Anders Johansson wrote:
> There are only two suse keys in total. The suse "build" key
> (build@suse.de) and the security key (security@suse.de)
> They are used for all distributions, until they expire, at which
> time they get an update. The current one will expire in May 2010,
> if I read correctly
>
> The other keys you have could be various other repository keys.
> Each build service repository has its own key

So any mirror would have its own key?

> , packman has its key and so on.

packman? Is that the build service? or???

> You can find out what each key is for with "rpm -qi". For example,
> here is the output for the suse security key:

Not helpful in my case. The summaries and Dates of my keys don't
tell me where they came from. I have 5 keys dated ~3am Jan 20, 2007,
and 4 keys dated Jun 7, 2009.
The 11 summaries consist of 1 of 6 output strings:
COUNT STRING
----- ------
3 gpg(Novell Provo Build (Contact security@novell.com) \
)
1 gpg(Open Enterprise Server )
4 gpg(SuSE Package Signing Key )
1 gpg(SuSE Security Team )
1 gpg(openSUSE Project Signing Key )
1 gpg(openSUSE:Factory OBS Project \
openSUSE:Factory@build.opensuse.org)
-----
I see 2 summaries indicating "security@", but the first (with 3 separate keys
having the same summary line) is confusing, as it gives a secondary
email addr: "novell-provo-build@". So is that a build or a security
key? The domains are different as well, "@novell.com|@suse.de".
Then I have 4 separate keys for "build@suse.de" -- should I only have one?
Then one for support, opensuse (perhaps pre-factory work?), but then
another "build" key: "openSUSE:Factory@build.opensuse.org".
So where would I have installed the other keys from? (besides
build@suse.de & security@suse.de)?
And why do I have multiple copies of the @novell.com
and build@suse.de keys? If they are from mirror sites, would it be
a major problem if the summary or build-host indicated the host it
came from (FQDN, not localhost)?
Having keys is excellent, but if I have duplicates and don't know
one from another or where they came from, I can't really know what
packages were signed against what key (all I likely would know is that
they installed with one of the above keys, but that doesn't tell me
if one of those 'build' keys was from: "susemirror.IwasHacked.org"...
or where...?)
Isn't it possible if a mirror site were hacked, someone could also
install their own hacked 'gpg' key, with the same summary?
Theoretically, that is...not that it is likely to happen...
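
The duplicate-summary problem raised in this message can be made visible by grouping the imported keys by summary and listing the key IDs behind each one. This is an added example, not part of the original post; it works on the text a query such as rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}\t%{SUMMARY}\n' prints, and the function names, key IDs, dates and addresses in it are constructed.

```sh
#!/bin/sh
# Added example (not from the thread). Input: one line per imported key,
#   <keyid>-<hex creation time><TAB><summary>
# as printed by: rpm -q gpg-pubkey --qf '%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
# rpm records each imported key as a gpg-pubkey package: VERSION is the
# low 32 bits of the key ID, RELEASE is the key's creation time in hex.

# Print "summary<TAB>count<TAB>key IDs" for each summary shared by more
# than one distinct key ID.
shared_summaries() {
    awk -F '\t' '
        {
            split($1, vr, "-")                 # vr[1] = key ID
            if (!seen[$2 SUBSEP vr[1]]++) {
                count[$2]++
                ids[$2] = (ids[$2] == "" ? "" : ids[$2] ",") vr[1]
            }
        }
        END {
            for (s in count)
                if (count[s] > 1)
                    printf "%s\t%d\t%s\n", s, count[s], ids[s]
        }' | sort
}

# Decode the RELEASE field of "<keyid>-<release>" to epoch seconds.
key_epoch() {
    printf '%d\n' "0x${1#*-}"
}

# Constructed sample data: key IDs, dates and addresses are made up.
SAMPLE=$(printf '%s\t%s\n' \
    'aaaa1111-45b12a80' 'gpg(Example Package Signing Key <build@example.org>)' \
    'bbbb2222-4a2b5c00' 'gpg(Example Package Signing Key <build@example.org>)' \
    'cccc3333-45b12a80' 'gpg(Example Security Team <security@example.org>)')

printf '%s\n' "$SAMPLE" | shared_summaries
```

The summary is only the key's free-text user ID, so when one summary appears under several key IDs, the keys are told apart by comparing each full fingerprint with the one its publisher lists, not by the summary text.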