Mailinglist Archive: opensuse-buildservice (182 mails)

Re: [opensuse-buildservice] Verification of OpenPGP keys for OBS repositories (and packages)
  • From: Ludwig Nussel <ludwig.nussel@xxxxxxx>
  • Date: Mon, 22 Feb 2010 11:18:29 +0100
  • Message-id: <201002221118.29666.ludwig.nussel@xxxxxxx>
Stefan Tittel wrote:
> However, signatures are only as good as the signing key can be trusted. At
> the moment after adding a buildservice repository, YaST prompts to accept
> the corresponding key. How can I verify that this key is genuine?

There's no good user interface. You could retrieve it from the api though. e.g.
for my home project it would be
curl https://api.opensuse.org/public/source/home:lnussel/_pubkey

> Just blindly accepting the presented key will make the entire use of OpenPGP
> signatures worthless. If an attacker manages to compromise the server or

While the lack of ways to actually verify the key is annoying I wouldn't call
the entire use of signed repos useless. Once the initial step to import the key
is passed a MITM or hostile mirror has no way to tamper with repository data or
packages anymore.

> For instance, today the key of the KDE4 community repository appears to have
> changed. How can I verify that this change is genuine and not the result of
> an attack?

What did the error message look like? Does YaST/zypper actually detect that a
key has changed and warn that such a sudden change is potentially hostile?

> 2) Set up a separate SSL-secured web server, where key fingerprints are
> listed for verification purposes. After YaST prompts me to accept a new key,
> I would then go to this website and check if the key fingerprint matches.
> The advantage would be that it would be quite easy to implement and that the
> user can decide which teams/persons he wants to trust. The disadvantage would
> be that most users would still just blindly import the keys, because they
> are lazy. :)

I'd like to see such a public interface on build.opensuse.org too :-)
The more elaborate part is probably to parse the pubkey to display it in a
human readable format. I don't know if there are any libraries for doing that.

> Both approaches could also be fit for managing the genuineness of not just
> repository keys (as outlined above) but also package signing keys (with the
> exception that package signing keys need to be provided first, since they
> are not available in the repositories themselves).

In OBS the repository key is the project key and a package is signed
with the key of the project it comes from. So for OBS one only needs
to look at project keys.

> What I fail to understand: Is package signing only useful when installing
> packages by hand? Because the repository metadata contains checksums for
> every package (and these checksums are hopefully checked during software
> installation), so trusted repository metadata should be enough to prevent
> the installation of malicious packages. If I am right, the possibility to
> verify package signing keys would be a nice service for people installing
> packages by hand, but not necessary for people installing packages from
> repositories.

Exactly.

cu
Ludwig

--
(o_ Ludwig Nussel
//\
V_/_ http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-buildservice+help@xxxxxxxxxxxx
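The `curl .../_pubkey` step in the mail above returns ASCII-armored key text, and the "parse the pubkey to display it in a human readable format" part is exactly what is needed to compare it with the fingerprint YaST/zypper shows at import time. The script below is an added example, not OBS code and not Ludwig's; it uses only the Python standard library and implements the small subset of RFC 4880 needed for v4 public keys (armor with CRC-24, old/new packet headers, the 0x99-prefixed SHA-1 fingerprint). The embedded key is a constructed toy with a nonsense modulus, labelled as such in the code; the `_pubkey` URL is the one from the mail, everything else is an assumption.

```python
"""Fingerprint an OBS project key fetched from
https://api.opensuse.org/public/source/<project>/_pubkey so it can be compared
by hand with the value YaST/zypper presents.  Added example, not OBS code."""
import base64
import hashlib
import sys
from datetime import datetime, timezone

PUBLIC_KEY_TAGS = {6: "primary", 14: "subkey"}
ALGORITHMS = {1: "RSA", 2: "RSA (encrypt-only)", 3: "RSA (sign-only)",
              17: "DSA", 18: "ECDH", 19: "ECDSA", 22: "EdDSA"}


def crc24(data: bytes) -> int:
    """Radix-64 checksum, RFC 4880 6.1.  Catches corruption, NOT tampering."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def dearmor(text: str) -> bytes:
    """Strip ASCII armor, check the '=XXXX' CRC line, return the raw packets."""
    lines = iter(text.splitlines())
    for line in lines:
        if line.startswith("-----BEGIN PGP PUBLIC KEY BLOCK-----"):
            break
    else:
        raise ValueError("no PGP PUBLIC KEY BLOCK found")
    for line in lines:                 # armor headers end at the first blank line
        if not line.strip():
            break
    body, crc_line = [], None
    for line in lines:
        if line.startswith("-----END"):
            break
        if line.startswith("="):
            crc_line = line[1:].strip()
        else:
            body.append(line.strip())
    data = base64.b64decode("".join(body), validate=True)
    if crc_line is not None and int.from_bytes(base64.b64decode(crc_line), "big") != crc24(data):
        raise ValueError("armor CRC mismatch: key text is corrupt")
    return data


def packets(data: bytes):
    """Yield (tag, body) for each packet; old (4.2.1) and new (4.2.2) headers."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError("bad packet header at offset %d" % i)
        i += 1
        if hdr & 0x40:                                     # new format
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths not supported")
        else:                                              # old format
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, two-byte body length, key packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are handled here")
    return hashlib.sha1(b"\x99" + len(body).to_bytes(2, "big") + body).hexdigest().upper()


def describe_key(armor: str) -> dict:
    """The fields a human compares before deciding to trust a repository key."""
    info = {"fingerprint": None, "keyid": None, "algorithm": None,
            "created": None, "uids": [], "subkeys": []}
    for tag, body in packets(dearmor(armor)):
        if tag in PUBLIC_KEY_TAGS:
            fpr = v4_fingerprint(body)
            if tag == 6 and info["fingerprint"] is None:
                info["fingerprint"] = " ".join(fpr[i:i + 4] for i in range(0, 40, 4))
                info["keyid"] = fpr[-16:]                  # what zypper/rpm -K print
                info["algorithm"] = ALGORITHMS.get(body[5], "algo %d" % body[5])
                info["created"] = datetime.fromtimestamp(
                    int.from_bytes(body[1:5], "big"), timezone.utc).strftime("%Y-%m-%d")
            else:
                info["subkeys"].append(fpr[-16:])
        elif tag == 13:                                    # user ID packet
            info["uids"].append(body.decode("utf-8", "replace"))
    if info["fingerprint"] is None:
        raise ValueError("no primary public key packet in input")
    return info


def _mpi(n: int) -> bytes:
    """OpenPGP multi-precision integer: 2-byte bit count, then big-endian value."""
    return n.bit_length().to_bytes(2, "big") + n.to_bytes((n.bit_length() + 7) // 8, "big")


def sample_key_packet_body() -> bytes:
    """Constructed v4 RSA key packet body; the modulus is a toy, not a real key."""
    created = 1266833909                                   # 2010-02-22 10:18:29 UTC
    return b"\x04" + created.to_bytes(4, "big") + b"\x01" + _mpi(0xC0FFEE0123456789ABCDEF) + _mpi(65537)


def build_sample_armor() -> str:
    """Wrap the sample key plus a user ID in armor, as _pubkey would serve it."""
    key = sample_key_packet_body()
    uid = b"constructed test key <test@example.invalid>"
    raw = b"\x99" + len(key).to_bytes(2, "big") + key      # old-format tag 6, 2-byte length
    raw += b"\xb4" + bytes([len(uid)]) + uid                # old-format tag 13, 1-byte length
    b64 = base64.b64encode(raw).decode()
    crc = base64.b64encode(crc24(raw).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", "Comment: constructed sample", ""]
                     + [b64[i:i + 64] for i in range(0, len(b64), 64)]
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----", ""])


if __name__ == "__main__":
    # curl https://api.opensuse.org/public/source/home:lnussel/_pubkey | python3 obs_pubkey.py
    text = sys.stdin.read() if not sys.stdin.isatty() else build_sample_armor()
    for field, value in describe_key(text).items():
        print("%-12s %s" % (field, value))
```

The printed fingerprint is what you hold against the one in the YaST/zypper import prompt (or against a fingerprint list published elsewhere, as proposed in the thread); the armor CRC only detects corruption in transit, so the trust decision rests entirely on that comparison and on having fetched the key over TLS from a host you have reason to trust.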
