New Signing Key for openSUSE 11.3 Contrib - to trust, or not to trust?

I’m updating with zypper, and I get this:

New repository or package signing key received:
Key ID: A2C57066847C976A
Key Name: openSUSE:11.3 OBS Project <openSUSE:11.3@build.opensuse.org>
Key Fingerprint: C9448533126576AB4CA613ACA2C57066847C976A
Key Created: Wed 20 Oct 2010 12:55:23 AM EST
Key Expires: Fri 28 Dec 2012 12:55:23 AM EST
Repository: openSUSE:11.3:Contrib (standard)

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):
Naturally, I’m cautious. How to verify that this change is not malicious?

This happens sometimes, when they change the key for a repo. Either you accept it, or you cannot use the repo.
You could check the key in the repo to see if it’s the same.
I’m not enough into this matter to provide any further decent info.

You know, the educational repository of OpenSUSE has a key that expired in May and is not valid anymore. How to tell that the key is true? You cannot, and I do not think that there is real interest in security for what is the infrastructure. If not, there would be an easily clickable link on at least two different domains with the codes listed one by one on a dedicated page, and ideally all the fingerprints of the codes included in them (yes, also the semi-official repository signatures) would be from time to time printed in a Linux magazine (but that would have a cost and nobody wants to pay anything - following the misunderstanding that “free software” is “for free”, which is not the case). So just hope for the best or you do like me:
I deactivated the educational repository of 11.1 and from time to time I look if at least there is a new signature…without being also here capable to say with certainty anything about the real validity of it.
The problem of the inclusion of the keys into the system was posed also in OpenFate but as far as I know it has been rejected.

A question to the OpenSUSE team: why don’t you use the countersignature of a known CA? A German IT magazine (heise de) does a nice thing like that and signs as CA the GnuPG keys at expositions (cryptographic campaign). This would be useful in any case.

On 2010-10-21 12:06, felipe1982 wrote:

> Naturally, I’m cautious. How to verify that this change is not
> malicious?

A very good question with no good answer. There is no way to verify keys for any repo, except
checking if the keys have been signed with the buildservice master key or some other trusted key.

There is no openSUSE gpg key policy, AFAIK, and no one to report to. I did once and I was beaten. :-/


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)
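Two mechanical checks can at least be automated before answering that prompt, and neither is the thread's own code: this is an added example. It parses the “Key ID / Key Fingerprint” lines zypper prints, checks that the ID is the low 64 bits of the fingerprint (as OpenPGP v4 defines it, RFC 4880 section 12.2), and computes the fingerprint directly from the binary key packet so it can be compared with the key file the repository actually serves (repomd.xml.key, after dearmoring it with `gpg --dearmor`, which is assumed here). The two prompts are the ones quoted in this thread; the toy key packet is constructed, its modulus is not a real RSA key. As the post above says, a match only proves you are looking at the key the repo serves, not that the key is legitimate; that still needs an out-of-band fingerprint source or a signature by a key you already trust.

```python
import hashlib
import re
import struct

# The genuine prompt from the first post and the mangled one from the joke
# post further down the thread (sample input copied from the page).
PROMPT_REAL = """New repository or package signing key received:
Key ID: A2C57066847C976A
Key Name: openSUSE:11.3 OBS Project <openSUSE:11.3@build.opensuse.org>
Key Fingerprint: C9448533126576AB4CA613ACA2C57066847C976A
Key Created: Wed 20 Oct 2010 12:55:23 AM EST
Key Expires: Fri 28 Dec 2012 12:55:23 AM EST
Repository: openSUSE:11.3:Contrib (standard)
"""
PROMPT_JOKE = """New repository or package signing key received:
Key ID: B2C5706E847C976C
Key Name: openSUSE:11.3 OBS Project <openSUSE:11.3@build.opensuse.nigeria.org>
Key Fingerprint: P9448533126576AB4CA613ACA2C57066847C976A
Repository: openSUSE:11.3:Contrib (standard)
"""

FIELD_RE = re.compile(r"^\s*(Key ID|Key Name|Key Fingerprint|Key Created|Key Expires|Repository):\s*(.*?)\s*$")


def parse_zypper_prompt(text):
    """Turn the 'Key X: value' lines of the zypper prompt into a dict."""
    fields = {}
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if m:
            fields[m.group(1)] = m.group(2)
    return fields


def normalize_fingerprint(fp):
    return fp.replace(" ", "").upper()


def fingerprint_consistent(fields):
    """A v4 key ID is the last 64 bits of the SHA-1 fingerprint, so the ID shown
    must be the last 16 hex digits of the fingerprint shown. This only catches
    garbled or hand-edited prompts, never a well-formed rogue key."""
    fp = normalize_fingerprint(fields.get("Key Fingerprint", ""))
    kid = fields.get("Key ID", "").upper()
    return re.fullmatch(r"[0-9A-F]{40}", fp) is not None and len(kid) == 16 and fp.endswith(kid)


def iter_packets(data):
    """Yield (tag, body) for each packet of a binary OpenPGP stream (RFC 4880 4.2)."""
    i = 0
    while i < len(data):
        first = data[i]
        i += 1
        if not first & 0x80:
            raise ValueError("not an OpenPGP packet header")
        if first & 0x40:  # new-format header
            tag = first & 0x3F
            first_len = data[i]
            i += 1
            if first_len < 192:
                length = first_len
            elif first_len < 224:
                length = ((first_len - 192) << 8) + data[i] + 192
                i += 1
            elif first_len == 255:
                length = struct.unpack(">I", data[i:i + 4])[0]
                i += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:  # old-format header: tag in bits 2-5, length-type in bits 0-1
            tag = (first >> 2) & 0x0F
            ltype = first & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            nbytes = (1, 2, 4)[ltype]
            length = int.from_bytes(data[i:i + nbytes], "big")
            i += nbytes
        yield tag, data[i:i + length]
        i += length


def v4_fingerprint(pubkey_body):
    """RFC 4880 12.2: SHA-1 over 0x99, a two-octet body length, and the body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).hexdigest().upper()


def fingerprint_from_keyring(data):
    """Fingerprint of the first public-key packet (tag 6) in a dearmored key file."""
    for tag, body in iter_packets(data):
        if tag == 6:
            return v4_fingerprint(body)
    raise ValueError("no public key packet found")


def mpi(n):
    """Encode an integer as an OpenPGP multi-precision integer."""
    return struct.pack(">H", n.bit_length()) + n.to_bytes((n.bit_length() + 7) // 8, "big")


def build_v4_rsa_pubkey(created, n, e):
    """Construct an old-format tag-6 packet carrying a v4 RSA public key body."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)
    return b"\x99" + struct.pack(">H", len(body)) + body


def repo_key_matches_prompt(keyfile_bytes, prompt_text):
    """Does the fingerprint zypper displayed equal the one computed from the key
    file the repository serves? (Assumes keyfile_bytes is already dearmored.)"""
    shown = normalize_fingerprint(parse_zypper_prompt(prompt_text).get("Key Fingerprint", ""))
    return shown == fingerprint_from_keyring(keyfile_bytes)


# Constructed toy key: a structurally valid packet, NOT a usable RSA key.
TOY_KEY = build_v4_rsa_pubkey(1287532523, 0xC0FFEE1234567890ABCDEF, 65537)
```

Run the two checks against a real prompt by pasting it into `parse_zypper_prompt` and feeding the dearmored repomd.xml.key to `repo_key_matches_prompt`; a failure of either is a reason to answer “r”, while a pass is only the starting point for checking the fingerprint against a trusted listing.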

Index of /repositories/Education/openSUSE_11.3/repodata

repomd.xml.key outdated April 2010. Exactly as at Index of /repositories/Education/openSUSE_11.1/repodata
Therefore the problem persists for 11.1, where the key has been outdated for 8 months! Q.e.d.

This is indeed a stumbling block for new users.
Message from update service: ‘there is a new update. want to download?’ Ok, download and update system.
‘Error, can not update system. Address does not match. Please check the address’. Gee, what do I do now? :\ Ask the forum.

Well, it makes sense that keys expire at one point, but it would be nice if the system would remind one that there is an update key available. One could update the key and continue to update the system.
Also, for some reason, ftp addresses changed and you have to find out the address to be able to update the software. Happened to me once.

This could be improved so that anyone can handle it with ease and is sure that there is no hidden door perhaps.

On 2010-10-21 14:06, stakanov wrote:
>
> You know, the educational repository of OpenSUSE has a key that expired
> in May and is not valid anymore.

I remember. All repos had expired keys at the same time. I reported the issue on a bugzilla that was
closed as invalid or wontfix. I got a very bad taste out of that issue. There is no interest on
security.

> A question to the OpenSUSE team:

They will not read it.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Ignore the prompts, but notice which repo is yelling… Like Contribs

Simply use YAST.

Delete the repo in question from the list and reinstall it.

This will “securely” handle it.

It is easier to just click O.K. to every prompt and import the new signature. You shall not be suspicious. Keys are only ornamental with no real use. Example:

New repository or package signing key received:
Key ID: B2C5706E847C976C
Key Name: openSUSE:11.3 OBS Project <openSUSE:11.3@build.opensuse.nigeria.org>
Key Fingerprint: P9448533126576AB4CA613ACA2C57066847C976A
Key Created: Wed 20 Oct 2010 12:55:23 AM EST
Key Expires: Fri 28 Dec 2012 12:55:23 AM EST
Repository: openSUSE:11.3:Contrib (standard)

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r):

Well, in this case just press: Always and the error goes away rotfl! And after pressing temporarily the error goes away permanently too, after the first install of updates. :stuck_out_tongue:

PS. Purportedly there are plans to change the “Have a lot of fun” statement to “Don’t worry, be happy”. lol!

On 2010-10-22 03:06, wshawn wrote:
>
> Ignore the prompts, but notice which repo is yelling… Like Contribs
>
> Simply use YAST.
>
> Delete the repo in question from the list and reinstall it.
>
> This will “securely” handle it.

Define “securely”.

If you are getting the data from a rogue mirror, before it is known that it is rogue, you will get a
rogue key. Next step, you get rogue (hacked) packages.

This has happened to other distros… No malicious packages got distributed, but it happened.


Cheers / Saludos,

Carlos E. R.
(from 11.2 x86_64 “Emerald” at Telcontar)

Although this is an old thread, it is still very actual. I had an OP complaining about this rightly I think only a few days ago. Yast complains about a signature of the repos changed. Accept - reject?
I can remember very highly moral discussions about

  • why not to log into the GUI as root, why not to surf as administrators, and
  • why to use software, if possible, always from trusted repositories,
  • to use as few repos as possible and to control the validity of the md5 and sha1 checks for software packages provided,
  • and that there is no need (as we all know) to install an anti-virus since Linux has practically no viruses, since, that said, trojans and backdoors in counterfeit software, through social engineering, are remaining and very real threats.

(And as a note, since you want to have a case on what can happen if you get sluggish on security rules you may have a look what happened on “kernel.org”. Fair enough?).

I went this morning through the search machine of opensuse and of openFate and I found an astonishing number of turned down threads on security asking exactly this, very simple thing: either you create a master key as a CA with a web of trust (that proposal dates back 2(!) years), or a real web of trust between the repos OR / AND you create an SSL page on the website of openSUSE where the “known as good” signatures are listed and the user can make an informed choice. This is IMO a low cost for the project and a high gain in security.

As I do not expect miracles to happen with the (in my view) better solutions, I want to make a point here and advertise a feature that has taken surprisingly only 2 votes (mine included this morning) in openFATE. This proposes to do simply what is needed as a minimal feature: a page with the fingerprints of the gpg keys of the repos. The openFATE feature is https://features.opensuse.org/312047 and I think you should really vote for it. And since you are there, if you are committed to security, maybe you might want to vote also for https://features.opensuse.org/304911, so you may well be on a good way to foster a minimal coherence in the talk about “security and linux”.
Not doing it is in my view like being a medical doctor of the ’70s (and in some countries even today) sitting in front of a patient and saying: “you really should stop smoking” while with taste and satisfaction tipping the cigarette off on the ashtray. Isn’t it?

**Please feel free to discuss this point. I did choose this thread because I wanted to point out how old, worn out and overdue this problem is. And I feel it is time to have one annoying question less that destroys all the security education that one does on new users.**

On 2011-11-02 09:06, stakanov wrote:

> I went this morning through the search machine of opensuse and of
> openFate and I found an astonishing number of turned down threads on
> security asking exactly this, very simple thing: either you create a

I know, it is not the first time I post about this.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)

Just voted yes for the feature. Hopefully it will get more publicity. What is even more puzzling is that this problem plagues most of the popular distributions and no one seems to be doing much about this.

Best regards,
Greg

On Wed, 02 Nov 2011 08:06:02 GMT
stakanov <stakanov@no-mx.forums.opensuse.org> wrote:

>
>- why not to log into the gui as root, why not to surf as
> administrators and
>- why to use software if possible always from trusted repositories.
>- To use as less repos as possible and to control the validity of md5
> and sha1 checks for software packages provided.
>- And that there is no need (as we all know) to install an anti-virus
> since Linux has practically no viruses, since that, troyans and
> backdoors in counterfeited software, through social engineering are
> remaining and very real threads.

I think it is still valid to have an anti-virus running, even if it’s only
for the sake of protecting other Windows users. After all, it’s a social
thing and we are all connected through the internet. No escape there.

>As I do not aspect miracles to happen with the (in my view) better
>solutions I want to do a point here an advertise a feature that has
>taken surprisingly only 2 votes (mine included this morning) in
>openFATE. This proposes to do simply what is needed as a minimal
>feature, a page with the fingerprints of the gpg keys of the repos.
>The openFATE feature is https://features.opensuse.org/312047 and I
>think you should really vote for it.
>And since you are there, if you
>are committed to security, maybe you might want to vote also for
>https://features.opensuse.org/304911 so you may well be on a good way
>to foster a minimal coherence in the talk about “security and linux”.
>Not doing it is in my view like being a medical doctor of the 70th (and
>in some countries even today) sitting in front of a patient and saying:
>“you really should stop to smoke” while with taste and satisfaction
>tipping the cigarette off the ashtray. Isn’t it?

Well, that’s why I don’t use openFATE right now. There are so many
repositories and I don’t know who created them. Do they get checked?
Right now I only have the standard repositories in my list and I don’t
add other ones.
But the problem lies with the keys themselves. If the key is compromised,
how will one know that it is compromised?
There are many links in the chain that can be broken and it’s hard to
ensure safety in the whole chain.
Most of the people, if they see a key to import, import the key
regardless. It makes the whole key thing useless.
At the moment the best one can do is only use repositories (w/key) from
known persons and institutions.


Euer Komputerfriek Joerg
using KDE on 11.4 x64 and happy with a cup of real hot coffee…
Need help? Call 207.252.3.96 (really)

Thanks. I voted for them. I agree with your posts about security being very important, especially considering all the ‘security’ advice given to new users, and the security benefits SuSE has over Windoze.

I do not quite understand your argument. openFATE is not a repo and you can register there exactly the same way you do it here on the forum. It is a website where you can contribute with your ideas and wishes to openSUSE. So nothing to import. There is no “known institution” or “known person” you can import the keys from in the default install. Also the default repos are NOT reliable without a source of key IDs as soon as the key that is delivered with the distribution is updated (e.g. because outdated). As there is no reliable source (do you have a prior paper printout of the signatures you did import to check them beforehand???), neither on the web, nor in newspapers (regularly published), then you should not use repos at all, right? There is always a piece of chain in a web of trust that can be broken. But the fact of having one parachute from time to time that does not open is not an argument for me to take a “known friend or institution” and jump with her/him/it out of the door without one for a neat little skydive…

> Most of the people if they see a key to import, they import the key
> regardless. It makes the whole key thing useless.
No, it makes their (the users’) security void. And it voids all the security education we do. But it does not invalidate the chain. The chain is not between users in this case but between institutions. If you want to mirror openSUSE on your server as a repo you need to present your key and get it signed by openSUSE in order to be accepted as valid. Only then will you be able to mirror the distribution credibly. THAT is the web of trust. Then the user can make a choice of trust, a useful choice of trust, ONLY if he has access to a source of reliable fingerprints and key IDs, easily available on the net.
This can be done through “ads” (every ad in a newspaper for openSUSE could bring with it a list of fingerprints and IDs). You can print such a list on the back side of the DVD you distribute, or you can print it on the inside of the carton you use to distribute the DVD. With instructions. All this is easy to achieve.
Please use the openFATE website to express your wishes on the distribution (even if you think not to vote for this feature). Because openFATE makes this distribution YOUR distribution. Otherwise it stays…a distribution, or “their” distribution.
As I sense you have quite some confusion about GnuPG and signatures / web of trust (which is EXACTLY because there is no page on the openSUSE site giving you good information on this issue), I will see if it is necessary to put up an article / blog or whatsoever on the issue of signatures. I feel that is necessary. Anybody with me to put up a clear howto for repo signatures?

PS. Joerg, if you do install ClamAV on your system when you have NO Windows PCs to protect, you LOWER your security level. If you install ClamAV from a default repo, accepting its (the repo’s) key without being able to compare it with a reliable source, you may even VOID your whole system security. Astonishing, no?

Thank you, I appreciate it. I think this discussion should really not be neglected any more. If not, one day we will lose all credibility if we have a major case of compromised security of hundreds or more systems due to this negligence. The whole distribution could then take severe damage.

This is not the first time, as others have commented on, that this has happened. The keys do get updated a lot. As mentioned, there does not seem to be a way to verify the integrity of the key. This would be good to put in openFATE. We need to have a way to verify the repos and their keys.

On 2011-11-03 15:56, Jonathan R wrote:
>
> This is not the first time, as others have commented on, that this has
> happened. The keys do get updated alot. As mentioned, there does not
> seem to be a way to verify the integrity of the key. This would be good
> to put in openFATE. We need to have a way to verify the repos and their
> keys.

This will not happen till after disaster hits. Nobody learns in advance or
from others - especially if it needs work.


Cheers / Saludos,

Carlos E. R.
(from 11.4 x86_64 “Celadon” at Telcontar)