[zypp-devel] GPG signed rpm-md repositories with subkeys?
Greetings:

I was confused earlier today when trying to add a GPG-signed rpm-md type repository to my system. I noticed that zypper was listing the repository as not being signed. zypper refresh was telling me that the repository was signed with an unknown key and zypper lr was listing the repository as not supporting repo_gpgcheck.

After some digging around the libzypper source (14.43.0) on my system (openSUSE 13.2) I believe I've tracked down the issue.

The call to publicKeyExists in KeyRing::Impl::verifyFileSignatureWorkflow checks if the repomd.xml.asc signature's key ID is known. If the repomd.xml.asc was signed with a subkey of a GPG key (instead of a primary key), this check will fail even though the call to VerifyFile would succeed.

Is this a known issue?

Not sure what the best solution is for zypper, but one potential solution would be to simply ask GPG to verify the signature using the general keyring without first checking if a matching key id is in the keyring. The logic in verifyFileSignatureWorkflow can then be simplified as GPG would figure out if there's a matching key and this issue would be avoided.

Thanks,
Joe

--
To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org
To contact the owner, e-mail: zypp-devel+owner@opensuse.org
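The mismatch described in the report, as an added example that is neither libzypp's code nor anything posted to the list: a lookup that only knows primary key IDs rejects a repomd.xml.asc made with a subkey, while a lookup that also indexes the keyring's sub records (or simply reads the primary fingerprint gpg itself reports in VALIDSIG) resolves the signing key to the imported primary key. The keyring listing and status lines are constructed sample data in the real `gpg --with-colons --list-keys` and `gpg --status-fd` record formats; every key ID and fingerprint in them is made up, and the function names are this example's own.

```python
"""Key-ID lookup against a GnuPG keyring listing, with and without subkeys.

Added example, not libzypp's code. The listing and status lines are
constructed sample data in the real ``gpg --with-colons --list-keys`` and
``gpg --status-fd 1 --verify`` formats; all key IDs and fingerprints are made up.
"""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed listing: one primary key (pub) with a signing-capable subkey (sub).
# Colon format: field 1 is the record type, field 5 the long key ID, and each
# key's full fingerprint follows in an fpr record (field 10). The long key ID
# is the last 16 hex digits of the fingerprint.
KEYRING_LISTING = """\
pub:u:4096:1:AABBCCDDEEFF0011:1477000000:::u:::scESC::::::23::0:
fpr:::::::::0123456789ABCDEF01234567AABBCCDDEEFF0011:
uid:u::::1477000000::ABCDEF0123456789ABCDEF0123456789ABCDEF01::Example Repo Signing Key <repo@example.invalid>::::::::::0:
sub:u:4096:1:1122334455667788:1477000000::::::s::::::23:
fpr:::::::::FEDCBA9876543210FEDCBA981122334455667788:
"""

# Constructed status-fd output for a repomd.xml.asc made with the subkey.
# GOODSIG names the key that made the signature (here the subkey); the last
# field of VALIDSIG is the fingerprint of the primary key it belongs to.
SUBKEY_SIGNATURE_STATUS = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 1122334455667788 Example Repo Signing Key <repo@example.invalid>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA981122334455667788 2016-10-28 1477614986 0 4 0 1 8 00 0123456789ABCDEF01234567AABBCCDDEEFF0011
"""


@dataclass
class KeyEntry:
    fingerprint: str
    primary_key_id: str  # equals the key's own ID for a primary key
    is_subkey: bool


def parse_keyring(listing: str) -> Dict[str, KeyEntry]:
    """Map every long key ID in a colon listing, primary and sub, to its entry."""
    entries: Dict[str, KeyEntry] = {}
    current_primary: Optional[str] = None
    pending: Optional[Tuple[str, bool]] = None  # (key_id, is_subkey) awaiting its fpr record
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            current_primary = fields[4]
            pending = (fields[4], False)
        elif fields[0] == "sub" and current_primary is not None:
            pending = (fields[4], True)
        elif fields[0] == "fpr" and pending is not None:
            key_id, is_subkey = pending
            entries[key_id] = KeyEntry(fields[9], current_primary, is_subkey)
            pending = None
    return entries


def primary_only_lookup(keyring: Dict[str, KeyEntry], key_id: str) -> bool:
    """Model of the check the report describes: is the signing key ID one of the
    imported primary keys? A signature made by a subkey fails here even though
    gpg would verify it against the same keyring."""
    entry = keyring.get(key_id)
    return entry is not None and not entry.is_subkey


def subkey_aware_lookup(keyring: Dict[str, KeyEntry], key_id: str) -> Optional[str]:
    """Return the primary key ID that key_id (primary or sub) belongs to, else None."""
    entry = keyring.get(key_id)
    return entry.primary_key_id if entry else None


_SIG_KEY = re.compile(r"^\[GNUPG:\] (?:GOODSIG|BADSIG|ERRSIG) ([0-9A-F]{16})\b", re.M)
_VALIDSIG = re.compile(r"^\[GNUPG:\] VALIDSIG (\S+)(?: \S+){8} ([0-9A-F]{40})$", re.M)


def signature_key_id(status: str) -> Optional[str]:
    """Long ID of the key that made the signature, from GOODSIG/BADSIG/ERRSIG."""
    m = _SIG_KEY.search(status)
    return m.group(1) if m else None


def signature_primary_key_id(status: str) -> Optional[str]:
    """Primary key ID gpg itself reports for a good signature (VALIDSIG, last field)."""
    m = _VALIDSIG.search(status)
    return m.group(2)[-16:] if m else None


if __name__ == "__main__":
    keyring = parse_keyring(KEYRING_LISTING)
    signer = signature_key_id(SUBKEY_SIGNATURE_STATUS)
    print("signing key:", signer)
    print("primary-only lookup knows it:", primary_only_lookup(keyring, signer))
    print("subkey-aware lookup resolves to:", subkey_aware_lookup(keyring, signer))
    print("primary reported by gpg:", signature_primary_key_id(SUBKEY_SIGNATURE_STATUS))
```

On a real system the two inputs come from `gpg --with-colons --list-keys` and `gpg --status-fd 1 --verify repomd.xml.asc repomd.xml` run against the keyring in question. Either lookup only answers whether the signing key is known; whether the signature is good and the key trusted must still come from gpg's own verification result, which is the point of the simplification the report proposes.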
On Friday 28 October 2016 01:16:26 Joe Damato wrote:
Greetings:
I was confused earlier today when trying to add a GPG-signed rpm-md type repository to my system. I noticed that zypper was listing the repository as not being signed. zypper refresh was telling me that the repository was signed with an unknown key and zypper lr was listing the repository as not supporting repo_gpgcheck.
After some digging around the libzypper source (14.43.0) on my system (openSUSE 13.2) I believe I've tracked down the issue.
The call to publicKeyExists in KeyRing::Impl::verifyFileSignatureWorkflow checks if the repomd.xml.asc signature's key ID is known. If the repomd.xml.asc was signed with a subkey of a GPG key (instead of a primary key), this check will fail even though the call to VerifyFile would succeed.
Is this a known issue?
No. Thanks for hunting and reporting it. I opened a bug at https://bugzilla.suse.com/show_bug.cgi?id=1008325

Please be so kind to attach your repomd.xml, .asc and .key file to the bug, so we can verify a fix.

--
cu,
Michael Andres

Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
Michael Andres
SUSE LINUX GmbH, Development, ma@suse.com
Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 74 053-0
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)