Mailinglist Archive: opensuse-buildservice (280 mails)

[opensuse-buildservice] RPMs and detached signatures!
  • From: Paul Elliott <pelliott@xxxxxx>
  • Date: Wed, 31 Oct 2007 18:30:51 -0500
  • Message-id: <20071031233051.GA20887@xxxxxx>

Where is it documented how the data in an RPM is laid out? What
data is signed in a signed RPM?

The reason I ask this question is the following:

In keeping with the original UNIX "many small tools" philosophy,
imagine the following 2 utilities:

rpmdetachsig:

Takes an rpm together with the gpg keys and a passphrase from the user.
It goes through the exact same procedure as "rpm --addsign" goes through,
but instead of creating a signed rpm, creates a DETACHED signature for
the rpm's data. The detached signature is output to a separate file.


rpmadddetachedsig: takes an rpm together with the detached signature
produced by rpmdetachsig, and creates another rpm but signed, just like
it had been signed by "rpm --addsign" in one operation.

Using these utilities, the buildservice could implement the following
procedure for developers that want to sign their rpms:

Developers download their rpm and use rpmdetachsig to create a detached
signature. They then upload the detached signature back to the build
service. The Build service adds the developer's detached signature to
the published rpm (with rpmadddetachedsig). The build service also
adds its own signature to the rpm to indicate that the rpm was indeed
built with the data on the build service.


This procedure (if possible) has the following advantages:

The developers never have to trust the build service with their
secret keys, because the signature creation is done on the developer's
own computer. This is important because many people are unwilling
to trust anyone else with their secret key--properly so.

The Build service knows that the data it publishes was built on the
build server! It accepted the detached signature from the developer
but the rpm on the build service never left the custody of the
build service!


--
Paul Elliott 1(512)837-1096
pelliott@xxxxxx PMB 181, 11900 Metric Blvd Suite J
http://www.io.com/~pelliott/pme/ Austin TX 78758-3117
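
An added example, not part of the original post and not code from rpm or the build service: in the RPM v3/v4 file format a package is a 96-byte lead, a signature header, the main header, and the payload, and package signatures are computed over the main header alone and over header plus payload. The sketch below locates those byte ranges, which is the data a detached signature would have to cover; the function names and the sample package are constructed for illustration.

```python
import hashlib
import struct

LEAD_SIZE = 96                       # fixed-size legacy "lead" at the start of every RPM
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"   # header magic (3 bytes) plus version byte


def header_length(blob, offset):
    """Return the byte length of the header structure starting at offset."""
    if blob[offset:offset + 4] != HEADER_MAGIC:
        raise ValueError("header magic not found at offset %d" % offset)
    # 4 magic/version bytes, 4 reserved bytes, then entry count and data size.
    nindex, hsize = struct.unpack(">II", blob[offset + 8:offset + 16])
    return 16 + 16 * nindex + hsize


def signed_region(blob):
    """Return (start, header_end, end) offsets of the data signatures cover."""
    if blob[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM: bad lead magic")
    sig_len = header_length(blob, LEAD_SIZE)
    # The signature header is padded so the main header starts 8-byte aligned.
    start = LEAD_SIZE + sig_len + (-sig_len % 8)
    header_end = start + header_length(blob, start)
    if header_end > len(blob):
        raise ValueError("truncated RPM")
    return start, header_end, len(blob)


def build_sample_rpm():
    """Constructed sample: minimal lead + signature header + header + payload."""
    lead = LEAD_MAGIC + bytes(LEAD_SIZE - 4)
    sig = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, 5) + bytes(16) + b"SIGGY"
    sig += bytes(-len(sig) % 8)
    hdr = HEADER_MAGIC + bytes(4) + struct.pack(">II", 1, 4) + bytes(16) + b"meta"
    return lead + sig + hdr + b"payload-bytes"


if __name__ == "__main__":
    rpm = build_sample_rpm()
    start, header_end, end = signed_region(rpm)
    print("header+payload:", start, end, hashlib.sha256(rpm[start:end]).hexdigest())
    print("header only:   ", start, header_end)
```

Because the signature header sits outside both ranges, attaching or replacing a signature does not change the bytes that were signed.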