[opensuse] gpg-pubkeys missing 'Distribution'
I was looking at the distro's and 'arch's for packages installed on one of my systems. The system started out as a '32bit', i586-based system, but was upgraded to x86_64 later in life.

To check that I have no old-arch packages, I printed out dist's and arch's using:

rpm -qa --qf '%-25{distribution} (%{arch}) : %{n}-%{V}-%{R}\n'

Only one package showed had a 'binary' (not 'noarch') arch "mismatch" -- a package left over from 10.2:

openSUSE 10.2 (i686) (i686) : db-4.4.20-16

No...that's not a 'double-arch' printing -- it's a pre-11.1 "bug" where some packages contained an 'arch' string embedded in the distribution name.

Most of the 'arch's agree (sorta) and make no diff, like:

openSUSE 10.2 (X86-64) (x86_64) : nttcp-1.47-151
openSUSE 10.3 (X86-64) (x86_64) : apcupsd-3.14.1-33
openSUSE 11.0 (X86-64) (x86_64) : acpiw-0.75-574.1

(i.e. 10.2, 10.3 and 11.0 had packages with an 'almost correct', but 'bogus' 'arch' embedded in the distribution name ("X86-64" != "x86_64").

A few had mismatching, confused values, mostly fonts/cursors:

openSUSE 10.2 (i586) (noarch) : agfa-fonts-2003.03.19-51
openSUSE 11.0 (i586) (noarch) : Crystalcursors-0.5-197.1
openSUSE 11.0 (i586) (noarch) : bitstream-vera-1.10-278.1

Some script-lang packages, like:

openSUSE 10.3 (i586) (noarch) : yast2-devtools-2.15.9-6
openSUSE 11.0 (i586) (noarch) : bootchart-0.9-221.1

But this is a weird one (as it is inconsistent, but better than the others that it is inconsistent with):

openSUSE 11.0 (i586) (noarch) : suse-build-key-1.0-855.1

It's a build key -- but is it only for signing i586 packages? Not sure what was meant, but among "keys", it's the only one with ANY sort of indication of what "Distribution" it was 'for', or was valid for signing.

The other 'gpg' keys all have NO dist and, using the above mentioned rpm query, print out as:

(none) ((none)) : gpg-pubkey-0dfb3188-41ed929b
(none) ((none)) : gpg-pubkey-307e3d54-44201d5d
(none) ((none)) : gpg-pubkey-307e3d54-481f30aa
(none) ((none)) : gpg-pubkey-3d25d3d9-36e12d04
(none) ((none)) : gpg-pubkey-3dbdc284-49144c3f
(none) ((none)) : gpg-pubkey-56b4177a-47965b33
(none) ((none)) : gpg-pubkey-7e2e3b05-44748aba
(none) ((none)) : gpg-pubkey-7e2e3b05-4816488f
(none) ((none)) : gpg-pubkey-9c800aca-40d8063e
(none) ((none)) : gpg-pubkey-9c800aca-481f343a
(none) ((none)) : gpg-pubkey-a1912208-446a0899
--------

So how do I tell what distro's the keys are good for signing? How do I tell which are for old 'distro's, that I no longer want to have enabled for "signed" installing? I.e. I might like rpm to tell me that 'old-distro rpms' aren't signed with the "latest", released, Distro key(s). Why would I have so many keys installed? I think the first distribution installed on here was 10.2(i586), upgraded 'arch' (w/10.2(x86_64), 10.3, 11.0 and now, 11.1.

Theoretically, one could have 1 signing key/distribution (1 key being good for all archs), so I could have as few as 4 keys if things were 'optimal', or 5 keys if they signed different binary archs separately. But why 11 keys? Maybe oss vs. non-oss packages? That would yield 8 or 10 (presuming I had non-oss packages installed from each of my 4 distros (or 5 binary distros). Whatever...

The point is -- how can one tell if the keys don't say what Distribution they were shipped with?

It's pointless, I believe, to attempt to go back and issue patches for all the pre-11.2 signing key packages so the distro-names would be included, but would it be a good idea (and possible) to include the distributions in 11.2 (and beyond?)

Linda
On Sunday 07 June 2009 23:08:02 Linda Walsh wrote:
> But this is a weird one (as it is inconsistent, but better than the others that it is inconsistent with):
> openSUSE 11.0 (i586) (noarch) : suse-build-key-1.0-855.1
>
> It's a build key -- but is it only for signing i586 packages? Not sure what was meant, but among "keys", it's the only one with ANY sort of indication of what "Distribution" it was 'for', or was valid for signing.
>
> The other 'gpg' keys all have NO dist

"suse-build-key" is not a key, it is an rpm package, which contains a key. You're right that it's not architecture dependent.

> and, using the above mentioned rpm query, print out as:
> (none) ((none)) : gpg-pubkey-0dfb3188-41ed929b

This on the other hand is a key. It is done by doing rpm --import <gpg key>

> So how do I tell what distro's the keys are good for signing? How do I tell which are for old 'distro's, that I no longer want to have enabled for "signed" installing?
There are only two suse keys in total. the suse "build" key (build@suse.de)
and the security key (security@suse.de)
They are used for all distributions, until they expire, at which time they get
an update. The current one will expire in May 2010, if I read correctly
The other keys you have could be various other repository keys. Each build
service repository has its own key, packman has its key and so on.
You can find out what each key is for with "rpm -qi". For example, here is the
output for the suse security key:
rpm -qi gpg-pubkey-3d25d3d9-36e12d04
Name : gpg-pubkey Relocations: (not relocatable)
Version : 3d25d3d9 Vendor: (none)
Release : 36e12d04 Build Date: Tue Dec 9 22:50:38 2008
Install Date: Tue Dec 9 22:50:38 2008 Build Host: localhost
Group : Public Keys Source RPM: (none)
Size : 0 License: pubkey
Signature : (none)
Summary : gpg(SuSE Security Team
Anders Johansson wrote:
> There are only two suse keys in total. the suse "build" key (build@suse.de) and the security key (security@suse.de)
> They are used for all distributions, until they expire, at which time they get an update. The current one will expire in May 2010, if I read correctly
> The other keys you have could be various other repository keys. Each build service repository has its own key

So any mirror would have its own key?

> , packman has its key and so on.

packman? is that the build service? or???

> You can find out what each key is for with "rpm -qi". For example, here is the output for the suse security key:

Not helpful in my case. The summaries and Dates of my keys don't tell me where they came from. I have 5 keys dated ~3am Jan 20, 2007, and 4 keys dated Jun 7, 2009.

The 11 summaries consist of 1 of 6 output strings:

COUNT STRING
----- ------
    3 gpg(Novell Provo Build (Contact security@novell.com) \
On Sun, Jun 07, 2009 at 03:05:23PM -0700, Linda Walsh wrote:
> Anders Johansson wrote:
>> There are only two suse keys in total. the suse "build" key (build@suse.de) and the security key (security@suse.de)
>> They are used for all distributions, until they expire, at which time they get an update. The current one will expire in May 2010, if I read correctly
>> The other keys you have could be various other repository keys. Each build service repository has its own key
>
> So any mirror would have its own key?

No. Buildservice projects have their own keys. Mirrors just mirror our stuff and never have own keys.

> and build@suse.de keys? If they are from mirror sites, would it be a major problem if the summary or build-host indicated the host it came from (FQDN, not localhost)?
>
> Having keys is excellent, but if I have duplicates and don't know one from another or where they came from, I can't really know what packages were signed against what key (all I likely would know is that they installed with one of the above keys, but that doesn't tell me if one of those 'build' keys was from: "susemirror.IwasHacked.org"... or where...?
>
> Isn't it possible if a mirror site were hacked, someone could also install their own hacked 'gpg' key, with the same summary? Theoretically, that is...not that it is likely to happen...

No. Yast would ask for confirmation. There was a bug in 10.2 or 10.3 which imported keys multiple times, which would explain the multiple imports.

Ciao, Marcus
On Monday 08 June 2009 00:05:23 Linda Walsh wrote:
> Anders Johansson wrote:
>> There are only two suse keys in total. the suse "build" key (build@suse.de) and the security key (security@suse.de)
>> They are used for all distributions, until they expire, at which time they get an update. The current one will expire in May 2010, if I read correctly
>> The other keys you have could be various other repository keys. Each build service repository has its own key
>
> So any mirror would have its own key?

No, the mirrors have the same files (and consequently the same keys) as the original. I mean each "original" repository.

>> , packman has its key and so on.
>
> packman? is that the build service? or???

No, the build service is at http://download.opensuse.org/repositories. packman is separate. It is at http://packman.links2linux.org

>> You can find out what each key is for with "rpm -qi". For example, here is the output for the suse security key:
>
> Not helpful in my case. The summaries and Dates of my keys don't tell me where they came from. I have 5 keys dated ~3am Jan 20, 2007, and 4 keys dated Jun 7, 2009.
>
> The 11 summaries consist of 1 of 6 output strings:
>
> COUNT STRING
> ----- ------
>     3 gpg(Novell Provo Build (Contact security@novell.com) \
>       )

This is the equivalent of the suse build key for Novell OES packages.

>     1 gpg(Open Enterprise Server
>       )

Embarrassingly enough, I'm not entirely sure what this key is used for.

>     4 gpg(SuSE Package Signing Key
>       )
>     1 gpg(SuSE Security Team
>       )

Mentioned earlier, these are the standard suse keys

>     1 gpg(openSUSE Project Signing Key
>       )

An opensuse key. Again, not really sure what it's used for

>     1 gpg(openSUSE:Factory OBS Project \
>       openSUSE:Factory@build.opensuse.org)

This is a repository key, I mentioned these before. This happens to be for opensuse Factory (the repository of what will one day become the next opensuse version).

> -----
> I see 2 summaries indicating "security@", but the first (with 3 separate keys having the same summary line), is confusing, as it gives a 2ndary email addr: "novell-provo-build@". So is that a build or a security key? The domains are different as well, "@novell.com|@suse.de".
>
> Then I have 4 separate keys for "build@suse.de" -- should I only have one?

Normally you would. My guess is that the other ones are older and expired.

> Isn't it possible if a mirror site were hacked, someone could also install their own hacked 'gpg' key, with the same summary? Theoretically, that is...not that it is likely to happen...

Sure it's possible. The keys are just files in the directory structure. But when the system wants to install a key, it will never do so automatically. It always requests confirmation from you (the exception is when you're performing the original install, or a version upgrade). When you get such a question, you shouldn't just blindly click "yes - import the key and trust it" without doing something to verify that the key is indeed correct.

The normal package managers will refuse to install packages with bad signatures (meaning packages not signed with keys already imported by you). This means that a rogue key can't be installed by a non-trusted package (at least not without a manual override by you).

If you come across a third party package manager which ignores key violations, never use it.

Anders
On Monday, 2009-06-08 at 00:32 +0200, Anders Johansson wrote:
...
>>     1 gpg(Open Enterprise Server
>>       )
>
> Embarrassingly enough, I'm not entirely sure what this key is used for.

:-) Time ago, I think I suggested that someone at SUSE/Novell/openSUSE creates a non-wiki page (or a non public wiki) that lists all the used GPG keys by SUSE, Novell, or openSUSE. The key, the ID, a comment on the usage of that key, and perhaps, a link to the key itself.

Cheers, Carlos E. R.
On Sunday 07 June 2009 06:05:44 pm Carlos E. R. wrote: ...
> Time ago, I think I suggested that someone at SUSE/Novell/openSUSE creates a non-wiki page (or a non public wiki) that lists all the used GPG keys by SUSE, Novell, or openSUSE. The key, the ID, a comment on the usage of that key, and perhaps, a link to the key itself.

Kgpg can do that for you, just go online and check.

Regards, Rajko
http://news.opensuse.org/category/people-of-opensuse/
On Sunday, 2009-06-07 at 18:14 -0500, Rajko M. wrote:
> On Sunday 07 June 2009 06:05:44 pm Carlos E. R. wrote: ...
>> Time ago, I think I suggested that someone at SUSE/Novell/openSUSE creates a non-wiki page (or a non public wiki) that lists all the used GPG keys by SUSE, Novell, or openSUSE. The key, the ID, a comment on the usage of that key, and perhaps, a link to the key itself.
>
> Kgpg can do that for you, just go online and check.

No, that's not it. Kgpg would list all those keys, and all the rest of keys, mine and from others. What I mean is an official list of all the official keys used by the project, or by Novell/SUSE related to the project. This would be a place where we could check if we have the correct list imported.

Cheers, Carlos E. R.
On Sun, Jun 07, 2009 at 02:08:02PM -0700, Linda Walsh wrote:
> I was looking at the distro's and 'arch's for packages installed on one of my systems. The system started out as a '32bit', i586-based system, but was upgraded to x86_64 later in life.
>
> To check that I have no old-arch packages, I printed out dist's and arch's using:
>
> rpm -qa --qf '%-25{distribution} (%{arch}) : %{n}-%{V}-%{R}\n'
>
> Only one package showed had a 'binary' (not 'noarch') arch "mismatch" -- a package left over from 10.2:
>
> openSUSE 10.2 (i686) (i686) : db-4.4.20-16
>
> No...that's not a 'double-arch' printing -- it's a pre-11.1 "bug" where some packages contained an 'arch' string embedded in the distribution name.
>
> Most of the 'arch's agree (sorta) and make no diff, like:
>
> openSUSE 10.2 (X86-64) (x86_64) : nttcp-1.47-151
> openSUSE 10.3 (X86-64) (x86_64) : apcupsd-3.14.1-33
> openSUSE 11.0 (X86-64) (x86_64) : acpiw-0.75-574.1
>
> (i.e. 10.2, 10.3 and 11.0 had packages with an 'almost correct', but 'bogus' 'arch' embedded in the distribution name ("X86-64" != "x86_64").
>
> A few had mismatching, confused values, mostly fonts/cursors:
>
> openSUSE 10.2 (i586) (noarch) : agfa-fonts-2003.03.19-51
> openSUSE 11.0 (i586) (noarch) : Crystalcursors-0.5-197.1
> openSUSE 11.0 (i586) (noarch) : bitstream-vera-1.10-278.1
>
> Some script-lang packages, like:
>
> openSUSE 10.3 (i586) (noarch) : yast2-devtools-2.15.9-6
> openSUSE 11.0 (i586) (noarch) : bootchart-0.9-221.1
>
> But this is a weird one (as it is inconsistent, but better than the others that it is inconsistent with):
>
> openSUSE 11.0 (i586) (noarch) : suse-build-key-1.0-855.1
>
> It's a build key -- but is it only for signing i586 packages? Not sure what was meant, but among "keys", it's the only one with ANY sort of indication of what "Distribution" it was 'for', or was valid for signing.
>
> The other 'gpg' keys all have NO dist and, using the above mentioned rpm query, print out as:
>
> (none) ((none)) : gpg-pubkey-0dfb3188-41ed929b
> (none) ((none)) : gpg-pubkey-307e3d54-44201d5d
> (none) ((none)) : gpg-pubkey-307e3d54-481f30aa
> (none) ((none)) : gpg-pubkey-3d25d3d9-36e12d04
> (none) ((none)) : gpg-pubkey-3dbdc284-49144c3f
> (none) ((none)) : gpg-pubkey-56b4177a-47965b33
> (none) ((none)) : gpg-pubkey-7e2e3b05-44748aba
> (none) ((none)) : gpg-pubkey-7e2e3b05-4816488f
> (none) ((none)) : gpg-pubkey-9c800aca-40d8063e
> (none) ((none)) : gpg-pubkey-9c800aca-481f343a
> (none) ((none)) : gpg-pubkey-a1912208-446a0899
> --------
>
> So how do I tell what distro's the keys are good for signing? How do I tell which are for old 'distro's, that I no longer want to have enabled for "signed" installing? I.e. I might like rpm to tell me that 'old-distro rpms' aren't signed with the "latest", released, Distro key(s). Why would I have so many keys installed? I think the first distribution installed on here was 10.2(i586), upgraded 'arch' (w/10.2(x86_64), 10.3, 11.0 and now, 11.1.
>
> Theoretically, one could have 1 signing key/distribution (1 key being good for all archs), so I could have as few as 4 keys if things were 'optimal', or 5 keys if they signed different binary archs separately. But why 11 keys? Maybe oss vs. non-oss packages? That would yield 8 or 10 (presuming I had non-oss packages installed from each of my 4 distros (or 5 binary distros). Whatever...
>
> The point is -- how can one tell if the keys don't say what Distribution they were shipped with?

gpg-pubkey are virtual RPM objects (GPG keys) already imported. They lack most RPM information. Once they are imported to RPM, they stay.

> It's pointless, I believe, to attempt to go back and issue patches for all the pre-11.2 signing key packages so the distro-names would be included, but would it be a good idea (and possible) to include the distributions in 11.2 (and beyond?)

The ones used by openSUSE itself are contained in the (real) openSUSE-build-key (before 11.1 it was suse-build-key) RPM.

They also live in the /usr/lib/rpm/gnupg/pubring.gpg keyring file.

/usr/lib/rpm/gnupg/pubring.gpg
------------------------------
pub 2048R/3D25D3D9 1999-03-06
uid SuSE Security Team
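One way to answer Linda's "how can one tell" question with data rpm already holds, as an added example that is not code from this thread, from openSUSE or from rpm itself: the script below parses the output of two rpm queries and reports packages signed by a key that is not in the rpm keyring, keyring entries that signed no installed package (candidates to inspect with rpm -qi and, if stale, drop with rpm -e), and key IDs that were imported more than once, the situation Marcus attributes to the 10.2/10.3 import bug. The sample output is constructed inline; the gpg-pubkey names are the ones Linda lists, but only the 3d25d3d9 summary (the SuSE Security Team key, as shown in the pubring listing above) is identified by the thread, the other summaries are placeholders, and the package-to-key pairings are invented for the example. It assumes the %{SIGPGP:pgpsig} query format "ALG/HASH, date, Key ID hex" and that rpm builds the gpg-pubkey version from the low 32 bits of the key ID and the release from a hex Unix timestamp taken from the key (its creation or latest self-signature time); for 3d25d3d9-36e12d04 that decodes to 1999-03-06, matching the listing above.

```python
import re
from datetime import datetime, timezone

# Constructed sample of:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n' gpg-pubkey
# Key IDs come from the thread; only the 3d25d3d9 summary is confirmed there,
# the other summaries are placeholders.
SAMPLE_KEYS = """\
gpg-pubkey-3d25d3d9-36e12d04 gpg(SuSE Security Team <security@suse.de>)
gpg-pubkey-9c800aca-40d8063e gpg(placeholder build key <build@example.invalid>)
gpg-pubkey-9c800aca-481f343a gpg(placeholder build key <build@example.invalid>)
gpg-pubkey-3dbdc284-49144c3f gpg(placeholder OBS project key <obs@example.invalid>)
"""

# Constructed sample of:
#   rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n'
# rpm prints "(none)" for an unsigned package.  The Key ID is 8 or 16 hex
# digits depending on the rpm version; its low 8 digits are the gpg-pubkey
# version.  Which package was signed by which key is invented here.
SAMPLE_PKGS = """\
apcupsd-3.14.1-33 DSA/SHA1, Sat 06 Jun 2009 10:00:00 AM UTC, Key ID a84edae89c800aca
db-4.4.20-16 DSA/SHA1, Fri 23 Mar 2007 09:00:00 AM UTC, Key ID 0dfb3188
nttcp-1.47-151 (none)
suse-build-key-1.0-855.1 DSA/SHA1, Sat 06 Jun 2009 10:00:00 AM UTC, Key ID 9c800aca
"""

KEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})(?:\s+(.*))?$")
SIG_RE = re.compile(r"Key ID ([0-9a-fA-F]+)")


def parse_keys(text):
    """Map short key ID -> list of (release_hex, date, summary) keyring entries."""
    keys = {}
    for line in text.splitlines():
        m = KEY_RE.match(line.strip())
        if not m:
            continue
        short_id, rel, summary = m.groups()
        # Assumption: the release field is a hex Unix timestamp from the key
        # (creation or latest self-signature time).
        stamp = datetime.fromtimestamp(int(rel, 16), tz=timezone.utc).date()
        keys.setdefault(short_id, []).append((rel, stamp, summary or ""))
    return keys


def parse_sigs(text):
    """Map package NVR -> short ID of the signing key, or None if unsigned."""
    sigs = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        nvr, _, rest = line.partition(" ")  # package names contain no spaces
        m = SIG_RE.search(rest)
        sigs[nvr] = m.group(1)[-8:].lower() if m else None
    return sigs


def audit(keys, sigs):
    """Cross-check packages against the keyring; every list is sorted."""
    used = {kid for kid in sigs.values() if kid}
    return {
        # installed without any signature at all
        "unsigned": sorted(p for p, k in sigs.items() if k is None),
        # signed, but the signing key is not in the rpm keyring
        "unknown_key": sorted(p for p, k in sigs.items() if k and k not in keys),
        # keyring entries that vouch for no installed package
        "unused_keys": sorted(k for k in keys if k not in used),
        # same key ID present more than once (re-import or extended expiry)
        "reimported": sorted(k for k, entries in keys.items() if len(entries) > 1),
    }


if __name__ == "__main__":
    keys = parse_keys(SAMPLE_KEYS)
    for kid, entries in sorted(keys.items()):
        for rel, stamp, summary in entries:
            print(f"gpg-pubkey-{kid}-{rel}  {stamp}  {summary}")
    for name, items in audit(keys, parse_sigs(SAMPLE_PKGS)).items():
        print(f"{name}: {', '.join(items) or '-'}")
```

On a real system the two SAMPLE_ strings are replaced by the output of the rpm commands named in the comments; the "unknown_key" list is the interesting one from a security standpoint, since those packages cannot be re-verified against anything in the keyring, and "unused_keys" plus "reimported" are the entries worth checking with rpm -qi before deciding whether they still belong on the box.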