Mailinglist Archive: opensuse-packaging (74 mails)

Re: [opensuse-packaging] Secure/signed installation sources woes
  • From: Marcus Meissner <meissner@xxxxxxx>
  • Date: Tue, 13 Jun 2006 10:33:24 +0200
  • Message-id: <20060613083324.GA13545@xxxxxxx>
On Thu, May 25, 2006 at 05:18:06PM +0200, Pascal Bleser wrote:
> Trying to add signatures to my (yast2) RPM repository for 10.1.
>
> http://en.opensuse.org/Secure_Installation_Sources
>
> A couple of unclear things in there I'd like to poke on.
>
> =========
>
> "When YaST detects an installation source it checks if the file
> "products" is there, and then checks if it is signed with a known key.
> If it is not signed at all or with an unknown key, or if the key is on
> the media, but not trusted (yet), the user will be asked what to do."
>
> "The key is usually also on the installation media as
> /gpg-pubkey-9c800aca-40d8063e.asc"
>
> What it doesn't say clearly is where/how YaST2 will try to fetch the
> armored/exported key in order to propose importing it.
> I assume it uses whatever is defined in "content" using the "KEY" tag
> (see below). Correct ?


For /content it is /content.key.
For repomd.xml it is /repomd.xml.key.

Not sure for SUSE old-style sources.

I would have to check the source ;)

> =========
>
> "The "content" file is signed in the same manner as the "products" file,
> so there is a "content.key" (usually, but not necessarily the same as
> "products.key")."
>
> Those "content.key"/"products.key" files are not mentioned anywhere else.
> Are those copies of the ASCII-armored, exported GPG key ?

Yes. ASCII Armor is not necessary.

> =========
>
> "META keys are added for all files in the directory named in the key
> DESCRDIR"
>
> So in "content" I should have something like:
> ...
> DESCRDIR setup/descr
> KEY SHA1 33ad20fe228350dc4e0f0cd7967460c31266af36 gpg-pubkey-guru.asc
> META SHA1 4baafd9998ea4e20245f82e507c6db6b723f4597 packages
> META SHA1 965ba5faeea815d41ba308ffd193b78505b26c1c directory.yast
> META SHA1 4565f769ae573f89dddbf2eef1357b59a88ad1df packages.DU
> META SHA1 c53400cdb9e16ac0d9add587585fc77c86f132c5 packages.en
>
> Correct ?

Yes.

> =========
>
> "Before YaST uses any file from DESCRDIR it will look up the entry in
> "content". This entry is currently a SHA1 checksum followed by the
> package name. This may change to a SHA256 checksum."
>
> A "package" name ? I suppose what is meant here is "file" name. Is it ?

A filename, yes.

> =========
>
> "The next step in the chain is the file "packages" in DESCRDIR.
> If you are familiar with its syntax you will see that we added a new tag
> there, too, right after the "Pgk:" tag. Here is an example of the first
> two lines of the entry for the default kernel:
> =Pkg: kernel-default 2.6.16 13 i586
> =Cks: SHA1 8c8eb2b605e1d626c22bea8dd0c3b05885432b16
> Again we have a SHA1 checksum."
>
> Maybe it should be mentioned that one must use create_package_descr from
> 10.1 or Factory (I only checked the one from autoyast2-2.13.59.tar.bz2)
>
> What about older versions ?
> If I use create_package_descr from 10.1/Factory, that adds those =Cks:
> tags into the "packages" file, can I also use it to generate "packages"
> for, say, 10.0/9.3/9.2/9.1 ?
> Or will YaST2 on 10.0 and older bark, saying that it does not know
> anything about the "=Cks:" tag ?

I don't know.

Ciao, Marcus
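As an added illustration of the checking chain the thread describes (not code from the thread or from YaST): a small verifier that reads the DESCRDIR and META SHA1 lines of a "content" file, checks each named file in DESCRDIR against its digest, and pairs the =Pkg:/=Cks: lines of "packages". The repository tree and digests are constructed in a temp dir; the GPG check of "content" against "content.key" is assumed to happen before this step and is not shown.

```python
import hashlib
import os
import tempfile


def sha1_file(path):
    with open(path, "rb") as f:
        return hashlib.sha1(f.read()).hexdigest()


def parse_content(text):
    """Return (DESCRDIR, {filename: sha1}) from the META lines of a "content" file."""
    descrdir, meta = "", {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "DESCRDIR":
            descrdir = parts[1]
        elif len(parts) == 4 and parts[:2] == ["META", "SHA1"]:
            meta[parts[3]] = parts[2]  # filename -> expected hex digest
    return descrdir, meta


def verify_descr(root, content_text):
    """Check every META entry against the file in DESCRDIR; a missing file fails."""
    descrdir, meta = parse_content(content_text)
    result = {}
    for name, expected in meta.items():
        path = os.path.join(root, descrdir, name)
        result[name] = os.path.isfile(path) and sha1_file(path) == expected
    return result


def parse_packages(text):
    """Pair each =Pkg: line with the =Cks: SHA1 line that follows it."""
    cks, current = {}, None
    for line in text.splitlines():
        if line.startswith("=Pkg: "):
            current = line[6:].strip()
        elif line.startswith("=Cks: SHA1 ") and current:
            cks[current] = line.split()[2]
            current = None
    return cks


def build_sample():
    """Constructed sample tree (not a real installation source) in a temp dir."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "setup", "descr"))
    pkg_path = os.path.join(root, "setup", "descr", "packages")
    packages = "=Pkg: kernel-default 2.6.16 13 i586\n=Cks: SHA1 " + "0" * 40 + "\n"
    with open(pkg_path, "w") as f:
        f.write(packages)
    # Second META entry names a file that is deliberately absent from DESCRDIR.
    content = "DESCRDIR setup/descr\nMETA SHA1 %s packages\nMETA SHA1 %s directory.yast\n" % (
        sha1_file(pkg_path), "f" * 40)
    return root, content, packages
```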
