4096 bit keys, how to double check? e.g. when test driving new dup for 15.5:

# sudo zypper -vvv --releasever=15.5 ref
....
Checking whether to refresh metadata for Update repository of openSUSE Backports
Retrieving: http://download.opensuse.org/update/leap/15.5/backports/repodata/repomd.xml ........................................................................................................................[done (195 B/s)]
Retrieving: http://download.opensuse.org/update/leap/15.5/backports/repodata/repomd.xml.... .....................................................................................................................[done (63 B/s)]
Retrieving: http://download.opensuse.org/update/leap/15.5/backports/repodata/repomd.xml.... .....................................................................................................................[done (63 B/s)]
Retrieving: http://download.opensuse.org/update/leap/15.5/backports/repodata/repomd.xml ..................................................................................................................................[done]
New repository or package signing key received:

  Repository:       Update repository of openSUSE Backports
  Key Fingerprint:  F044 C2C5 07A1 262B 538A AADD 8A49 EB03 25DB 7AE0
  Key Name:         openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org>
  Key Algorithm:    RSA 4096
  Key Created:      Wed 10 May 2023 04:46:12 PM CEST
  Key Expires:      Sun 09 May 2027 04:46:12 PM CEST
  Rpm Name:         gpg-pubkey-25db7ae0-645bae34

    Note: Signing data enables the recipient to verify that no modifications occurred after the data were signed. Accepting data with no, wrong or unknown signature can lead to a corrupted system and in extreme cases even to a system compromise.
    Note: A GPG pubkey is clearly identified by its fingerprint. Do not rely on the key's name. If you are not sure whether the presented key is authentic, ask the repository provider or check their web site. Many providers maintain a web page showing the fingerprints of the GPG keys they are using.

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):
--------------------------

I never understood how to actually test and look up these keys, where to make sense of them, and how to react in such cases: questions from zypper or from the yast software modules when adding additional repos, and many more such situations.

I used to understand that one needs to check via other means, other channels, and look for these keys' fingerprints etc. published on some official project and company websites and all. But this is all in such a messed up and not fully established state, at least that's what I make of it. All I find is a corporate SUSE (not openSUSE) signing keys page, for example.

This needs to become much better, I say. Maybe nobody in the userbase cares these days; everybody just clicks and downloads and executes :( Please make this a wholesome and good experience and don't miseducate the userbase into just not understanding and knowing anything about security, trust chains etc.

Anyone care to elaborate how to actually double check on openSUSE binaries and repos and their security and all? It all boils down to keys, to the root source of authority of a project et al. Also, are old keys signing the newer keys and building chains and successions and so on? ty
Hi,

We just some days ago switched the key.

zypper in openSUSE-build-key

to get the latest version from GA, then

rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-25db7ae0-645bae34.asc

Ciao, Marcus

On Tue, May 23, 2023 at 05:51:20PM +0200, cagsm wrote:
> [...]

-- 
Marcus Meissner (he/him), Distinguished Engineer / Senior Project Manager Security
SUSE Software Solutions Germany GmbH, Frankenstrasse 146, 90461 Nuernberg, Germany
GF: Ivo Totev, Andrew Myers, Andrew McDonald, Martje Boudien Moerman, HRB 36809, AG Nuernberg
On 2023-05-23 18:05, Marcus Meissner wrote:
> Hi,
> We just some days ago switched the key.
> zypper in openSUSE-build-key
> to get the latest version from GA, then
> rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-25db7ae0-645bae34.asc
What is missing is an official openSUSE web page (not a wiki) where the fingerprints are published, where we can compare them with the downloaded keys so that we can verify that they are truly the correct keys.

ALL the keys should be there, somewhere.

-- 
Cheers / Saludos,
Carlos E. R.
(from 15.4 x86_64 at Telcontar)
On 23.05.2023 21:11, Carlos E. R. wrote:
> On 2023-05-23 18:05, Marcus Meissner wrote:
> > Hi,
> > We just some days ago switched the key.
> > zypper in openSUSE-build-key
> > to get the latest version from GA, then
> > rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-25db7ae0-645bae34.asc
>
> What is missing is an official openSUSE web page (not a wiki) where the fingerprints are published, where we can compare them with the downloaded keys so that we can verify that they are truly the correct keys.
> ALL the keys should be there, somewhere.
While I certainly agree with it, in this case the key is included in a package (openSUSE-build-key) which is itself signed by another, already trusted, key. So it answers the original question "how to trust the new key". Of course, the existence of this RPM is probably even less known (I was not aware of it).

I wonder what is the point of having this RPM in the first place - I would expect it to import new keys on update.
On Tue, May 23, 2023 at 10:11:01PM +0300, Andrei Borzenkov wrote:
> On 23.05.2023 21:11, Carlos E. R. wrote:
> > On 2023-05-23 18:05, Marcus Meissner wrote:
> > > [...]
> > > rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-25db7ae0-645bae34.asc
> >
> > What is missing is an official openSUSE web page (not a wiki) where the fingerprints are published, where we can compare them with the downloaded keys so that we can verify that they are truly the correct keys.
> > ALL the keys should be there, somewhere.
>
> While I certainly agree with it, in this case the key is included in a package (openSUSE-build-key) which is itself signed by another, already trusted, key. So it answers the original question "how to trust the new key". Of course, the existence of this RPM is probably even less known (I was not aware of it).
>
> I wonder what is the point of having this RPM in the first place - I would expect it to import new keys on update.
Currently the keys are imported during install.

As we switched the key just now during the final phases of 15.5 development, the ones already having installed 15.5 will need this manual work currently.

Everyone else will get the key trusted already from the installer.

I will see we also get it via the repomd gpg key method.

Ciao, Marcus
On Wed, May 24, 2023 at 8:54 AM Marcus Meissner <meissner@suse.de> wrote:
> Currently the keys are imported during install.
I was trying a dry run / test from 15.4 via dup releasever. When will 15.4 get the new keys?

And also, could the zypper process or other means not tell the user that the new key is signed by the older keys and trusted and what not, and not ask ominous questions that a user cannot possibly decide? Why does zypper not tell the user exactly about the key to be imported: that it is safe and signed by already existing keys, or that it is not safe because it is a standalone key, or that the user ought to check by other means or check at a certain official second channel or web page or any such thing?
> As we switched the key just now during the final phases of 15.5 development, the ones already having installed 15.5 will need this manual work currently. Everyone else will get the key trusted already from the installer.

How will the zypper dup work coming from 15.4?
On 24.05.23 09:20, cagsm wrote:
> how will the zypper dup work coming from 15.4?
It appears that this problem hasn't been solved, yet. I just tried this on a fully patched 15.4:

--- snip ---
box154:~ # zypper clean -a
box154:~ # zypper --releasever 15.5 ref
[...]
New repository or package signing key received:

  Repository:       Update repository of openSUSE Backports
  Key Fingerprint:  F044 C2C5 07A1 262B 538A AADD 8A49 EB03 25DB 7AE0
  Key Name:         openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org>
  Key Algorithm:    RSA 4096
  Key Created:      Wed May 10 16:46:12 2023
  Key Expires:      Sun May 9 16:46:12 2027
  Rpm Name:         gpg-pubkey-25db7ae0-645bae34
[...]
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): ^C
--- snip ---

It would be nice if the new key landed automatically on *existing* 15.4 installations.

Thanks + regards -- Till

-- 
Dipl.-Inform. Till Dörges                  doerges@pre-sense.de
PRESENSE Technologies GmbH                 Nagelsweg 41, D-20097 HH
Geschäftsführer/Managing Directors         AG Hamburg, HRB 107844
Till Dörges, Jürgen Sander                 USt-IdNr.: DE263765024
On Thu, Jun 1, 2023 at 10:04 PM Till Dörges <doerges@pre-sense.de> wrote:
> On 24.05.23 09:20, cagsm wrote:
> > how will the zypper dup work coming from 15.4?
>
> It appears that this problem hasn't been solved, yet. I just tried this on a fully patched 15.4:
> [...]
> It would be nice if the new key landed automatically on *existing* 15.4 installations.
Exactly. How is the transition from a 15.4 Leap install to 15.5 in terms of these seemingly endless security- and trust-related questions about unknown pgp keys, signatures, checksums and all this stuff? Can somebody from the project and the openSUSE grandmasters please answer this question? Really, do.

How does the normal user trust your system, and how does one build up a history of a long-running openSUSE experience and not always start life over with every new openSUSE release? Methinks I have come across these very same situations for the past ten or so years in my endeavors into the openSUSE universe, and it's always the same. This project simply doesn't seem to care to publish their pgp keys properly, transparently, very openly and in an organized way as a trustworthy project, so many things are left unanswered on even these fundamental levels.

Why wouldn't you already have published these keys into the still current 15.4 version of your operating system project, and sign the new keys for example with the old keys and establish a chain of trust and all this? How is the whole community dealing with this actually? Do people just not care at all, or can they not decide and judge these situations, and click left and right on everything that comes along their way and pops up in front of them? :(
On Sat, Jun 03, 2023 at 06:44:32PM +0200, cagsm wrote:
> On Thu, Jun 1, 2023 at 10:04 PM Till Dörges <doerges@pre-sense.de> wrote:
> > [...]
> > It would be nice if the new key landed automatically on *existing* 15.4 installations.
>
> [...] this project simply doesn't seem to care to publish their pgp keys properly, transparently, very openly and in an organized way as a trustworthy project, so many things are left unanswered on even these fundamental levels. Why wouldn't you already have published these keys into the still current 15.4 version of your operating system project, and sign the new keys for example with the old keys and establish a chain of trust [...]
Sorry that there was no such page yet. I have now created one:

https://en.opensuse.org/openSUSE:Signing_Keys

Secondly, I will try to work on auto-importing the new keys in 15.4 so they are there before migration. This is however not super easy.

Ciao, Marcus
On Mon, Jun 5, 2023 at 3:59 PM Marcus Meissner <meissner@suse.de> wrote:
> I have now created one: https://en.opensuse.org/openSUSE:Signing_Keys
It should really contain key fingerprints as displayed by zypper. Most users would not know what to do with public keys in ASCII armor.
On Mon, Jun 05, 2023 at 04:02:26PM +0300, Andrei Borzenkov wrote:
> On Mon, Jun 5, 2023 at 3:59 PM Marcus Meissner <meissner@suse.de> wrote:
> > I have now created one: https://en.opensuse.org/openSUSE:Signing_Keys
>
> It should really contain key fingerprints as displayed by zypper. Most users would not know what to do with public keys in ASCII armor.
Good point, I have now also added the fingerprint output from zypper.

Ciao, Marcus
On 2023-06-05 15:27, Marcus Meissner wrote:
> On Mon, Jun 05, 2023 at 04:02:26PM +0300, Andrei Borzenkov wrote:
> > On Mon, Jun 5, 2023 at 3:59 PM Marcus Meissner <meissner@suse.de> wrote:
> > > I have now created one: https://en.opensuse.org/openSUSE:Signing_Keys
> >
> > It should really contain key fingerprints as displayed by zypper. Most users would not know what to do with public keys in ASCII armor.
>
> Good point, I have now also added the fingerprint output from zypper.
Thank you! :-)

-- 
Cheers / Saludos, Carlos E. R.
On 05.06.23 14:59, Marcus Meissner wrote:
> I have now created one: https://en.opensuse.org/openSUSE:Signing_Keys
Can this page only be changed by authorized people? (It's a wiki page IIUC.)
> Secondly, I will try to work on auto-importing the new keys in 15.4 so they are there before migration.
Thank you!

Regards -- Till
On Mon, Jun 05, 2023 at 10:11:53AM -0400, Till Dörges wrote:
> On 05.06.23 14:59, Marcus Meissner wrote:
> > I have now created one: https://en.opensuse.org/openSUSE:Signing_Keys
>
> Can this page only be changed by authorized people? (It's a wiki page IIUC.)
Yes, the page is now locked to admins only.

Ciao, Marcus
On Wed, May 24, 2023 at 9:54 AM Marcus Meissner <meissner@suse.de> wrote:
> On Tue, May 23, 2023 at 10:11:01PM +0300, Andrei Borzenkov wrote:
> > [...]
> > I wonder what is the point of having this RPM in the first place - I would expect it to import new keys on update.
>
> Currently the keys are imported during install.
>
> As we switched the key just now during the final phases of 15.5 development, the ones already having installed 15.5 will need this manual work currently.
>
> Everyone else will get the key trusted already from the installer.
>
> I will see we also get it via the repomd gpg key method.
The key *is* available from repomd and that was the reason for the original question. Zypper displays some new key (which it fetched from repository metadata) and asks the user to verify and trust it. How can the user possibly verify it?
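Andrei's question ("how can the user possibly verify it?") and Marcus's answer (a published list of fingerprints as zypper displays them) come down to one mechanical check: compare the full fingerprint the prompt shows with the one published out of band, never the key name. The script below is an added example, not code from this thread or from openSUSE, showing what that fingerprint actually is and how the `Rpm Name` line relates to it. Only the OpenPGP v4 fingerprint construction (RFC 4880, sections 5.5.2 and 12.2: SHA-1 over 0x99, a two-byte length and the public-key packet body) and rpm's `gpg-pubkey-<low 32 bits of key ID>-<creation time in hex>` naming are real; the fingerprint and RPM name constants are copied from the zypper output above, and the sample key packet is constructed with a tiny fake modulus so it runs offline and is not a usable RSA key.

```python
"""Fingerprint check for an OpenPGP v4 public key, as zypper/rpm present it.

Added example, not from the thread or from openSUSE. The v4 fingerprint
construction and rpm's gpg-pubkey naming are the real ones; the sample key
below is constructed with a tiny fake modulus and is NOT a usable RSA key.
"""
import hashlib
import struct
from datetime import datetime, timezone

# Copied from the zypper prompt quoted in the thread.
PUBLISHED_BACKPORTS_FP = "F044 C2C5 07A1 262B 538A AADD 8A49 EB03 25DB 7AE0"
PUBLISHED_BACKPORTS_RPM = "gpg-pubkey-25db7ae0-645bae34"


def normalize(fingerprint: str) -> str:
    """Strip whitespace and upper-case so a fingerprint copied from a web page compares cleanly."""
    return "".join(fingerprint.split()).upper()


def format_like_zypper(fingerprint: str) -> str:
    """Groups of four hex digits, the way the zypper prompt prints the fingerprint."""
    fp = normalize(fingerprint)
    return " ".join(fp[i:i + 4] for i in range(0, len(fp), 4))


def fingerprint_matches(shown: str, published: str) -> bool:
    """The check the prompt asks for: the whole 40-digit fingerprint, not the key name."""
    return normalize(shown) == normalize(published)


def mpi(value: int) -> bytes:
    """OpenPGP multi-precision integer: two-byte bit length, then big-endian magnitude."""
    bitlen = value.bit_length()
    return struct.pack(">H", bitlen) + value.to_bytes((bitlen + 7) // 8, "big")


def build_v4_rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a v4 public-key packet for RSA (algorithm id 1): version, ctime, algo, n, e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def parse_pubkey_body(body: bytes) -> dict:
    """Read version, creation time and algorithm id from a public-key packet body."""
    version, created, algo = struct.unpack(">BIB", body[:6])
    return {"version": version, "created": created, "algorithm": algo}


def fingerprint_v4(body: bytes) -> str:
    """v4 fingerprint = SHA-1(0x99 || 2-byte body length || body), as 40 upper-case hex digits."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_id(fingerprint: str) -> str:
    """The 64-bit key ID is the low-order 8 bytes (last 16 hex digits) of a v4 fingerprint."""
    return normalize(fingerprint)[-16:]


def rpm_pubkey_name(fingerprint: str, created: int) -> str:
    """rpm names an imported key gpg-pubkey-<low 32 bits of key ID>-<creation time, hex>."""
    return f"gpg-pubkey-{normalize(fingerprint)[-8:].lower()}-{created:08x}"


def created_utc(rpm_name: str) -> str:
    """Decode the creation timestamp carried in a gpg-pubkey-*-<hex> RPM name."""
    ts = int(rpm_name.rsplit("-", 1)[1], 16)
    return datetime.fromtimestamp(ts, timezone.utc).isoformat()


def demo() -> dict:
    """Fingerprint a constructed key, then run the same checks on the thread's key data."""
    created = int(PUBLISHED_BACKPORTS_RPM.rsplit("-", 1)[1], 16)
    # Constructed sample packet: tiny modulus, not a real key; ctime borrowed from the RPM name.
    body = build_v4_rsa_pubkey_body(created, n=0xC0FFEE1234567890ABCDEF, e=65537)
    fp = fingerprint_v4(body)
    return {
        "sample_fingerprint": format_like_zypper(fp),
        "sample_rpm_name": rpm_pubkey_name(fp, parse_pubkey_body(body)["created"]),
        "thread_rpm_name": rpm_pubkey_name(PUBLISHED_BACKPORTS_FP, created),
        "thread_created_utc": created_utc(PUBLISHED_BACKPORTS_RPM),
        # A fingerprint pasted without spaces or in lower case still has to match.
        "thread_matches_published": fingerprint_matches(
            "f044c2c507a1262b538aaadd8a49eb0325db7ae0", PUBLISHED_BACKPORTS_FP),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two things the output makes visible: `gpg-pubkey-25db7ae0-645bae34` is not an opaque label but the last eight hex digits of the fingerprint plus the key's creation time (0x645bae34 is 2023-05-10 14:46:12 UTC, the 16:46:12 CEST shown by zypper), so the RPM name and the fingerprint can be cross-checked against each other; and because the 32-bit suffix is such a small slice of the fingerprint, the comparison that counts is always the full 40 digits. On a real system the same fingerprint is obtained from the shipped key file with `gpg --show-keys --with-fingerprint /usr/lib/rpm/gnupg/keys/gpg-pubkey-25db7ae0-645bae34.asc`, and from an already imported key with `rpm -qi gpg-pubkey-25db7ae0-645bae34`.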
Interesting. The Axigen mailserver suggests, as an example, "openssl genrsa -out dkim.privkey.domain1_com.pem 2048" to fit Gmail nowadays. Me, 256 SHA. Takes some computing power in every case.

Regards