I agree, but how is anyone supposed to know this? Keys are updated all the time, but there seems to be no central location to verify this. So we see all the time “new key, do you accept?” but no way to verify this. So it becomes like Windows and users must accept it or forgo the update or install. Keys are a great idea, but there needs to be an independent way to verify them. And every user must know the way.
I agree entirely - the reason it gives you a warning is in case someone has maliciously changed the repository, surely? A list of keys on the opensuse repositories page would be helpful, so at least we can make an informed decision as to why the key has changed. Or even better, they could announce when they are going to change the keys.
That said, I blindly accepted all the keys when I first added the repositories - but again, what choice did I have?
Before this becomes an issue much larger than it should be: Has anyone experienced the appearance of loads of malicious packages?
What I suspect is going to happen, if keys are getting published is this:
Endless lists of long key-strings (just browse Index of /repositories/home:). Number of page hits after one month: zero.
It’s quite simple: each package is signed, you need the key it’s signed with. If it’s signed with some other key, nothing will work, until you accept that key. AFAIK there can only be one key in a repo, so changing it would make all other packages in that repo invalid.
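One practical answer to the "no way to verify" complaint above is to pin the fingerprints of the repository keys you have checked out-of-band and compare any newly offered key file against that list before telling zypper to accept it. The script below is an added example, not code from the thread or from openSUSE; it assumes GnuPG 2.1.23 or later (for `--show-keys`, which prints a key file without importing it) and the fingerprints in it are constructed placeholders, not real openSUSE key fingerprints.

```python
"""Check a repository signing key file against a pinned allowlist of fingerprints."""
import subprocess
import sys

# Constructed placeholder fingerprints for illustration only; replace with the
# fingerprints you verified out-of-band (announcement, wiki, another channel).
PINNED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567": "example-repo (placeholder)",
}

# Constructed sample of `gpg --with-colons --show-keys` output for a 4096-bit key
# with one encryption subkey; used by the test and as a reference for the format.
SAMPLE_OUTPUT = (
    "pub:-:4096:1:0123456789ABCDEF:1600000000::-:::scESC::::::23::0:\n"
    "fpr:::::::::0123456789ABCDEF0123456789ABCDEF01234567:\n"
    "uid:-::::1600000000::0000::Example Repo Key <placeholder@example.invalid>::::::::::0:\n"
    "sub:-:4096:1:FEDCBA9876543210:1600000000::::::e::::::23:\n"
    "fpr:::::::::FEDCBA9876543210FEDCBA9876543210FEDCBA98:\n"
)

def parse_fingerprints(colon_output: str) -> list:
    """Return the primary-key fingerprints from gpg colon-format output.

    An `fpr` record carries the fingerprint in field 10 (index 9). Only the
    `fpr` that directly follows a `pub` record is a primary key; an `fpr`
    after `sub` belongs to a subkey and is ignored here.
    """
    fingerprints = []
    expect_primary = False
    for line in colon_output.splitlines():
        fields = line.split(":")
        if fields[0] == "pub":
            expect_primary = True
        elif fields[0] == "sub":
            expect_primary = False
        elif fields[0] == "fpr" and expect_primary and len(fields) > 9:
            fingerprints.append(fields[9].upper())
            expect_primary = False
    return fingerprints

def check_key(colon_output: str, pinned=PINNED_FINGERPRINTS) -> dict:
    """Map each primary fingerprint to its pinned label, or None if not pinned."""
    return {fp: pinned.get(fp) for fp in parse_fingerprints(colon_output)}

def show_key_file(path: str) -> str:
    """Print a key file in colon format without importing it into any keyring."""
    return subprocess.run(["gpg", "--with-colons", "--show-keys", path],
                          check=True, capture_output=True, text=True).stdout

if __name__ == "__main__":
    result = check_key(show_key_file(sys.argv[1]))
    for fp, label in result.items():
        print(f"{fp}: {label or 'NOT PINNED - verify out-of-band before accepting'}")
    sys.exit(0 if result and all(result.values()) else 1)
```

Run it on the key file a repository offers (for example the file zypper names in its prompt) and accept the key in zypper only when every primary fingerprint maps to a pinned entry.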
I’m not sure, but I think zypper only verifies the metadata signature, not the package ones.
An attacker could generate a new package unsigned or signed by himself, modify the metadata to include its modified package, sign the metadata with its own key and change the key.
You would have a single modified package and: