why are we signing RPMs


why are we signing RPMs

Bernhard M. Wiedemann-5
Hi,

when building RPMs in OBS, each of them is signed with a private key
that is kept somewhere in the OBS infrastructure.

But it occurred to me that this might not actually be needed, because we
sign repository metadata using the same keys and that metadata contains
hashes of files, so those are already protected against malicious
modification.

Are there tools, processes or people using those sigs on individual rpms?


The background is that when trying to reproduce a build to verify that
it is bit-by-bit identical to what was published before, we can only
compare parts of it, because the signature and its timestamp will always
be different.

We could try to strip such information that is known to vary,
but it also has some appeal to get completely identical results.


Ciao

Bernhard M.
--
To unsubscribe, e-mail: [hidden email]
To contact the owner, e-mail: [hidden email]


Re: why are we signing RPMs

Mathias Homann-2
On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:

> Hi,
>
> when building RPMs in OBS, each of them is signed with a private key
> that is kept somewhere in the OBS infrastructure.
>
> But it occurred to me, that this might not actually be needed because we
> sign repository metadata using the same keys and that metadata contains
> hashes of files, so those are already protected against malicious
> modification.
>
> Are there tools, processes or people using those sigs on individual rpms?

Yup, rpm itself does. It can be set to refuse unsigned RPMs.
You can also check against the digital signature when verifying packages.
Lastly, people can always manually download and install packages without
adding the repositories.

Cheers
Mathias

--
gpg key fingerprint: 5F64 4C92 9B77 DE37 D184  C5F9 B013 44E7 27BD 763C
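To make the two positions in this thread concrete, here is an added example (not code from the thread or from OBS/rpm/zypper) of the trust chain Bernhard describes: the detached signature covers repomd.xml, repomd.xml lists the hash of primary.xml, and primary.xml lists the hash of each package. The sample repodata and package bytes are constructed, and the gpg check of repomd.xml.asc is modelled as a boolean flag; a package not listed in the metadata, Mathias's manual-download case, gets nothing from this chain.

```python
import hashlib
import xml.etree.ElementTree as ET
# Constructed sample data, not real repodata: package bytes, the primary.xml that
# lists the package hash, and the repomd.xml that lists primary.xml's hash.
PKG_HREF = "x86_64/foo-1.0-1.x86_64.rpm"
PKG_BYTES = b"constructed stand-in for the bytes of foo-1.0-1.x86_64.rpm"
PRIMARY_XML = (
    '<metadata xmlns="http://linux.duke.edu/metadata/common"><package type="rpm">'
    f'<checksum type="sha256" pkgid="YES">{hashlib.sha256(PKG_BYTES).hexdigest()}</checksum>'
    f'<location href="{PKG_HREF}"/></package></metadata>'
).encode()
REPOMD_XML = (
    '<repomd xmlns="http://linux.duke.edu/metadata/repo"><data type="primary">'
    f'<checksum type="sha256">{hashlib.sha256(PRIMARY_XML).hexdigest()}</checksum>'
    '<location href="repodata/primary.xml"/></data></repomd>'
)
NS_REPO = {"r": "http://linux.duke.edu/metadata/repo"}
NS_COMMON = {"c": "http://linux.duke.edu/metadata/common"}

def digest_matches(algo, data, expected_hex):
    algo = {"sha": "sha1"}.get(algo, algo)  # createrepo's legacy name for SHA-1
    return hashlib.new(algo, data).hexdigest() == expected_hex

def primary_vouched_by_repomd(repomd_xml, primary_bytes):
    """repomd.xml is the file whose detached signature is checked; it must list
    the exact primary.xml we hold."""
    for data in ET.fromstring(repomd_xml).findall("r:data", NS_REPO):
        if data.get("type") == "primary":
            cs = data.find("r:checksum", NS_REPO)
            return digest_matches(cs.get("type"), primary_bytes, cs.text.strip())
    return False

def package_checksums(primary_bytes):
    """Map package href -> (hash name, hex digest) from primary.xml."""
    out = {}
    for pkg in ET.fromstring(primary_bytes).findall("c:package", NS_COMMON):
        cs = pkg.find("c:checksum", NS_COMMON)
        out[pkg.find("c:location", NS_COMMON).get("href")] = (cs.get("type"), cs.text.strip())
    return out

def package_vouched_by_metadata(href, pkg_bytes, repomd_sig_ok, repomd_xml, primary_bytes):
    """Bernhard's point as code: a package fetched via the repository is covered by the
    metadata signature (repomd.xml -> primary.xml -> package hash); a package not listed
    there (Mathias's manual download) relies on its own per-package signature."""
    if not repomd_sig_ok:  # gpg verification of repomd.xml.asc, modelled as a flag
        return False
    if not primary_vouched_by_repomd(repomd_xml, primary_bytes):
        return False
    expected = package_checksums(primary_bytes).get(href)
    return expected is not None and digest_matches(expected[0], pkg_bytes, expected[1])
```

Note that rpm's own per-package signature check is what covers the last case; this chain only ever vouches for packages the signed metadata lists.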


Re: why are we signing RPMs

Adrian Schröter
On Monday, 28 November 2016, 09:34:04 CET, Mathias Homann wrote:

> On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:
> > Hi,
> >
> > when building RPMs in OBS, each of them is signed with a private key
> > that is kept somewhere in the OBS infrastructure.
> >
> > But it occurred to me, that this might not actually be needed because we
> > sign repository metadata using the same keys and that metadata contains
> > hashes of files, so those are already protected against malicious
> > modification.
> >
> > Are there tools, processes or people using those sigs on individual rpms?
>
> Yup, rpm itself does. It can be set to refuse unsigned RPMs.
> You can also check against the digital signature when verifying packages.
> Lastly, people can always manually download and install packages without
> adding the repositories.

and osc does. It downloads RPMs which may not even be published at that point in
time and validates them (at least when not building in a safe env like kvm).

--

Adrian Schroeter
email: [hidden email]

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)

Maxfeldstraße 5
90409 Nürnberg
Germany



Re: why are we signing RPMs

Michael Calmer
Hi

On Monday, 28 November 2016, 09:41:13, Adrian Schröter wrote:

> On Monday, 28 November 2016, 09:34:04 CET, Mathias Homann wrote:
> > On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:
> > > Hi,
> > >
> > > when building RPMs in OBS, each of them is signed with a private key
> > > that is kept somewhere in the OBS infrastructure.
> > >
> > > But it occurred to me, that this might not actually be needed because we
> > > sign repository metadata using the same keys and that metadata contains
> > > hashes of files, so those are already protected against malicious
> > > modification.
> > >
> > > Are there tools, processes or people using those sigs on individual
> > > rpms?
> >
> > Yup, rpm itself does. It can be set to refuse unsigned RPMs.
> > You can also check against the digital signature when verifying packages.
> > Lastly, people can always manually download and install packages without
> > adding the repositories.
>
> and osc does. It downloads RPMs which may not even be published at that point in
> time and validates them (at least when not building in a safe env like kvm).

and newer libzypp/zypper/etc. is using it in case the metadata are not signed.

--
Regards

        Michael Calmer

--------------------------------------------------------------------------
Michael Calmer
SUSE LINUX GmbH, Maxfeldstr. 5, D-90409 Nuernberg
T: +49 (0) 911 74053 0
F: +49 (0) 911 74053575  - e-mail: [hidden email]
--------------------------------------------------------------------------
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton,
                     HRB 21284 (AG Nürnberg)


Re: why are we signing RPMs

Jan Engelhardt-4
On Monday 2016-11-28 09:34, Mathias Homann wrote:
>On Monday, 28 November 2016, 05:40:54 CET, Bernhard M. Wiedemann wrote:
>>
>> when building RPMs in OBS, each of them is signed with a private key
>> that is kept somewhere in the OBS infrastructure.
>> But it occurred to me, that this might not actually be needed because we
>> sign repository metadata
>
>Lastly, people can always manually download and install packages without
>adding the repositories.

This is where I need to point out the unsafety of the Debian package format :-)