Re: trust update servers?



On Fri, 28 Sep 2007, houghi wrote:-

> David Bolt wrote:
>> To check it, all you need to do is import it into your own GPG key-ring.
>> If/when you do, you should see something like this:
>>
>> davjam@adder:/local/temp> gpg --import gpg-pubkey-9c800aca-40d8063e.asc
>> gpg: key 9C800ACA: "SuSE Package Signing Key <build@xxxxxxx>" 2 new signatures
>> gpg: Total number processed: 1
>> gpg: new signatures: 2
>> gpg: 3 marginal(s) needed, 1 complete(s) needed, PGP trust model
>> gpg: depth: 0 valid: 1 signed: 0 trust: 0-, 0q, 0n, 0m, 0f, 1u

> I can make a key that identifies itself with the same, so you are
> missing a step.

I did. You also need to check the signatures[0], check the signatures on
the keys that signed the build key, etc.

Either that or you import the key from trusted media. That key has been
used to create RPM signatures since 2000-10-19[1], so will have been
included on the various media released since then. There have been
additional signatures added to the key, but that key is basically the
same as when it was created. All you need to do is to find an
installation CD/DVD that SuSE/SUSE/Novell have produced within the last
7 years and import the key from there.

> However it is very unlikely that a mirror will do
> something like that.

Not themselves. Doesn't mean that someone couldn't hack a mirror, and
make all the required changes to the various files just so they can add
their own key as a replacement. Of course, once the replacement key is
imported and trusted...


[1] It also expires on 2008-06-21 which means that they'll be producing
a new, replacement key just in time for the release of 11.0. That's
going to be fun. All that potential for loads of warnings when upgrades
are taking place due to the signing keys not matching :-)

Regards,
David Bolt

--
Member of Team Acorn checking nodes at 100 Mnodes/s: www.distributed.net
RISC OS 3.11 | SUSE 10.0 32bit | SUSE 10.1 32bit | openSUSE 10.2 32bit
RISC OS 3.6 | SUSE 10.0 64bit | SUSE 10.1 64bit | openSUSE 10.2 64bit
TOS 4.02 | SUSE 9.3 32bit | | openSUSE 10.3b2 32bit
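To automate the two checks David describes (compare the key's fingerprint against one taken from trusted install media, and look for a good signature from a signer you already trust), here is an added example that is not part of this thread. It parses the machine-readable output of `gpg --with-colons --check-sigs KEYID`; the sample output, key IDs and fingerprint embedded below are constructed for illustration and are not the real key's values.

```python
# Constructed sample of `gpg --with-colons --check-sigs 9C800ACA` output.
# Key IDs, dates and fingerprint are made up; they are NOT the real
# SuSE Package Signing Key's values.
SAMPLE_CHECK_SIGS = """\
pub:-:1024:17:A84EDAE89C800ACA:2000-10-19:2008-06-21::-:SuSE Package Signing Key <build@xxxxxxx>::scESC:
fpr:::::::::00112233445566778899AABBCCDDEEFF9C800ACA:
uid:-::::2000-10-19::::SuSE Package Signing Key <build@xxxxxxx>:
sig:!::17:A84EDAE89C800ACA:2000-10-19::::SuSE Package Signing Key <build@xxxxxxx>:13x:
sig:!::17:1111222233334444:2004-06-22::::Example Signer <signer@example.org>:10x:
sig:?::17:5555666677778888:2005-01-01::::[User ID not found]:10x:
"""


def parse_check_sigs(text):
    """Return (own_keyid, fingerprint, [(status, signer_keyid, signer_uid), ...]).

    In a 'sig' record, field 2 is the status set by --check-sigs:
    '!' good, '-' bad, '?' signer key not in the keyring, '%' other error.
    """
    own_keyid, fpr, sigs = None, None, []
    for line in text.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            own_keyid = f[4].upper()
        elif f[0] == "fpr" and fpr is None:  # first fpr record is the primary key's
            fpr = f[9].upper()
        elif f[0] == "sig":
            sigs.append((f[1], f[4].upper(), f[9]))
    return own_keyid, fpr, sigs


def assess_key(text, media_fingerprint, trusted_signers):
    """Accept the key on either ground from the thread: its fingerprint equals
    the one read from trusted install media, or it carries a good signature
    from a key we already trust. "2 new signatures" on import proves nothing:
    a self-signature, or a signature whose signer we cannot verify ('?'),
    says nothing about who really owns the key.
    """
    own_keyid, fpr, sigs = parse_check_sigs(text)
    trusted = {k.upper() for k in trusted_signers}
    good, unverified = [], []
    for status, signer, _uid in sigs:
        if status != "!":
            unverified.append(signer)
        elif signer != own_keyid and signer in trusted:
            good.append(signer)
    matches_media = fpr is not None and fpr == media_fingerprint.upper()
    return {"fingerprint": fpr, "matches_media": matches_media,
            "good_trusted_sigs": good, "unverified_sigs": unverified,
            "verified": matches_media or bool(good)}


if __name__ == "__main__":
    # The "media" fingerprint here is just the constructed one from the sample.
    print(assess_key(SAMPLE_CHECK_SIGS,
                     "00112233445566778899AABBCCDDEEFF9C800ACA",
                     {"1111222233334444"}))
```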