Thread: Where does zypper install the repository or package signing keys?

#1

    Where does zypper install the repository or package signing keys?

    I have two almost identical virtual machines, snip and snap.

    While updating them today, one asked to confirm a new `repository or package signing key`, the other didn't.

    I want to make really sure I didn't do anything wrong (just in case one of them got compromised in one way or another), especially since the system not asking for the key indicates all repositories are up to date.

    So:

    1. Where does zypper install these keys?
    2. How can I list the installed keys?
    3. How can I verify these keys are indeed valid?


    System asking to trust the key:

    Code:
    snap:/home/jeroenp # zypper repos -d
    #  | Alias                     | Name                               | Enabled | Refresh | Priority | Type   | URI                                                                                             | Service
    ---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
     1 | Security_-_openSUSE_12.3  | Security - openSUSE 12.3           | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/                               |        
     2 | openSUSE-12.3-1.6         | openSUSE-12.3-1.6                  | Yes     | No      |   99     | yast2  | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |        
     3 | repo-debug                | openSUSE-12.3-Debug                | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/12.3/repo/oss/                                  |        
     4 | repo-debug-update         | openSUSE-12.3-Update-Debug         | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3/                                                 |        
     5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3-non-oss/                                         |        
     6 | repo-non-oss              | openSUSE-12.3-Non-Oss              | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/non-oss/                                    |        
     7 | repo-oss                  | openSUSE-12.3-Oss                  | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/oss/                                        |        
     8 | repo-source               | openSUSE-12.3-Source               | No      | Yes     |   99     | NONE   | http://download.opensuse.org/source/distribution/12.3/repo/oss/                                 |        
     9 | repo-update               | openSUSE-12.3-Update               | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3/                                                       |        
    10 | repo-update-non-oss       | openSUSE-12.3-Update-Non-Oss       | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3-non-oss/                                               |        
    snap:/home/jeroenp # zypper update
    Retrieving repository 'Security - openSUSE 12.3' metadata ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[\]
    
    
    New repository or package signing key received:
    Key ID: 69D1B2AAEE3D166A
    Key Name: security OBS Project <security@build.opensuse.org>
    Key Fingerprint: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A
    Key Created: Mon May 26 11:04:43 2014
    Key Expires: Wed Aug  3 11:04:42 2016
    Repository: Security - openSUSE 12.3
    
    
    Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): ^Csnap:/home/jeroenp # ^C
    snap:/home/jeroenp #

    System not asking to trust the key:

    Code:
    snip:/home/jeroenp # zypper repos -d
    #  | Alias                     | Name                               | Enabled | Refresh | Priority | Type   | URI                                                                                             | Service
    ---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
     1 | Security_-_openSUSE_12.3  | Security - openSUSE 12.3           | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/                               |        
     2 | openSUSE-12.3-1.6         | openSUSE-12.3-1.6                  | Yes     | No      |   99     | yast2  | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |        
     3 | repo-debug                | openSUSE-12.3-Debug                | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/distribution/12.3/repo/oss/                                  |        
     4 | repo-debug-update         | openSUSE-12.3-Update-Debug         | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3/                                                 |        
     5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No      | Yes     |   99     | NONE   | http://download.opensuse.org/debug/update/12.3-non-oss/                                         |        
     6 | repo-non-oss              | openSUSE-12.3-Non-Oss              | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/non-oss/                                    |        
     7 | repo-oss                  | openSUSE-12.3-Oss                  | Yes     | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/12.3/repo/oss/                                        |        
     8 | repo-source               | openSUSE-12.3-Source               | No      | Yes     |   99     | NONE   | http://download.opensuse.org/source/distribution/12.3/repo/oss/                                 |        
     9 | repo-update               | openSUSE-12.3-Update               | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3/                                                       |        
    10 | repo-update-non-oss       | openSUSE-12.3-Update-Non-Oss       | Yes     | Yes     |   99     | rpm-md | http://download.opensuse.org/update/12.3-non-oss/                                               |        
    snip:/home/jeroenp # zypper update
    Loading repository data...
    Reading installed packages...
    
    
    The following package update will NOT be installed:
      libudev0 
    
    
    Nothing to do.
    snip:/home/jeroenp # zypper refresh
    Repository 'Security - openSUSE 12.3' is up to date.
    Repository 'openSUSE-12.3-1.6' is up to date.
    Repository 'openSUSE-12.3-Non-Oss' is up to date.
    Repository 'openSUSE-12.3-Oss' is up to date.
    Repository 'openSUSE-12.3-Update' is up to date.
    Repository 'openSUSE-12.3-Update-Non-Oss' is up to date.
    All repositories have been refreshed.
    
    snip:/home/jeroenp #

#2

    Re: Where does zypper install the repository or package signing keys?

    On 2014-05-31 12:36, jpluimers wrote:
    > - Where does zypper install these keys?
    > - How can I list the installed keys?
    > - How can I verify these keys are indeed valid?


    Good question.

    The only zypper commands available related to keys are these two:

    Code:
    --no-gpg-checks         Ignore GPG check failures and continue.
    --gpg-auto-import-keys  Automatically trust and import new repository
                            signing keys.

    And there is nothing in the configuration directory "/etc/zypp/" related
    to "key", "pgp" or "gpg".


    But I found something. Under "/var/cache/zypp/raw/REPO_ALIAS/repodata"
    there are some files related to the keys: repomd.xml.asc, repomd.xml.key
    (and they are not xml at all).

    So I guess that removing those two would force for the question to be
    asked again.

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)

#3

    Re: Where does zypper install the repository or package signing keys?

    Quote Originally Posted by robin_listas:
    On 2014-05-31 12:36, jpluimers wrote:
    > - Where does zypper install these keys?
    > - How can I list the installed keys?
    > - How can I verify these keys are indeed valid?


    Good question.
    Thanks.

    Quote Originally Posted by robin_listas:
    On 2014-05-31 12:36, jpluimers wrote:
    But I found something. Under "/var/cache/zypp/raw/REPO_ALIAS/repodata"
    there are some files related to the keys: repomd.xml.asc, repomd.xml.key
    (and they are not xml at all).
    I did some more research. The files are these:

    • repomd.xml: the signed repository metadata file (this is XML)
    • repomd.xml.asc: ASCII-armored signature of repomd.xml
    • repomd.xml.key: ASCII-armored public key used to create the signature


    My directory /var/cache/zypp/raw/Security_-_openSUSE_12.3/repodata is actually a cache for the files at this URL: http://download.opensuse.org/reposit...12.3/repodata/

    So I wrote this little gist script: https://gist.github.com/jpluimers/431187328084928d15df

    It is based on this entry by Tojaj: https://github.com/Tojaj/librepo/iss...mment-20475952

    If you copy my script to ~/repomd_test.sh, then you can call it like this:

    Code:
    for d in /var/cache/zypp/raw/*/repodata; do ~/repomd_test.sh $d; done

    It will show you the keys and fingerprints, then test if the repomd.xml file matches the signature.

    Back to my original question: what apparently happened is that when running yast to search for a package, I must have hit enter on one of the machines thereby loading that key into the zypper cache.

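    The following is an added example, written for this page and not the gist script linked above. It does in one place what posts #2 and #3 circle around: it lists the signing keys the system already trusts, and for each cached repodata directory it imports repomd.xml.key into a throw-away GnuPG keyring, prints the key's fingerprint, and checks repomd.xml against repomd.xml.asc. Two facts it relies on: the 16-hex-digit "Key ID" in zypper's prompt is just the last 16 hex digits of the 40-digit fingerprint (compare Key ID 69D1B2AAEE3D166A with fingerprint AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A in post #1), and keys that were trusted "always" are stored in the rpm database as pseudo-packages named gpg-pubkey-<last 8 hex digits, lower case>-<creation time in hex>, which is where libzypp keeps its trusted keyring. The script assumes gpg and rpm are installed and that the cache lives under /var/cache/zypp/raw/<ALIAS>/repodata as in the thread; the function names are mine.

```shell
#!/bin/sh
# Added example, not the thread's gist. Assumes gpg and rpm are installed and
# the zypper cache lives under /var/cache/zypp/raw/<ALIAS>/repodata.

# zypper's prompt prints a 16-hex-digit Key ID: the last 16 hex digits of the
# 40-digit fingerprint.
keyid_from_fingerprint() {
    printf '%s' "$1" | tail -c 16
}

# Keys trusted "always" land in the rpm database as pseudo-packages named
# gpg-pubkey-<last 8 hex digits, lower case>-<creation time hex>.
# Accepts either a 16-digit Key ID or a 40-digit fingerprint.
rpm_pubkey_name_from_keyid() {
    printf 'gpg-pubkey-%s' "$(printf '%s' "$1" | tail -c 8 | tr 'A-F' 'a-f')"
}

# Every signing key the rpm database (and therefore zypper) currently trusts.
list_trusted_keys() {
    rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'
}

# For one repodata directory: import repomd.xml.key into a temporary keyring,
# report its fingerprint, say whether that key is already trusted in the rpm
# database, and verify repomd.xml.asc over repomd.xml.
# Exit status: 0 = signature good, 1 = signature bad, 2 = nothing to check.
verify_repodata() {
    dir=$1
    for f in repomd.xml repomd.xml.asc repomd.xml.key; do
        [ -f "$dir/$f" ] || { echo "$dir: no $f, skipping"; return 2; }
    done
    home=$(mktemp -d) || return 2
    gpg --homedir "$home" --batch --quiet --import "$dir/repomd.xml.key" 2>/dev/null
    # With --with-colons, the "fpr" record carries the fingerprint in field 10;
    # the first one belongs to the primary key.
    fpr=$(gpg --homedir "$home" --batch --with-colons --list-keys 2>/dev/null \
          | awk -F: '$1 == "fpr" { print $10; exit }')
    if rpm -q "$(rpm_pubkey_name_from_keyid "$fpr")" >/dev/null 2>&1; then
        trust="trusted in rpm db"
    else
        trust="NOT in rpm db"
    fi
    if gpg --homedir "$home" --batch --verify "$dir/repomd.xml.asc" "$dir/repomd.xml" 2>/dev/null; then
        status=OK; rc=0
    else
        status=BAD; rc=1
    fi
    rm -rf "$home"
    echo "$dir: key $fpr (ID $(keyid_from_fingerprint "$fpr")), $trust, signature $status"
    return $rc
}

# Usage: sh verify_repomd.sh /var/cache/zypp/raw/*/repodata
for d in "$@"; do
    verify_repodata "$d"
done
```

    A good signature here only proves that repomd.xml was signed by the key shipped next to it in the same directory; a mirror that is in a position to replace repomd.xml can replace repomd.xml.key just as easily. The actual trust decision is the fingerprint comparison, which is why the script also checks the rpm database instead of treating "signature OK" as proof. To inspect a trusted key in full, query the pseudo-package by name, e.g. rpm -qi gpg-pubkey-ee3d166a-*, whose Description field contains the armored key.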
#4

    Re: Where does zypper install the repository or package signing keys?

    On 2014-05-31 18:46, jpluimers wrote:

    ....

    > It will show you the keys and fingerprints, then test if the -repomd.xm-
    > file matches the signature.


    Interesting :-)

    --
    Cheers / Saludos,

    Carlos E. R.
    (from 13.1 x86_64 "Bottle" at Telcontar)
