Searched around in the man pages and on the net, but didn’t really come up with an answer.
I understood there are 2 types of signing keys. One for signing the repo and another for signing the rpm package. I think zypper will prompt (unless overwritten by option) if anything is wrong with repo key. But obviously zypper has no options regarding handling of package signing keys,
Documentation (rpmkeys(8) says that package keys are installed in packages named gpg-pubkeys*. However no such package seems to exist in default OpenSUSE 13.1 repos.
Instead I found package openSUSE-build-key
$ zypper info openSUSE-build-key
...
Information for package openSUSE-build-key:
-------------------------------------------
Repository: openSUSE-13.1-Oss
Name: openSUSE-build-key
Version: 1.0-24.1.2
Arch: noarch
Vendor: openSUSE
Installed: Yes
Status: up-to-date
Installed Size: 4.8 KiB
Summary: The public gpg keys for rpm package signature verification
Description:
This package contains the gpg keys that are used to sign the
openSUSE rpm packages. The keys installed here are not actually
used by anything. rpm/zypper use the keys in the rpm db instead.
Hmm, these keys are not used, weird. So why are they installed then in the first place? So what is in rpm db? There is a rpmdb(8) page but helps as little as rpmkeys(8).
This topic almost certainly requires better documentation, cannot imagine that I missed so much… I have the feeling somebody as done a major rewrite of the related code, but not touched the documentation.
This .drpm package is signed by a key with id 0x3dbdc284, the openSUSE key.
file-magic-5.14 is now patched with this .drpm package
The resulting (patched) file is:
file-magic-5.15-4.10.1.x86_64.rpm
You can find this file in /var/cache/zypp/packages/repo-update/x86_64 if you use zypper like this:
zypper up -D --skip-interactive
This .rpm file is now installed, but carries a signature created by an unknown key: 0xb3fd7e48
Unfortunately, this key cannot be found on the MIT key server:
gpg --keyserver pgp.mit.edu --recv-key 0xb3fd7e48
For now I assume that the patch (.drpm) was created against a file signed with key 0xb3fd7e48, so the resulting .rpm package (after patching it) is also signed by that (unknown) key.
I sure hope that this is not reason enough to believe that the servers have been compromised and need to be rebuild from scratch… Keeping my fingers crossed…
I think the files on the update servers are still signed with key 0x3dbdc284 (.drpm packages).
After applying the patch, the resulting .rpm package is singed with an unkown key (0xb3fd7e48). I couldn’t quickly find any .rpm package from today on the update servers.
It seems to me, there is something weird going on.
Same problem with openSUSE 12.3 this morning: several delta rpm files produced NOKEY errors:
libMagickCore5-6.7.8.8-4.9.1
libmagic-data-5.11-12.6.1
libssh4-0.5.3-2.4.1 (!!!)
libMagickWand5-6.7.8.8-4.9.1
libmagic1-5.11-12.6.1
ImageMagick-6.7.8.8-4.9.1
file-5.11-12.6.1
libMagick++5-6.7.8.8-4.9.1
My update repo url is http://download.opensuse.org/update/12.3/
All the problematic files were claimed to originate from there, but when I searched via http (Browser) in that repo, none of the drpm versions was there.
I sure do not want questionable ssh/file/ImageMagick packages, so I did a “zypper clean -a” and then “zypper ref” to rebuild the caches.
After that I reinstalled all suspicious packages (zypper in -f …), without any error message. All versions are back to official versions (double checked and verified via http://software.opensuse.org/).
No. But apparently something went wrong with those updates. Normally the packages should get re-signed with the update repo’s key, but that didn’t happen in this case. So they are still signed with some internal openSUSE:Maintenance key.
I also downgraded those packages to previous versions. But libmagic1 and file-magic seem to be used almost everywhere. e.g. in zypper. So the command to remove the packages used that stuff. So if this was an attack then we would be f#cked anyway…
But how can it be that packages with wrong or missing signatures can be installed by zypper? I would assume the most basic unit test for such code and the most important one is if packages with wrong or missing signatures are refused. How can it be that zypper installs those. That is just something that must not happen, ever. I very much like suse, but if package management code can end up in production that did not pass such a unit test or if such unit tests do not exist, then I have to switch…
Because zypper checks the repo metadata signature. If the repo maintainer has signed the metadata describing the package it is considered trusted, even if the package signing key is not. So it’s the responsibility of the repo maintainer not include bad packages into the repo.
Not really the cleanest design, using 2 levels of signing, but only relying on one and warning on the other. No security issue as far as I see in this moment if you are aware that you trust the repo maintainer, but a source for confusion. And given the fact the users are always the weakest point in all signing, PKI etc, it’s not a good idea to confuse them even further…
I guess historical reasons, because rpm existed before zypper AFAIK.
Well, actually it is rpm that checks the signature, not zypper.
So I guess the behaviour should be the same on other rpm-based distros.
And yes, it is true that rpm only prints a warning if the key is unknown.
But if the signature is wrong/invalid, it will refuse to install the package AFAIK.
If you consider this a bug, you should report it at http://bugzilla.novell.com/ (same username/password as here).
The main integrity checking of our repositories is the gpg signature of repomd.xml (repomd.xml.asc) and the chain of sha256 signatures to all the other XML and .RPM files from that file.
The RPM signature is secondary and currently not checked.
The problem was that the updated RPMs did not get resigned correctly in the release process on March 13th due to a bug in the OBS.
I have removed the erronous updates and will be respooling them in the next days.