Remark (unsure about current situation): In the past, when adding
semi-official or official repos from e.g. inside YaST that were
already listed there, or via that community-repositories functionality,
there often was an unsafe/unknown GPG key warning, asking whether the user wanted
to import and trust the key.

Enhancement: if possible, build a chain or web of trust for all those
directly owned or endorsed keys of all those projects or build service
and official and semi-official repos, so that the user messing with repos can
at least tell that the repo's GPG key is somewhat related to the
higher-level official openSUSE key or keys and see a relation if there
is one. Importing completely strange keys that don't show any relation
to other openSUSE project keys doesn't really help the user to decide
if something's legit or not, or fake, or to be taken cautiously, and so
on. Thank you.
On Wed, Nov 20, 2013 at 3:00 PM, Darin Perusich wrote:

There are Puppet modules available to import GPG keys and manage the zypper repositories.

To manage GPG keys there are a number of modules; try "puppet module search gpg" for a listing. I don't see how this "issue" would be any different on SuSE than on RHEL if you're getting packages from some external YUM repo.

To manage your zypper repos use the darin-zypprepo type/module (yep, I wrote it). It has a gpgcheck option to validate signatures. If you use it in combination with one of the GPG modules, you'll take care of installing and validating keys/packages.

HTTPS is not turned on for the OBS repos, and really, how does that increase security since you're only downloading packages? Validating the keys will ensure the packages haven't been tampered with. If you're under some requirement to use HTTPS, then mirror the repos you need locally, GPG-check them before making them available, and run your own HTTPS server.
-- Later, Darin
On Tue, Nov 19, 2013 at 8:59 AM, Vlastimil Holer wrote:

Hello,
since I'm new to SUSE, I have a very dumb question regarding custom repositories from http://download.opensuse.org/ .

Our infrastructure is based on Debians and Red Hats and is completely managed and automated by Puppet. We got a few machines running SLES 11 SP3 and I need to get some software from download.opensuse.org there (like OpenAFS etc.) and need to **automate** the process of adding these custom repos and installing software in an easy and secure manner. It's impossible to think about it in a way where a user comes and blindly accepts a few keys for new repositories, or where we completely ignore or auto-import untrusted signing keys.
I have reached the following problems:
1) each repo uses a custom signing key
2) keys + repositories are over http
3) I don't know how to check if a downloaded signing key is valid

ad 1) I can make a Puppet module which can have all current signing keys downloaded from download.opensuse.org. This module can manage adding GPG keys (via rpm --import) and then creating the repository on the client side. I can regularly refresh the signing keys in this module. But 2) or 3).

ad 2) Is it possible to download all things at least via https?

ad 3) Is it possible to automatically check that the signing key is valid (at least for non-user repositories)?
Thank you for any tip. I think the public build service and these repositories are a great source of (additional) software, but thinking about how to automate these things in SUSE makes me sad so far.

Thank you, Vlastimil Holer
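One way to put Vlastimil's "ad 1)" plan (rpm --import from a Puppet-managed key set) and Darin's gpgcheck advice together is to treat a repo key like any other pinned artifact: record the key's full fingerprint once, verified out-of-band, and let the automation refuse any key whose fingerprint does not match the pin. The script below is an added example, not code from the thread or from the darin-zypprepo module. It assumes gpg 2.1+, rpm and zypper are on the SLES host, that the keys have already been fetched to local files, and that the fingerprint in PINNED is a placeholder you replace with the real one (for example taken from the project's page over HTTPS, or from a colleague who already verified it).

```shell
#!/bin/sh
# Added example: gate "rpm --import" and "zypper addrepo" on a pinned key fingerprint.
# Assumed tools: gpg (2.1+), rpm, zypper. Fingerprints below are placeholders.

# Pinned fingerprints, one "<repo alias> <40-hex fingerprint>" per line.
# Placeholder value: replace with the fingerprint you verified out-of-band.
PINNED='
openafs 0000000000000000000000000000000000000000
'

# Extract fingerprint(s) from gpg --with-colons output on stdin.
# gpg emits records like:  fpr:::::::::<40-hex fingerprint>:
# (field 1 is the record type, field 10 the fingerprint).
fpr_from_colons() {
    awk -F: '$1 == "fpr" { print $10 }'
}

# Fingerprint of an ASCII-armored key file, computed without importing it
# into any keyring ("show-only" parses and prints, nothing else).
key_fingerprint() {
    gpg --batch --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | fpr_from_colons | head -n 1
}

# Succeed (exit 0) only if fingerprint $2 equals the pin recorded for alias $1.
# Comparison is case-insensitive; a missing pin is a failure, not a pass.
fingerprint_pinned() {
    expected=$(printf '%s\n' "$PINNED" | awk -v a="$1" '$1 == a { print toupper($2) }')
    actual=$(printf '%s' "$2" | tr 'a-f' 'A-F')
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Import the key and add the repo only if the pin matches, with gpgcheck on
# so zypper keeps verifying package signatures afterwards.
add_pinned_repo() {
    alias=$1; keyfile=$2; url=$3
    actual=$(key_fingerprint "$keyfile")
    if ! fingerprint_pinned "$alias" "$actual"; then
        echo "refusing $alias: fingerprint ${actual:-<none>} is not pinned" >&2
        return 1
    fi
    rpm --import "$keyfile" || return 1
    zypper --non-interactive addrepo --gpgcheck --refresh "$url" "$alias"
}

# Usage (hypothetical paths/URLs):
#   add_pinned_repo openafs /etc/puppet/keys/openafs.asc \
#       http://download.opensuse.org/repositories/EXAMPLE/SLE_11_SP3/
```

Because the pin is a full 160-bit fingerprint rather than a short key id, a key that merely looks similar does not pass, and a transport over plain HTTP (Darin's point) stops mattering for the key itself: an attacker who swaps the key file in transit only causes the run to fail loudly instead of installing an untrusted key.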