Bugzilla – Bug 858408
provide repository keys signed by a common OBS master key
Last modified: 2014-01-13 08:41:36 UTC
The situation about repository keys at opensuse.org is at the moment a bit confusing, as every repo has its own key. It is a major security risk having to accredit a separate, independent key for every piece of new software (in contrast to updated sw and sw from the same repo). All repo keys should at least be signed by a common OBS master key to accredit that a certain package has indeed been compiled by the OBS and is indeed downloaded from openSUSE's OBS. Furthermore, repos that are not world-writable, i.e. where only openSUSE staff has commit access, should be signed by further keys. That way accrediting a new, just downloaded repo key will be much more secure, provided that zypper will show all authorities that have issued a signature on the given public key.

Reproducible: Always
Since every project is maintained by different people we need a separate key. Otherwise the security risks would not be manageable at all. The official openSUSE repos (which contain only reviewed submissions) have the same official key. You can verify the key by using "osc signkey $PROJECT"; it uses a secured SSL connection and shows the key used by the project owner. It can also be imported into rpm, if you trust the project. It is correct that we have no system yet to sign other people's keys within OBS, but it can be done outside of OBS.
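The "outside of OBS" check the reply refers to, as an added example that is not part of the bug report or of osc: a small shell helper that lists which key IDs have signed a repository key (parsing `gpg --with-colons --list-sigs` output) and only imports the key into rpm when a chosen master key is among the signers. The master key ID, the key IDs and user IDs in the sample listing are constructed placeholders, not real openSUSE keys.

```shell
#!/bin/sh
# Added example: decide whether a downloaded repo key carries a signature from a
# trusted master key before importing it into rpm. Not code from the bug report.

# Placeholder key ID for the hypothetical OBS master key (constructed, not real).
OBS_MASTER_KEYID="0000000000AAAAAA"

# Constructed sample of `gpg --with-colons --list-sigs` output for a repo key.
# In a sig record, field 5 is the signing key ID and field 10 the signer's user ID.
SAMPLE_LISTING='pub:-:2048:1:1111111111111111:1380000000:::-:::scESC:
uid:-::::1380000000::ABCDEF::home:someuser (Project key) <someuser@example.invalid>:
sig:::1:1111111111111111:1380000000::::home:someuser (Project key) <someuser@example.invalid>:13x:
sig:::1:0000000000AAAAAA:1380000100::::OBS master key (constructed) <master@example.invalid>:10x:'

# Print the key ID of every signature on the listed key, skipping the key's own
# self-signature (the key ID found in the pub record).
signers_of() {
    printf '%s\n' "$1" | awk -F: '
        $1 == "pub" { self = $5 }
        $1 == "sig" && $5 != self { print $5 }'
}

# Return 0 (success) if the listing carries a signature made by key ID $2.
signed_by() {
    signers_of "$1" | grep -qx "$2"
}

# Real-world flow (needs network access, osc, gpg and the master public key already
# imported into the temporary keyring; not run here):
#   osc signkey "$PROJECT" > repo.key
#   gpg --no-default-keyring --keyring ./tmp.gpg --import repo.key
#   gpg --no-default-keyring --keyring ./tmp.gpg --with-colons --list-sigs > listing
#   signed_by "$(cat listing)" "$OBS_MASTER_KEYID" && rpm --import repo.key
```

gpg only lists signatures whose signing key is present in the keyring, so the master key must be imported into the same keyring before the listing is produced.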