new repository key - how to verify?

Thanks Jim. An openFATE request required?

On 10/27/2011 03:33 AM, Carlos E. R. wrote:
> On 2011-10-27 11:36, please try again wrote:
>>
>> Well, someone asked me lately how to check the validity of my key. I
>> told him to compare the output of these 2 commands:
>
> How about key servers, and having keys signed by peers?
>
> A set of keys could be packaged as an rpm in the DVD, too. And be signed.
>

The key server that got hacked recently?

I really don’t know how something like this can be verified by a user.
For all I know, every time I get a key I just have to trust that it is OK.


Euer Komputerfriek Joerg
using LXDE on 11.4 x64 and happy with a cup of real hot coffee…
Need help? Call 207.252.3.96 (really)

On 2011-10-28 01:11, Jim Henderson wrote:
> Kinda like having an SSL certificate that validates against a private CA.

Not quite! What we have is equivalent to having self signed SSL
certificates. The chain of trust in PGP is not implemented in OBS management.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On 2011-10-28 01:26, deano ferrari wrote:
>
> Thanks Jim. An openFATE request required?

The issue has been raised other times, to no effect.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On Thu, 27 Oct 2011 23:28:08 +0000, Carlos E. R. wrote:

> On 2011-10-28 01:11, Jim Henderson wrote:
>> Kinda like having an SSL certificate that validates against a private
>> CA.
>
> Not quite! What we have is equivalent to having self signed SSL
> certificates. The chain of trust in PGP is not implemented in OBS
> management.

That’s why I said “kinda like”. :-)

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

On Thu, 27 Oct 2011 23:26:02 +0000, deano ferrari wrote:

> Thanks Jim. An openFATE request required?

Probably not a bad idea.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

Back to the repo mentioned in the first post. I removed older java keys, imported this one:

# rpm --import http://download.opensuse.org/repositories/Java:/packages/openSUSE_11.4/repodata/repomd.xml.key

It was added successfully

# for k in $(rpm -qa 'gpg-pubkey*') ; do echo -n "$k " ; rpm -qi "$k" | sed -n 's/^Summary *: //p' ; done

...

**gpg-pubkey-c2c0e8d4-4e841cb4** gpg(Java:packages OBS Project <Java:packages@build.opensuse.org>)

...


and looks like this:

# rpm -qi **gpg-pubkey-c2c0e8d4-4e841cb4**
Name        : gpg-pubkey                   Relocations: (not relocatable)
Version     : c2c0e8d4                          Vendor: (none)
Release     : 4e841cb4                      Build Date: **Fri 28 Oct 2011 01:23:15 AM PDT**
Install Date: Fri 28 Oct 2011 01:23:15 AM PDT      Build Host: localhost
Group       : Public Keys                   Source RPM: (none)
Size        : 0                                License: pubkey
Signature   : (none)
Summary     : gpg(Java:packages OBS Project <Java:packages@build.opensuse.org>)
Description :
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.8.0 (NSS-3)

mQGiBE6EHSERBAChZhro0JLsSqLy6fl/xyuxXDJ8C/8V5kYoGsIBEtR5b/thiygzTr5UUSlM
1cktLq19C15V79lRJXRPxgr0CAmFeC3K/WxVDTntbv3r8LkxXsA2k+NDFIiWZpycq4BuixFh
LVj+NAx90Nu6BhZRb+ZKKCkxa06CBxK8tnRmIK89NwCg+ONs3olok2l2iV6ivMVq0BwYESMD
/2A3LPrVcPD1ApaLrXmUJtVsAzPt9guww2A7pQBmVS2JpkyuIO4NouKPNmBGgktWVipLIRpo
m6bXdiNcO+kNJ64t/4AGskXX/+13ug+X5I9/uEyg4LrmmlmB0YiEQPMF7ArOb+D2ljFN0PR3
V+XR4KWIwfEvmbpfBpJ5sUoPBMz7A/9Ff89/mSlWOonUp4MEuHBj3uE+/aaQ1xFbBdFaGzub
VyY3v9tQ+hm2f2nkeNtwx712QJdgeaiZS4Hke2gubibbhXYez9LiSKpM7CUpnJ8UOD6C7K4h
oH1meHFx3JafAVYBXj6NY6aWadNWE/tXOxSjfvYOZEvt3mM4VWWk2VzYHbQ8SmF2YTpwYWNr
YWdlcyBPQlMgUHJvamVjdCA8SmF2YTpwYWNrYWdlc0BidWlsZC5vcGVuc3VzZS5vcmc+iGYE
ExECACYFAk6EHLQCGwMFCQQer5MGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRD3tAOcwsDo
1FI7AKCQE2+TSl0JoBNMn9EExWPhlMUtYgCg5c6SlFsFt2OiF2ewlLjdV9RQis+IRgQTEQIA
BgUCToQdIQAKCRA7MBG3a51lI102AJ9qKJcdVOg3X8DA5JONSjNJfZ54xACcD3XZWUPzO8d+
ovEuZQvihGcFOgk=
=uM8o
-----END PGP PUBLIC KEY BLOCK-----

Distribution: (none)

But zypper refresh still complains about this key:

Retrieving repository 'openSUSE:Java' metadata
File 'repomd.xml' from repository 'openSUSE:Java' is signed with an unknown key 'F7B4039CC2C0E8D4'. Continue? [yes/no] (no):

BTW, I just posted a script to list, display, export and remove gpg public keys: list, export and remove RPM GPG keys.

But I’m still confused: As far as those java packages are concerned, is the advice from the gurus that, since they’re on the openSuSE server, they’re safe so just accept the key and update, or is it that accepting unknown keys is an obvious security risk and only the foolish do it? Or is it that there isn’t (and can’t be) any standard procedure in such instances?

Gregg

On 2011-11-02 11:26, greggmoore wrote:
>
> But I’m still confused: As far as those java packages are concerned, is
> the advice from the gurus that, since they’re on the openSuSE server,
> they’re safe so just accept the key and update, or is it that accepting
> unknown keys is an obvious security risk and only the foolish do it? Or
> is it that there isn’t (and can’t be) any standard procedure in such
> instances?

There is no good answer to that.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

On Wed, 02 Nov 2011 10:26:02 +0000, greggmoore wrote:

> But I’m still confused: As far as those java packages are concerned, is
> the advice from the gurus that, since they’re on the openSuSE server,
> they’re safe so just accept the key and update, or is it that accepting
> unknown keys is an obvious security risk and only the foolish do it? Or
> is it that there isn’t (and can’t be) any standard procedure in such
> instances?

There isn’t really a standard procedure for this, but if I were concerned
about it, I might be inclined to download the key myself from the server
and compare it against the key the software management is getting. I’d
also verify the server’s identity using DNS lookups and comparing that to
registrar information for the domain.

Jim


Jim Henderson
openSUSE Forums Administrator
Forum Use Terms & Conditions at http://tinyurl.com/openSUSE-T-C

hendersj wrote:

> On Wed, 02 Nov 2011 10:26:02 +0000, greggmoore wrote:
>
>> But I’m still confused: As far as those java packages are concerned, is
>> the advice from the gurus that, since they’re on the openSuSE server,
>> they’re safe so just accept the key and update, or is it that accepting
>> unknown keys is an obvious security risk and only the foolish do it? Or
>> is it that there isn’t (and can’t be) any standard procedure in such
>> instances?
>
> There isn’t really a standard procedure for this, but if I were concerned
> about it, I might be inclined to download the key myself from the server

Did that.

> and compare it against the key the software management is getting.

Don’t know how to do that (and a bit of web searching left me no better informed).

> I’d also verify the server’s identity using DNS lookups

Did that.

> and comparing that to registrar information for the domain.

And that, and of course it looks OK. But then I’m doing general updates (zypper update) and various other repositories have the same domain name and don’t cause problems. This would be a bit less concerning if it were some minor application package throwing up a bad key, but the integrity of the java environment is a little bit important to the integrity of browsers and so general web access security.

Is there nowhere that the package builders post (or could post) notices to confirm that key changes are known about and done with authority?

Gregg
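Jim’s suggestion above is to download the key yourself and compare it with the key the package manager already holds, and Gregg says he does not know how to do the comparison. The following is an added example, not code from this thread or from openSUSE/OBS, that does it offline with nothing but the Python standard library: it parses an armored key block, checks the armor CRC, computes the v4 fingerprint (SHA-1 over 0x99, the two-byte length and the public-key packet body, per RFC 4880), derives the 64-bit key ID, and shows why the rpm name `gpg-pubkey-c2c0e8d4-...` and zypper’s `F7B4039CC2C0E8D4` refer to the same key (rpm uses the low 32 bits of the key ID in the package version, zypper prints all 64). The sample input is the key block from the `rpm -qi` output posted earlier in the thread; all function and variable names are my own, and the parser only handles the old-format packet headers that gpg and rpm emit for key, user ID and signature packets.

```python
"""Parse an ASCII-armored OpenPGP public key (RFC 4880) with the standard library only,
so a downloaded repomd.xml.key can be compared with what rpm and zypper report.
Added example for this thread, not openSUSE or OBS code.  SAMPLE_KEY is copied
verbatim from the "rpm -qi gpg-pubkey-c2c0e8d4-4e841cb4" output posted above."""
import base64
import hashlib
import struct

SAMPLE_KEY = """-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: rpm-4.8.0 (NSS-3)

mQGiBE6EHSERBAChZhro0JLsSqLy6fl/xyuxXDJ8C/8V5kYoGsIBEtR5b/thiygzTr5UUSlM
1cktLq19C15V79lRJXRPxgr0CAmFeC3K/WxVDTntbv3r8LkxXsA2k+NDFIiWZpycq4BuixFh
LVj+NAx90Nu6BhZRb+ZKKCkxa06CBxK8tnRmIK89NwCg+ONs3olok2l2iV6ivMVq0BwYESMD
/2A3LPrVcPD1ApaLrXmUJtVsAzPt9guww2A7pQBmVS2JpkyuIO4NouKPNmBGgktWVipLIRpo
m6bXdiNcO+kNJ64t/4AGskXX/+13ug+X5I9/uEyg4LrmmlmB0YiEQPMF7ArOb+D2ljFN0PR3
V+XR4KWIwfEvmbpfBpJ5sUoPBMz7A/9Ff89/mSlWOonUp4MEuHBj3uE+/aaQ1xFbBdFaGzub
VyY3v9tQ+hm2f2nkeNtwx712QJdgeaiZS4Hke2gubibbhXYez9LiSKpM7CUpnJ8UOD6C7K4h
oH1meHFx3JafAVYBXj6NY6aWadNWE/tXOxSjfvYOZEvt3mM4VWWk2VzYHbQ8SmF2YTpwYWNr
YWdlcyBPQlMgUHJvamVjdCA8SmF2YTpwYWNrYWdlc0BidWlsZC5vcGVuc3VzZS5vcmc+iGYE
ExECACYFAk6EHLQCGwMFCQQer5MGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRD3tAOcwsDo
1FI7AKCQE2+TSl0JoBNMn9EExWPhlMUtYgCg5c6SlFsFt2OiF2ewlLjdV9RQis+IRgQTEQIA
BgUCToQdIQAKCRA7MBG3a51lI102AJ9qKJcdVOg3X8DA5JONSjNJfZ54xACcD3XZWUPzO8d+
ovEuZQvihGcFOgk=
=uM8o
-----END PGP PUBLIC KEY BLOCK-----
"""
PUBLIC_KEY, SIGNATURE, USER_ID = 6, 2, 13              # RFC 4880 packet tags
ALGO = {1: "RSA", 16: "Elgamal", 17: "DSA", 19: "ECDSA", 22: "EdDSA"}

def crc24(data):
    """Armor checksum (RFC 4880 section 6.1), carried on the trailing '=xxxx' line."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF

def dearmor(text):
    """Strip armor headers, base64-decode, and reject a block whose CRC-24 is wrong."""
    lines = [l.strip() for l in text.strip().splitlines()]
    if not (lines[0].startswith("-----BEGIN PGP") and lines[-1].startswith("-----END PGP")):
        raise ValueError("not an armored PGP block")
    body = lines[1:-1]                                   # headers end at the first blank line
    body = [l for l in (body[body.index("") + 1:] if "" in body else body) if l]
    checksum = int.from_bytes(base64.b64decode(body.pop()[1:]), "big") if body[-1][0] == "=" else None
    data = base64.b64decode("".join(body))
    if checksum is not None and crc24(data) != checksum:
        raise ValueError("armor CRC mismatch: the key block was altered in transit")
    return data

def packets(data):
    """Yield (tag, body) per packet.  gpg and rpm use old-format headers for key,
    user-ID and signature packets, so only those are handled here."""
    i = 0
    while i < len(data):
        ctb = data[i]
        if ctb & 0x40 or (ctb & 3) == 3:
            raise ValueError("new-format or indeterminate-length header not supported")
        tag, size = (ctb >> 2) & 0x0F, (1, 2, 4)[ctb & 3]
        length, i = int.from_bytes(data[i + 1:i + 1 + size], "big"), i + 1 + size
        yield tag, data[i:i + length]
        i += length

def signature_issuer(body):
    """Issuer key ID (subpacket type 16) of a v4 signature packet, hashed area first."""
    hashed = struct.unpack(">H", body[4:6])[0]
    unhashed = struct.unpack(">H", body[6 + hashed:8 + hashed])[0]
    for area in (body[6:6 + hashed], body[8 + hashed:8 + hashed + unhashed]):
        j = 0
        while j < len(area):                             # subpacket = length, type, value
            n = area[j]
            if n < 192:
                j += 1
            elif n < 255:
                n, j = ((n - 192) << 8) + area[j + 1] + 192, j + 2
            else:
                n, j = int.from_bytes(area[j + 1:j + 5], "big"), j + 5
            if area[j] & 0x7F == 16:
                return area[j + 1:j + n].hex().upper()
            j += n
    return "unknown"

def parse_key(text):
    """Fingerprint, key ID, algorithm, creation time, user IDs and signature issuers."""
    info = {"uids": [], "signers": []}
    for tag, body in packets(dearmor(text)):
        if tag == PUBLIC_KEY and "fingerprint" not in info:
            if body[0] != 4:
                raise ValueError("only v4 keys are handled")
            # RFC 4880 12.2: v4 fingerprint = SHA-1(0x99, two-byte length, key packet body)
            fpr = hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()
            info.update(fingerprint=fpr, key_id=fpr[-16:], algorithm=ALGO.get(body[5], str(body[5])),
                        created=struct.unpack(">I", body[1:5])[0])
        elif tag == USER_ID:
            info["uids"].append(body.decode("utf-8", "replace"))
        elif tag == SIGNATURE and body[0] == 4:
            info["signers"].append(signature_issuer(body))
    return info

def rpm_package_name(key_id):
    """rpm names an imported key gpg-pubkey-<low 32 bits of key ID>-<hex time>; zypper quotes all 64."""
    return "gpg-pubkey-" + key_id[-8:].lower()

def same_key(armored_a, armored_b):
    """Compare two key blocks by full fingerprint, not by the short rpm name."""
    return parse_key(armored_a)["fingerprint"] == parse_key(armored_b)["fingerprint"]
```

Paste the block from `rpm -qi gpg-pubkey-...` into one string and the freshly downloaded `repomd.xml.key` into another, then call `same_key()` on them; a match means zypper’s prompt concerns a key you already examined, a mismatch means the server is now serving a different key. `parse_key()` also lists the issuer of every signature the key carries, so you can see whether any key other than the key itself has certified it. Note what this does and does not prove: two copies fetched over plain http agreeing with each other says nothing about who controls the key, which is the gap the rest of the thread is about.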

On 2011-11-03 14:06, greggmoore wrote:

>> Is there nowhere that the package builders post (or could post) notices
>> to confirm that key changes are known about and done with authority?

No.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Which leads to the obvious question: why not?

From my perspective, there is no good reason other than laziness…

On 2011-11-06 08:26, hemathor wrote:

>> No.
>>
>>
>
> which leads to the obvious question: why not?

Good question.

> from my perspective, there is no good reason other than laziness…

Pfff…


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

This is quite a long thread for the simple question: how to verify repository keys (especially OBS repositories)
This shows that this topic is on many people’s minds.
Can someone please summarize answers to the following questions:

  1. Is openSUSE/Novell at all concerned about this topic? (Many people are suggesting with their comments that it is not.)
  2. OBS projects are to some level essential to openSUSE (e.g. mozilla, R, etc.). openSUSE cannot guarantee the code quality of OBS projects. But why can’t openSUSE simply sign all OBS repository keys with a special key that can be downloaded with zypper from the standard repositories?
  3. The community could also solve this problem by means of the web of trust. I guess most OBS owners of large projects know some people personally that are close to the OpenSUSE development team. So private GPG keys could be used to sign the main OBS project keys and allow a key verification via GPG key signing chains. But how can it be that the mozilla OBS project is signed by Nobody (http://pgp.mit.edu:11371/pks/lookup?op=vindex&search=0x026B47F3766DA614).
  4. Are there any other means of verifying GPG keys? Downloading a fingerprint via unencrypted http is better than nothing but it is stone age security. People are suggesting DNS and whois lookups but this is far inferior to reasonable use of asymmetric encryption technologies (GPG/https).

On 2012-05-10 12:26, windiana wrote:
>
> This is quite a long thread for the simple question: how to verify
> repository keys (especially OBS repositories)
> This shows that this topic is on many people’s minds.
> Can someone please summarize answers to the following questions:
>
> 1) Is OpenSUSE/Novell anyhow concerned about this topic (many people
> are suggesting with their comments that it is not)

IMO, no. Not enough, at least.

> 3) The community could also solve this problem by means of the web of
> trust.

Dream on…

> But how can it be that the
> mozilla OBS project is signed by Nobody (http://tinyurl.com/cp2mmkv).

Ha!

That’s a summary. Short. >:-)


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Concerning the problem that has been discussed here, I keep getting verification error messages from the Java repository. This problem persists since the time it was initially reported in this thread. When I go into “install software” in yast the error message is shown and I am asked to express my trust in the given key. I usually approve it, but some time later I’m getting the same error again. (Maybe the key has changed again?)

I just hit the same problem again, hence my post. Worse still, after I did this, the updater (apper) reports about 40 updates pending, so I assume that the background updater was stuck with this problem (about the repo key) and did not tell me, so I’m getting into a backlog of patches.

So what can be done about this? Am I the only one with this issue?

Michael

You’re not the only one with the problem. The key for this repository keeps changing over and over and over and this does indeed block apper. The only thing I could think to do was to disable the repository to prevent it from blocking update notifications. I have no idea who is in charge of this repository - it seems no one is based on what’s going on.

On 2012-05-28 00:26, mizapf wrote:
>
> Concerning the problem that has been discussed here, I keep getting
> verification error messages from the Java repository. This problem
> persists since the time it was initially reported in this thread.

A report here is not a report ™.

> So what can be done about this? Am I the only one with this issue?

Well, I don’t use that repo.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

I came here with the same question as the OP and still I am none the wiser.

For posterity’s sake though, I will mention that on running software update on 12.2, it is asking me if I trust the key “B88B2FD43DBDC284”. A Google search reveals that that key has been in use since at least 2010 by OpenSUSE. It could of course just mean that it has been compromised for a long time, but if so I have lived with that for the last three years to no ill effect that I could see, so I’ll just have to trust it. Still, be better if we had a proper trust system. :\