Thread: Do I want to accept this repository signature?

  1. #1

    Do I want to accept this repository signature?

    When kupdate applet started up, it popped up this window:

    Code:
    Do you want to accept this repository signature?
    package_id :dummy;0.0.1;i386;data
    repository_name: KDE_4_Stable
    key_url: http://download.opensuse.org/repositories/KDE:/KDE4:/STABLE:/Desktop/openSUSE_11.2/
    key_userid:KDE OBS Project <KDE@build.opensuse.org>
    key_id: 27C070176F88BB2F
    key_fingerprint: ...elided...
    key_timestamp: Fri Apr 16 06:26:59 2010
    type: gpg

    What is this? Why am I getting it? Is it safe to accept?

    (NOTE: I elided the key fingerprint)

  2. #2

    Re: Do I want to accept this repository signature?

    From time to time the sigs change. If you trust the repository accept.

  3. #3

    Re: Do I want to accept this repository signature?

    Quote Originally Posted by gogalthorp View Post
    From time to time the sigs change. If you trust the repository accept.
    Thanks gogalthorp!

  4. #4

    Re: Do I want to accept this repository signature?

    Quote Originally Posted by gogalthorp View Post
    From time to time the sigs change. If you trust the repository accept.
    In this specific case it's ok: Re: [opensuse-packaging] OBS key expired

    But you should ***NOT*** just accept any new key because "you trust the repository".

  5. #5

    Re: Do I want to accept this repository signature?

    I agree, but how is anyone supposed to know this? Keys are updated all the time, but there seems to be no central location to verify this. So we see "new key, do you accept?" all the time but have no way to verify it. So it becomes like Windows, and users must accept it or forgo the update or install. Keys are a great idea, but there needs to be an independent way to verify them. And every user must know the way.

  6. #6

    Re: Do I want to accept this repository signature?

    I agree entirely - the reason it gives you a warning is in case someone has maliciously changed the repository, surely? A list of keys on the opensuse repositories page would be helpful, so at least we can make an informed decision as to why the key has changed. Or even better, they could announce when they are going to change the keys.

    That said, I blindly accepted all the keys when I first added the repositories - but again, what choice did I have?

  7. #7

    Re: Do I want to accept this repository signature?

    Quote Originally Posted by gogalthorp View Post
    I agree, but how is anyone supposed to know this? Keys are updated all the time, but there seems to be no central location to verify this. So we see "new key, do you accept?" all the time but have no way to verify it. So it becomes like Windows, and users must accept it or forgo the update or install. Keys are a great idea, but there needs to be an independent way to verify them. And every user must know the way.
    Can anyone from opensuse answer this? Is there a way we can verify the validity of the keys?

  8. #8

    Re: Do I want to accept this repository signature?

    Before this becomes an issue much larger than it should be: Has anyone experienced the appearance of loads of malicious packages?

    What I suspect is going to happen, if keys are getting published is this:
    Endless lists of long key strings (just browse Index of /repositories/home: ). Number of page hits after one month: zero.

    It's quite simple: each package is signed, you need the key it's signed with. If it's signed with some other key, nothing will work, until you accept that key. AFAIK there can only be one key in a repo, so changing it would make all other packages in that repo invalid.

    ° Perfection is not gonna happen. No way.

    https://en.opensuse.org/openSUSE:Board#Members
    http://en.opensuse.org/User:Knurpht
    http://nl.opensuse.org/Gebruiker:Knurpht

  9. #9

    Re: Do I want to accept this repository signature?

    The current situation is explained here: [opensuse-buildservice] Verification of OpenPGP keys for OBS repositories

    Quote Originally Posted by Knurpht View Post
    It's quite simple: each package is signed, you need the key it's signed with. If it's signed with some other key, nothing will work, until you accept that key. AFAIK there can only be one key in a repo, so changing it would make all other packages in that repo invalid.
    I'm not sure, but I think zypper only verifies the metadata signature, not the package ones.

    An attacker could generate a new package, unsigned or signed by himself, modify the metadata to include his modified package, sign the metadata with his own key and change the key.
    You would have a single modified package and:
    - The key verifies the metadata is valid
    - The metadata verifies the packages are valid
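The check that posts #5 and #9 are asking for, as an added example (not code from the thread, openSUSE or zypper): parse the prompt text from post #1, compare the key id and fingerprint against a list of fingerprints you verified out of band, and refuse to decide automatically when the prompt carries nothing comparable. The second half models post #9's point with a constructed repo: the metadata is a map of package digests, which is what the repository key signs, so a modified package is caught only while the original metadata stands; once the metadata is regenerated and signed with a different key, the digest check passes and the pinned fingerprint is the only thing left to catch the swap. The fingerprint is a placeholder (the poster elided the real one), `PINNED` is a stand-in for a file you maintain yourself, and sha256 of the package bytes stands in for the real metadata format.

```python
import hashlib
import re

# Prompt text as it appeared in the thread, fingerprint elided by the poster.
THREAD_PROMPT = """Do you want to accept this repository signature?
package_id :dummy;0.0.1;i386;data
repository_name: KDE_4_Stable
key_url: http://download.opensuse.org/repositories/KDE:/KDE4:/STABLE:/Desktop/openSUSE_11.2/
key_userid:KDE OBS Project <KDE@build.opensuse.org>
key_id: 27C070176F88BB2F
key_fingerprint: ...elided...
key_timestamp: Fri Apr 16 06:26:59 2010
type: gpg
"""

# Constructed placeholder, NOT the real fingerprint of the OBS key. A v4 OpenPGP
# long key id is the last 16 hex digits of the 40-digit fingerprint, so the
# placeholder is built to end in the key id shown in the prompt.
PLACEHOLDER_FPR = "1234567890ABCDEF12345678" + "27C070176F88BB2F"

# Fingerprints verified through a second channel (announcement, mailing list).
# Constructed dict here; on a real system this is a file you control.
PINNED = {"27C070176F88BB2F": PLACEHOLDER_FPR}

FIELD_RE = re.compile(r"^\s*([a-z_]+)\s*:\s*(.*?)\s*$")


def parse_prompt(text):
    """Turn the 'name: value' lines of the prompt into a dict; other lines are ignored."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def decide(fields, pinned):
    """Return 'accept', 'reject' or 'verify-out-of-band' for a parsed prompt."""
    key_id = fields.get("key_id", "").upper()
    fpr = fields.get("key_fingerprint", "").replace(" ", "").upper()
    if not re.fullmatch(r"[0-9A-F]{40}", fpr) or not re.fullmatch(r"[0-9A-F]{16}", key_id):
        return "verify-out-of-band"   # nothing in the prompt we can compare
    if not fpr.endswith(key_id):
        return "reject"               # key id and fingerprint contradict each other
    expected = pinned.get(key_id)
    if expected is None:
        return "verify-out-of-band"   # unknown key: check it before trusting it
    return "accept" if expected.upper() == fpr else "reject"


def build_metadata(packages):
    """Constructed stand-in for repo metadata: package name -> sha256 of its bytes.
    In a real repository this is what the repository key signs."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in packages.items()}


def packages_match_metadata(metadata, packages):
    """What a client checks once the metadata signature verified: every digest matches."""
    return set(metadata) == set(packages) and all(
        hashlib.sha256(packages[name]).hexdigest() == digest
        for name, digest in metadata.items()
    )


def tamper_scenario():
    """Post #9's scenario on constructed data. Returns (caught_with_old_metadata,
    passes_with_regenerated_metadata)."""
    packages = {"dummy-0.0.1.i386.rpm": b"constructed package bytes"}
    signed_metadata = build_metadata(packages)
    modified = {"dummy-0.0.1.i386.rpm": b"constructed package bytes, modified"}
    caught = not packages_match_metadata(signed_metadata, modified)
    regenerated_metadata = build_metadata(modified)   # re-signed with the new key
    passes = packages_match_metadata(regenerated_metadata, modified)
    return caught, passes


if __name__ == "__main__":
    print(decide(parse_prompt(THREAD_PROMPT), PINNED))   # fingerprint elided
    print(tamper_scenario())
```

On an openSUSE box the keys already accepted live in the rpm database and can be listed with `rpm -qa gpg-pubkey*`; a pinned list is only useful if you compare the prompt's fingerprint against something you obtained by a route other than the repository itself, which is the gap post #5 describes.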
