On Fri, Mar 14, 2014 at 02:35:40PM -0400, Jason wrote:
On Friday, March 14, 2014 07:19:09 Marcus Meissner wrote:
On Fri, Mar 14, 2014 at 02:00:34AM +0200, Uwe Geuder wrote:
Hi!
Today packages signed with key ID b3fd7e48 have appeared in openSUSE repo-update. I get warnings that this is an unknown key. Can somebody advise how to verify that it is a legitimate key?
More details at https://forums.opensuse.org/showthread.php/496213-zypper-up-found-no-key-but-still-installed-packages
Thanks for the report...
This key is the build key for the openSUSE:Maintenance staging area.
It should not have been used for the released update itself (the RPMs are resigned before release).
Ciao, Marcus
Good, I thought I was going crazy over here:)
But, this raises another point:
How is it possible for apper to install packages without key/wrong key? The packages are served over plain http, above shouldn't be acceptable?
Or am I misunderstanding something here, I'd appreciate clarification if possible.
The verification of repositories is done via the YUM metadata. It chains like this:
repodata/repomd.xml (signature in repomd.xml.asc)
  this contains sha256 signatures of the XML files in repodata/:
repodata/*.xml
  these contain sha256 signatures of all RPMs and other files.
The RPM signature is usually not involved in this framework.
Ciao, Marcus
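The chain Marcus describes, walked in Python as an added example (not code from the thread or from zypper/libzypp): a constructed repomd.xml vouches for a constructed primary.xml by sha256, which in turn vouches for two fake RPM payloads, one of which was altered after the metadata was written. The GPG check of repomd.xml against repomd.xml.asc, which is the root of trust, is assumed to have been done already and is not implemented here; the element names and namespaces are the standard YUM repodata ones, and the plain (non-gzipped) primary.xml is a simplification.

```python
import hashlib
import xml.etree.ElementTree as ET

REPO_NS = "{http://linux.duke.edu/metadata/repo}"      # repomd.xml
COMMON_NS = "{http://linux.duke.edu/metadata/common}"  # primary.xml

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def check_entries(xml_bytes, ns, entry_tag, files):
    """Return {href: ok} for every <entry_tag> with <checksum type="sha256"> and <location href>."""
    results = {}
    for entry in ET.fromstring(xml_bytes).findall(f"{ns}{entry_tag}"):
        href = entry.find(f"{ns}location").get("href")
        chk = entry.find(f"{ns}checksum")
        blob = files.get(href)
        # A missing file or a non-sha256 digest is a failure, not a skip.
        results[href] = (blob is not None and chk.get("type") == "sha256"
                         and sha256_hex(blob) == chk.text.strip())
    return results

def verify_chain(repomd_xml, files):
    """repomd.xml -> repodata/*.xml -> RPMs. Assumes repomd.xml.asc was already checked with GPG."""
    metadata = check_entries(repomd_xml, REPO_NS, "data", files)
    packages = {}
    for href, ok in metadata.items():
        if ok and "primary" in href:  # only a verified primary.xml may vouch for RPMs
            packages.update(check_entries(files[href], COMMON_NS, "package", files))
    return metadata, packages

# Constructed sample repository: two fake "RPMs", the second altered after primary.xml was written.
GOOD_RPM = b"constructed rpm payload A"
BAD_RPM = b"constructed rpm payload B, modified on the mirror"
PRIMARY_XML = f"""<metadata xmlns="http://linux.duke.edu/metadata/common">
<package type="rpm"><checksum type="sha256" pkgid="YES">{sha256_hex(GOOD_RPM)}</checksum>
<location href="x86_64/good.rpm"/></package>
<package type="rpm"><checksum type="sha256" pkgid="YES">{sha256_hex(b"constructed rpm payload B")}</checksum>
<location href="x86_64/bad.rpm"/></package>
</metadata>""".encode()
REPOMD_XML = f"""<repomd xmlns="http://linux.duke.edu/metadata/repo">
<data type="primary"><checksum type="sha256">{sha256_hex(PRIMARY_XML)}</checksum>
<location href="repodata/primary.xml"/></data>
</repomd>""".encode()
FILES = {"repodata/primary.xml": PRIMARY_XML, "x86_64/good.rpm": GOOD_RPM, "x86_64/bad.rpm": BAD_RPM}

if __name__ == "__main__":
    print(verify_chain(REPOMD_XML, FILES))
```

Because every hash below repomd.xml is checked against the level above it, a tampered primary.xml is rejected before any package it lists is considered, which is why the per-RPM signature is not what protects an http-served repository.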