
Thread: new repository key - how to verify?

  1. #1

new repository key - how to verify?

    why is there no (easy) way to verify a new repository key?

    currently, the java repository at Index of /repositories/Java:/packages/openSUSE_11.4 has a new key 'F7B4039CC2C0E8D4', and zypper asks me, if i want to continue.

    but how on earth can i verify, if this new key is valid?

    why can't i find a page on opensuse.org, where all currently valid keys are listed?

    just saying 'yes' without verifying makes keys completely useless, and you can get rid of this annoying key verification...

  2. #2
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

Re: new repository key - how to verify?

    On 2011-10-27 09:46, hemathor wrote:
    > why is there no (easy) way to verify a new repository key?


    That's a very good question, for which there is no proper answer,
    unfortunately.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  3. #3

Re: new repository key - how to verify?

Well, someone asked me lately how to check the validity of my key. I told him to compare the output of these 2 commands:

    Code:
    wget -O  - http://download.opensuse.org/repositories/home:/please_try_again/openSUSE_11.4/repodata/repomd.xml.key 2>/dev/null
    and

Code:
# quote the pattern so the shell does not expand it against files in the current directory
for k in $(rpm -qa 'gpg-pubkey*') ; do
        # print the armored key block of every imported key whose description mentions the project
        rpm -qi "$k" | grep -q "please_try_again" && rpm -qi "$k" | sed -n '/BEGIN/,/END/p'
done
    However the second command implies that the key has been already imported.

    Re: [opensuse-buildservice] Verification of OpenPGP keys for OBS reposit

  4. #4
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

Re: new repository key - how to verify?

    On 2011-10-27 11:36, please try again wrote:
    >
    > Well, someone asked me lately how to check the validity of my key. I
> told him to compare the output of these 2 commands:


    How about key servers, and having keys signed by peers?

    A set of keys could be packaged as an rpm in the DVD, too. And be signed.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  5. #5

Re: new repository key - how to verify?

Quote Originally Posted by robin_listas
    On 2011-10-27 11:36, please try again wrote:
    >
    > Well, someone asked me lately how to check the validity of my key. I
> told him to compare the output of these 2 commands:


    How about key servers, and having keys signed by peers?
    Absolutely... But you know that the days here have only 48 hours (because of our 2 suns) and we only work 35 hours ... but uninterrupted.
    This key was created by OBS. I didn't really worry about it.

  6. #6
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

Re: new repository key - how to verify?

    On 2011-10-27 13:06, please try again wrote:
    >
    > robin_listas;2397825 Wrote:


    >> How about key servers, and having keys signed by peers?
    >>

    >
    > Absolutely... But you know that the days here have only 48 hours
    > (because of our 2 suns) and we only work 35 hours ... but uninterrupted.
    >
    > This key was created by OBS. I didn't really worry about it.


    I read somewhere that the kernel devs that want access need to have their
    key signed by someone that vouches for them. They have taken this measure
    after their site was broken into - but it is something that the entire
    Linux developing structure should do.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  7. #7
    Join Date
    Aug 2010
    Location
    Linden, NJ, USA
    Posts
    39

Re: new repository key - how to verify?

    Maybe a related useful question is why/under what conditions does a key change? Should there be some notice somewhere if a key has legitimately changed? Otherwise, as the original poster suggested, people are just going to click OK all the time anyway and the purpose of the signing is defeated... or they're never going to accept a changed key, and the packaging effort becomes useless if no one trusts it.

  8. #8
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

Re: new repository key - how to verify?

    On 2011-10-27 21:06, duncreg wrote:
    >
    > Maybe a related useful question is why/under what conditions does a key
    > change?


    Keys expire, unless you define them not to.

    > Should there be some notice somewhere if a key has legitimately
    > changed? Otherwise, as the original poster suggested, people are just
    > going to click OK all the time anyway and the purpose of the signing is
    > defeated... or they're never going to accept a changed key, and the
    > packaging effort becomes useless if no one trusts it.


    Absolutely.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

  9. #9
    Join Date
    Jun 2008
    Location
    Podunk
    Posts
    26,525
    Blog Entries
    15

Re: new repository key - how to verify?

    Quote Originally Posted by Carlos E. R.
    On 2011-10-27 21:06, duncreg wrote:
    >
    > Maybe a related useful question is why/under what conditions does a
    > key change?


    Keys expire, unless you define them not to.

    > Should there be some notice somewhere if a key has legitimately
    > changed? Otherwise, as the original poster suggested, people are just
    > going to click OK all the time anyway and the purpose of the signing
    > is defeated... or they're never going to accept a changed key, and the
    > packaging effort becomes useless if no one trusts it.


    Absolutely.
    Hi
    On the Open Build Service the keys can be extended, but sometimes
    people forget

They need to run:
    Code:
    osc signkey --extend <PROJECT>
    --
    Cheers Malcolm °¿° (Linux Counter #276890)
    openSUSE 11.4 (x86_64) Kernel 2.6.37.6-0.7-desktop
    up 3 days 5:37, 5 users, load average: 0.27, 0.13, 0.13
    GPU GeForce 8600 GTS Silent - Driver Version: 285.05.09
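The comparison in post #3 (downloaded repomd.xml.key versus the key rpm already imported) and the expiry question in posts #8 and #9 both come down to reading what is actually inside the key file. The script below is an added example, not code from this thread, from openSUSE or from the Open Build Service: it parses an ASCII-armored OpenPGP public key (RFC 4880), prints the full v4 fingerprint, the 16-hex-digit key ID that zypper shows in its prompt (the low 64 bits of that fingerprint), the creation time, and the expiry carried in the key's self-signature. The embedded sample key is constructed with toy RSA values and is not a real OBS key; the hypothetical `inspect_key` function and the `gpg-pubkey-<low 32 bits>` rpm naming shown are this example's own additions.

```python
# Added example (not from the forum thread): inspect an armored OpenPGP public key
# such as repomd.xml.key and report fingerprint, key ID, creation time and expiry.
import base64
import hashlib
import struct
from datetime import datetime, timedelta, timezone


def dearmor(text):
    """Strip ASCII armor (RFC 4880 6.2) and return the raw packet bytes."""
    lines = [l.strip() for l in text.splitlines()]
    start = next(i for i, l in enumerate(lines) if l.startswith("-----BEGIN PGP"))
    end = next(i for i, l in enumerate(lines) if l.startswith("-----END PGP"))
    body = lines[start + 1:end]
    if "" in body:                      # armor headers ("Version: ...") end at the first blank line
        body = body[body.index("") + 1:]
    # the trailing "=XXXX" line is the armor CRC24; it is not key data and is not
    # verified here, the fingerprint comparison is the check that matters
    return base64.b64decode("".join(l for l in body if not l.startswith("=")))


def packets(raw):
    """Yield (tag, body) for each packet; old- and new-format headers (RFC 4880 4.2)."""
    i = 0
    while i < len(raw):
        ctb = raw[i]
        if ctb & 0x40:                  # new-format header
            tag, first = ctb & 0x3F, raw[i + 1]
            if first < 192:
                length, hdr = first, 2
            elif first < 224:
                length, hdr = ((first - 192) << 8) + raw[i + 2] + 192, 3
            elif first == 255:
                length, hdr = struct.unpack(">I", raw[i + 2:i + 6])[0], 6
            else:
                raise ValueError("partial body lengths are not supported")
        else:                           # old-format header: length field of 1, 2 or 4 bytes
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate packet length is not supported")
            hdr = (2, 3, 5)[ltype]
            length = int.from_bytes(raw[i + 1:i + hdr], "big")
        yield tag, raw[i + hdr:i + hdr + length]
        i += hdr + length


def v4_fingerprint(body):
    """RFC 4880 12.2: SHA-1 over 0x99, the two-byte body length and the public-key packet body."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def key_expiry(sig_body, created):
    """Expiry from hashed subpacket 9 of a v4 signature (RFC 4880 5.2.3.6); None if never."""
    if sig_body[0] != 4:
        return None
    hashed_len = struct.unpack(">H", sig_body[4:6])[0]
    sub, j = sig_body[6:6 + hashed_len], 0
    while j < len(sub):
        first = sub[j]
        if first < 192:
            length, hdr = first, 1
        elif first < 255:
            length, hdr = ((first - 192) << 8) + sub[j + 1] + 192, 2
        else:
            length, hdr = struct.unpack(">I", sub[j + 1:j + 5])[0], 5
        if (sub[j + hdr] & 0x7F) == 9:  # key expiration time: seconds after key creation
            seconds = struct.unpack(">I", sub[j + hdr + 1:j + hdr + 5])[0]
            return created + timedelta(seconds=seconds)
        j += hdr + length
    return None


def inspect_key(armored):
    """Summarise the primary key of an armored block (hypothetical helper for this example)."""
    info = {}
    for tag, body in packets(dearmor(armored)):
        if tag == 6 and "fingerprint" not in info:           # primary public-key packet
            info["fingerprint"] = v4_fingerprint(body)
            info["keyid"] = info["fingerprint"][-16:]         # low 64 bits: the ID zypper prints
            info["rpm_name"] = "gpg-pubkey-" + info["keyid"][-8:].lower()  # rpm's package name prefix
            info["created"] = datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], tz=timezone.utc)
        elif tag == 2 and "fingerprint" in info and "expires" not in info:  # first self-signature
            info["expires"] = key_expiry(body, info["created"])
    return info


# Constructed sample (not a real OBS key): RSA public-key packet with toy MPIs, a
# user-ID packet, and a positive-certification signature carrying a one-year expiry.
SAMPLE_KEY_BODY = (b"\x04" + struct.pack(">I", 1319673600)     # v4, created 2011-10-27 00:00 UTC
                   + b"\x01" + b"\x00\x08\xc5" + b"\x00\x05\x11")  # algorithm 1 (RSA), MPIs n and e
SAMPLE_SIG_BODY = (b"\x04\x13\x01\x02"                          # v4, positive cert, RSA, SHA-1
                   + b"\x00\x06" + b"\x05\x09" + struct.pack(">I", 365 * 86400)  # hashed: subpacket 9
                   + b"\x00\x00" + b"\xab\xcd" + b"\x00\x08\x42")  # no unhashed area, hash bits, MPI
SAMPLE_RAW = (b"\x98" + bytes([len(SAMPLE_KEY_BODY)]) + SAMPLE_KEY_BODY   # tag 6, old-format header
              + b"\xb4\x0bexample key"                                   # tag 13, user ID
              + b"\x88" + bytes([len(SAMPLE_SIG_BODY)]) + SAMPLE_SIG_BODY)  # tag 2, signature
SAMPLE_KEY = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
              + base64.b64encode(SAMPLE_RAW).decode() + "\n=AAAA\n"        # placeholder CRC line
              + "-----END PGP PUBLIC KEY BLOCK-----\n")

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_KEY  # e.g. repomd.xml.key
    info = inspect_key(text)
    print("fingerprint:", info["fingerprint"])
    print("key ID (as zypper shows it):", info["keyid"], "  rpm name prefix:", info["rpm_name"])
    print("created:", info["created"], " expires:", info["expires"])
```

Run it with the path of a downloaded repomd.xml.key as its argument and compare the full 40-digit fingerprint, not just the 16-digit ID from the zypper prompt, against a copy obtained through an independent channel: the already imported key that post #3 extracts with `rpm -qi`, or the key published on the project's own page. If a changed key file yields the same fingerprint and only a later expiry, the key material is unchanged and you are looking at the extension Malcolm describes with `osc signkey --extend`; a different fingerprint is a genuinely new key and needs a fresh out-of-band confirmation before accepting it.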


  10. #10
    Join Date
    Feb 2009
    Location
    Spain
    Posts
    25,547

Re: new repository key - how to verify?

    On 2011-10-27 21:48, malcolmlewis wrote:

    > Hi
    > On the Open Build Service the keys can be extended, but sometimes
    > people forget


    The thing is, with the current status, the keys are as good as nothing. The
    users have no way to know if the keys are valid when adding a repo, or when
    eventually they change. If there is an attack one day, as we are used to
    accept the keys with an [enter], we will be damaged. We have no way to
    differentiate a normal key change from a genuine attack.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 11.4 x86_64 "Celadon" at Telcontar)

