How to verify new signing keys ?

classic Classic list List threaded Threaded
2 messages Options
Reply | Threaded
Open this post in threaded view
|

How to verify new signing keys ?

Martin Koller
Hi,

a general question:
When "zypper ref" tells me e.g.

New repository or package signing key received:

  Repository:       isv:ownCloud:desktop
  Key Name:         isv:ownCloud OBS Project <isv:[hidden email]>
  Key Fingerprint:  1B07204C D71B690D 409F57D2 4ABE1AC7 557BEFF9
  Key Created:      So 25 Sep 2016 23:09:22 CEST
  Key Expires:      Di 04 Dez 2018 22:09:22 CET
  Rpm Name:         gpg-pubkey-557beff9-57e83d02

what is the correct and most reliable/secure way to check if I can trust this key ?

I thought ok, let's check the OBS Webpages of this repo ...
https://build.opensuse.org/project/show/isv:ownCloud:desktop
but I found no hint about signing keys.

--
Best regards/Schöne Grüße

Martin
A: Because it breaks the logical sequence of discussion
Q: Why is top posting bad?

()  ascii ribbon campaign - against html e-mail
/\                        - against proprietary attachments

Geschenkideen, Accessoires, Seifen, Kulinarisches: www.lillehus.at
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|

Re: How to verify new signing keys ?

Marcus Meissner
On Sat, Oct 01, 2016 at 10:04:27PM +0200, Martin Koller wrote:

> Hi,
>
> a general question:
> When "zypper ref" tells me e.g.
>
> New repository or package signing key received:
>
>   Repository:       isv:ownCloud:desktop
>   Key Name:         isv:ownCloud OBS Project <isv:[hidden email]>
>   Key Fingerprint:  1B07204C D71B690D 409F57D2 4ABE1AC7 557BEFF9
>   Key Created:      So 25 Sep 2016 23:09:22 CEST
>   Key Expires:      Di 04 Dez 2018 22:09:22 CET
>   Rpm Name:         gpg-pubkey-557beff9-57e83d02
>
> what is the correct and most reliable/secure way to check if I can trust this key ?
>
> I thought ok, let's check the OBS Webpages of this repo ...
> https://build.opensuse.org/project/show/isv:ownCloud:desktop
> but I found no hint about signing keys.

You can use

osc signkey isv:ownCloud:desktop

Which will retrieve it from api.opensuse.org over HTTPS.

Ciao, Marcus
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]