Import Untrusted GnuPG Key - OpenSuse Update and YAST

Hi,

Had this error after trying to update the system:

**Import Untrusted GnuPG Key**
**ID:** B2F796E76867F5BE
**Name:** Martin Schlander (cb400f)
**Fingerprint:** BB43 B333 6DDF 49C5 C5A6 3613 B2F7 96E7 6867 F5BE
**Created:** 09/03/11
**Expires:** Never

Is this a trusted GnuPG key, or is there a problem with the repository? With all the issues of hacking, I would not want to trust this repo if it is distributing “bad” binaries.

Thanks and Regards,

Shadders.

Please post in Code-Tags:

zypper lr -d

On 2015-08-01 11:16, shadders wrote:

> *Is this a trusted GnuPG Key or is there a problem with the repository
> ??? - with all the issues of hacking, would not want to trust this repo
> if it is distributing “bad” binaries.

Absolutely all GPG keys are untrusted, until you personally vouch that
you trust each one.

It is you, who personally knows the person that owns the key, signing and
testifying to the world that he is really the person that created that key.

Or you testify to some other person who happens in turn to testify to
another key, and this person to another, till it reaches the key you
are interested in.

That’s how the PGP chain of trust works. As documented :slight_smile:


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

I usually see that when I add the “libdvdcss” repo. I accept it.

It would be nice if there were some way for us to add these keys in advance, instead of having to make an at-the-moment decision. I think there’s an openFATE request for such an enhancement. But, for the present, just accept the key. If you add Packman repos, there will also be a key for those that you will need to approve.

HI All,

Thanks for the replies.

I understand that GPG relies upon accepting trust of other people's keys - and that is what I am asking - why now do I have to accept this key to download from a repo?

Assume that the system has been hacked - and the key is from a false repo.

How do we as users of openSUSE know that the key is valid?

Is there a list of valid keys for repos published?

I would rather check this than blindly accept it - which is just what hackers rely upon.

Hence - I am questioning security - and how I can ensure that the key is valid? Thanks.

Regards,

Shadders.

Hi,

As requested :

zypper lr -d

# | Alias                | Name                         | Enabled | GPG Check | Refresh | Priority | Type   | URI                                                              | Service
--+----------------------+------------------------------+---------+-----------+---------+----------+--------+------------------------------------------------------------------+--------
1 | Packman              | Packman                      | No      | ----      | Yes     |   99     | rpm-md | http://packman.inode.at/suse/openSUSE_13.2/                      |
2 | Packman Repository   | Packman Repository           | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://ftp.gwdg.de/pub/linux/packman/suse/openSUSE_13.2/         |
3 | Science              | Science                      | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/repositories/science/openSUSE_13.2/ |
4 | libdvdcss repository | libdvdcss repository         | Yes     | ( p) Yes  | Yes     |   99     | rpm-md | http://opensuse-guide.org/repo/13.2/                             |
5 | repo-non-oss         | openSUSE-13.2-Non-Oss        | Yes     | ( p) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/13.2/repo/non-oss/     |
6 | repo-oss             | openSUSE-13.2-Oss            | Yes     | ( p) Yes  | Yes     |   99     | yast2  | http://download.opensuse.org/distribution/13.2/repo/oss/         |
7 | repo-update          | openSUSE-13.2-Update         | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/13.2/                        |
8 | repo-update-non-oss  | openSUSE-13.2-Update-Non-Oss | Yes     | (r ) Yes  | Yes     |   99     | rpm-md | http://download.opensuse.org/update/13.2-non-oss/                |

Thanks and regards,

Shadders

Good question.

I don’t think there’s an easy answer.

You can use:


cd /var/cache/zypp/raw
find . -name '*.key'

to find all of the relevant key files.

I guess you could then import those into a keyring and do some of your own checking.

I think you would still need to first tell zypper/yast to accept the key. You could then mark the repo as disabled until you are satisfied with the keys.
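As an added example (not code from any poster in this thread), the Python below shows how the “ID” and “Fingerprint” fields in the YaST dialog relate to each other and how to compare the displayed fingerprint against one a repository maintainer publishes. The key material it builds is constructed for illustration and is not the key from the dialog; on a real system the key would be read from the .key files under /var/cache/zypp/raw mentioned above (for example with `gpg --with-fingerprint`).

```python
import hashlib
import struct


def mpi(value: int) -> bytes:
    """Encode a positive integer as an OpenPGP MPI (RFC 4880 section 3.2):
    two-byte bit length followed by the big-endian magnitude."""
    bit_len = value.bit_length()
    return struct.pack(">H", bit_len) + value.to_bytes((bit_len + 7) // 8, "big")


def rsa_pubkey_body(created: int, n: int, e: int) -> bytes:
    """Body of a version-4 RSA public-key packet (RFC 4880 section 5.5.2):
    version, creation time, algorithm 1 (RSA), then the MPIs n and e."""
    return b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)


def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the two-byte body length and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(fingerprint: str) -> str:
    """Strip the display grouping and case so fingerprints compare byte for byte."""
    return "".join(fingerprint.split()).upper()


def long_key_id(fingerprint: str) -> str:
    """The 64-bit 'ID' YaST shows is just the low 8 bytes of the fingerprint."""
    return normalize(fingerprint)[-16:]


def display(fingerprint: str) -> str:
    """Render a fingerprint in the 4-hex-digit groups the YaST dialog uses."""
    f = normalize(fingerprint)
    return " ".join(f[i:i + 4] for i in range(0, len(f), 4))


def fingerprint_matches(displayed: str, published: str) -> bool:
    """Compare the full 160-bit fingerprint; the truncated ID alone is not enough,
    because two different keys can share the same trailing 16 hex digits."""
    a, b = normalize(displayed), normalize(published)
    return len(a) == 40 and a == b


if __name__ == "__main__":
    # Constructed sample key material (not a real key): arbitrary modulus, e = 65537.
    body = rsa_pubkey_body(created=1299110400, n=0xC0FFEE_1234_5678 | 1, e=65537)
    fp = v4_fingerprint(body)
    print(display(fp), long_key_id(fp))
```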

wow that is unreadable, use the code tag, it's the **#** button.
You seem to have packman twice; I think you added it first with zypper and then again with yast, and you used a different URL for it too. As they're different mirrors, and sometimes it takes time to sync all mirrors, you might have issues, so remove one. The rest of your repos seem fine.

On 2015-08-02 21:06, shadders wrote:
>
> HI All,
>
> Thanks for the replies.
>
> I understand that GPG relies upon accepting trust of other peoples keys
> - and that is what i am asking - why now do i have to accept this key to
> download from a repo ?

GPG works that way. You have to sign the keys yourself. Or somebody that
you trust, and whose key you signed, previously signed them.

Nothing has changed.

> Assume that the system has been hacked - and the key is from a false
> repo.
>
> How do we as users of OpenSuse know that the key is valid ?

You can not.

> Is there a list of valid keys for repo’s published ?

No.

> Hence - i am questioning security - and how i can ensure that the key is
> valid ?. Thanks.

You can not.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Hi All,

Apologies for not using the code font.

What seems to be occurring is that Yast requests I accept the GnuPG key for:

4 | libdvdcss repository | libdvdcss repository | Yes | ( p) Yes | Yes | 99 | rpm-md | http://opensuse-guide.org/repo/13.2/

This has worked before - so someone has changed the GnuPG.

Accessing the link I obtain a forbidden access error 403.

So - in the interest of security - should we as a community be publishing the keys for the repositories ?

Unless this is done, we could be accepting bad repositories and hence trojans or other things installed on people's PCs.

Regards,

Shadders.

Keys do change as they time out.

On 2015-08-03 16:46, shadders wrote:
>
> Hi All,
>
> Apologies for not using the code font.

You still do not understand. It is not a FONT change. It is a CODE TAGS
BLOCK, accessed by pressing the #] button in the editor.

The purpose is not to change the size of letters, but to tell the forum
software not to change the text inside, so that we see it intact, unaltered.

> What seems to be occurring is that Yast requests i accept the GnuPG key
> for :
>
> 4 | libdvdcss repository | libdvdcss repository         | Yes    | ( p) Yes  | Yes     |   99     | rpm-md |  http://opensuse-guide.org/repo/13.2/

> This has worked before - so someone has changed the GnuPG.

Well, yes, it happens now and then, yes.

> Accessing the link i obtain forbidden access error 403.

Me too.

But notice that some repositories forbid browsing, yet they work with
yast, because yast doesn’t “browse”.

> So - in the interest of security - should we as a community be
> publishing the keys for the repositories ?

No. Not “we”, but “them”. The people that create and maintain any repo
should publish somewhere their keys. And the openSUSE project should
have a link or page for that, yes.

However, the above page does not belong to the openSUSE project.

For instance, packman does:

http://packman.links2linux.org/help

However, how do you know that the page was not hijacked? You’d say: use
https instead. Yes, you may… but in this case, the certificate is
private (thus untrusted), and the link is dead, anyway.

> Unless this is done, we could be accepting bad repositories and hence
> trojan’s or other installed on people PC.

True.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

I’ve been prompted for a Martin Schlander key every time that I add the “libdvdcss” repo. And since I do a clean install, rather than an upgrade, this happens for every new release of openSUSE.

A new install wipes any certs that are set, so you do get a prompt from most repos to accept their cert. I think the normal openSUSE repos are pre-certified.

But this is a general problem with certs from anywhere. The only way to be absolutely certain is to use only open source and install/use only self-audited source files. That may be a bit tedious for most :stuck_out_tongue:

Ah, no. That’s far too risky.

The only way to absolute certainty is to write all of the code yourself (including the operating system and even the BIOS).

I think I’ll try to make do with less than absolute certainty.

On 2015-08-03 18:26, gogalthorp wrote:
>
> A new install wipes any certs that are set so you do get a prompt from
> most repos to accept their cert. I think the normal openSUSE repos are
> pre certified

Yes, because the keys themselves are packaged in an rpm package, so they
get installed. A few keys. And if those keys are used to sign other
keys, they also get validated by the chain of trust.

But the opensuse-guide.org key, being external, would not be signed with
those keys.

> But this is a general problem with certs from anywhere. The only way to
> be absolutely certain is to use only open source and install/use only
> self audited source files. That maybe a bit tedious for most :stuck_out_tongue:

Mmm… I think that key validity and code trustedness are different,
unrelated things :slight_smile:

Key validity only certifies that the person that signs something is
really that person, and no other. Not that the software he creates is
good and safe, it could be a trojan :stuck_out_tongue:

It is a problem with the PGP model. There is no certification authority.
If we used one such, and those centralized certificates, we would not
have such problems. We’d have others, like perhaps paying.


Cheers / Saludos,

Carlos E. R.
(from 13.1 x86_64 “Bottle” at Telcontar)

Hi All,

Apologies for the code bit again - I copied from the code in a response thinking the format would also copy.

Thanks for all the replies and help on this - much appreciated. I will have to accept the key - or not allow updates. So, will research a bit more about libdvdcss.

Thanks and regards,

Shadders.

On 2015-08-04 11:56, shadders wrote:
>
> Hi All,
>
> Apologies for the code bit again - i copied from the code in a response
> thinking the format would also copy.
>
> Thanks for all the replies and help on this - much appreciated. I will
> have to accept the key - or not allow updates. So, will research a bit
> more about libdvdcss.

That repository contains a single package, that is needed only if you
want to view a commercial movie DVD in your computer, because it is
protected. That package breaks the protection.

It also is, or may be, or it is argued to be, illegal in some countries.
If you google about it, you may find tons of ways that particular piece
of code could be distributed, like in song lyrics, to play around
prohibitions.

If you doubt that repository, you can download the code from a ton of
sites and compile it yourself.

Or just download it from that repo, whose sole purpose is to distribute
it outside of opensuse or packman servers.


Cheers / Saludos,

Carlos E. R.

(from 13.1 x86_64 “Bottle” (Minas Tirith))

Hi Robin,

Thanks - I sent the admin for the site a message asking for the key to be published to ensure we can confirm the security. Thanks.

Regards,

Shadders.