On Monday 08 June 2009 00:05:23 Linda Walsh wrote:
Anders Johansson wrote:
There are only two suse keys in total: the suse "build" key (build@suse.de) and the security key (security@suse.de).
They are used for all distributions, until they expire, at which time they get an update. The current one will expire in May 2010, if I read correctly
The other keys you have could be various other repository keys. Each build service repository has its own key
---- So any mirror would have its own key?
No, the mirrors have the same files (and consequently the same keys) as the original. I mean each "original" repository.
, packman has its key and so on.
--- packman? is that the build service? or???
No, the build service is at http://download.opensuse.org/repositories. packman is separate. It is at http://packman.links2linux.org
You can find out what each key is for with "rpm -qi". For example, here is the output for the suse security key:
--- Not helpful in my case. The summaries and Dates of my keys don't tell me where they came from. I have 5 keys dated ~3am Jan 20, 2007, and 4 keys dated Jun 7, 2009.
The 11 summaries consist of 1 of 6 output strings:

COUNT STRING
----- ------
3 gpg(Novell Provo Build (Contact security@novell.com) )
This is the equivalent of the suse build key for Novell OES packages.
1 gpg(Open Enterprise Server )
Embarrassingly enough, I'm not entirely sure what this key is used for.
4 gpg(SuSE Package Signing Key )
1 gpg(SuSE Security Team )
Mentioned earlier, these are the standard suse keys.
1 gpg(openSUSE Project Signing Key )
An opensuse key. Again, not really sure what it's used for.
1 gpg(openSUSE:Factory OBS Project openSUSE:Factory@build.opensuse.org)
This is a repository key, I mentioned these before. This happens to be for opensuse Factory (the repository of what will one day become the next opensuse version).
-----
I see 2 summaries indicating "security@", but the first (with 3 separate keys having the same summary line) is confusing, as it gives a secondary email addr: "novell-provo-build@". So is that a build or a security key? The domains are different as well, "@novell.com|@suse.de".
Then I have 4 separate keys for "build@suse.de" -- should I only have one?
Normally you would. My guess is that the other ones are older and expired.
Isn't it possible if a mirror site were hacked, someone could also install their own hacked 'gpg' key, with the same summary? Theoretically, that is...not that it is likely to happen...
Sure it's possible. The keys are just files in the directory structure. But when the system wants to install a key, it will never do so automatically. It always requests confirmation from you (the exception is when you're performing the original install, or a version upgrade). When you get such a question, you shouldn't just blindly click "yes - import the key and trust it" without doing something to verify that the key is indeed correct.

The normal package managers will refuse to install packages with bad signatures (meaning packages not signed with keys already imported by you). This means that a rogue key can't be installed by a non-trusted package (at least not without a manual override by you). If you come across a third party package manager which ignores key violations, never use it.

Anders
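Since the summary strings alone don't say which key is which, here is an added shell example (not from the thread or from the openSUSE project) that groups the keys in the RPM database by summary using rpm's own key ids, so that several keys sharing one summary stand out, and that pulls a fingerprint out of the database for comparison with what a repository owner publishes. The rpm query format is real; the sample output and its key ids are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the thread: group the keys imported into the RPM
# database by their summary string and flag summaries that several distinct
# key ids share (the "4 keys for build@suse.de" case), then show how to get a
# fingerprint to compare against what the repository owner publishes.
# The sample below is constructed; the key ids are fake placeholders.

# rpm stores each imported key as a pseudo-package gpg-pubkey-<keyid>-<created>,
# so VERSION is the short key id and RELEASE the creation time in hex.
query_rpm_keys() {
  rpm -q gpg-pubkey --qf '%{VERSION} %{RELEASE} %{SUMMARY}\n'
}

# stdin: one "keyid created summary" line per key (the format above)
# stdout: one line per distinct summary: "<count> <summary> [keyid ...]"
group_keys_by_summary() {
  awk '{
      id = $1; $1 = ""; $2 = ""           # strip keyid and date
      sub(/^ +/, "")                      # what remains is the summary
      n[$0]++; ids[$0] = ids[$0] " " id
    }
    END { for (s in n) printf "%d %s [%s]\n", n[s], s, substr(ids[s], 2) }' |
    sort -rn
}

# Constructed sample standing in for query_rpm_keys output (placeholder ids).
SAMPLE_KEYS='0a0a0a0a 4a2b1c3d gpg(SuSE Package Signing Key <build@suse.de>)
0b0b0b0b 3f1e2d4c gpg(SuSE Package Signing Key <build@suse.de>)
0c0c0c0c 45a6b7c8 gpg(SuSE Security Team <security@suse.de>)
0d0d0d0d 4a2b1c3e gpg(openSUSE:Factory OBS Project <openSUSE:Factory@build.opensuse.org>)'

# Number of distinct key ids in the sample whose summary contains $1.
keys_with_summary() {
  printf '%s\n' "$SAMPLE_KEYS" | group_keys_by_summary |
    awk -v want="$1" 'index($0, want) { print $1; exit }'
}

# Fingerprint of one imported key: rpm -qi prints the armored key block, which
# gpg can list without importing it (--show-keys needs gpg 2.1.23 or newer).
show_key_fingerprint() {
  rpm -qi "gpg-pubkey-$1" | gpg --show-keys --with-fingerprint
}

if command -v rpm >/dev/null 2>&1; then
  query_rpm_keys | group_keys_by_summary
else
  printf '%s\n' "$SAMPLE_KEYS" | group_keys_by_summary
fi
```

A summary listed with two or more ids is worth checking key by key with show_key_fingerprint, since an expired predecessor and a key someone slipped in look identical in the summary column.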