[OM Cooker] Trusted RPM packages

Tomasz Gajc tpgxyz at gmail.com
Mon Jan 18 05:04:16 EST 2016


Hi Jeff, thanks for the detailed info. I have a couple of questions,
hopefully looking for your answer.

2016-01-16 22:59 GMT+01:00 Jeff Johnson <n3npq at mac.com>:

>
>
> What remains to be done (in some order) is this:
>
> 1) confirm the non-repudiable signature exists by building a package and
> verifying the signature (using "rpm -qvvp *.rpm" should be sufficient),
> and that the pubkey is contained within every package.
>


Which pubkey? OMA or rpmbuild's one?


>
> 2) remove the check for "official" pubkey in urpmi.
>

I do not understand one thing. How can a user verify whether an rpm file
which is signed with a "one time generated" gpg key is trusted with that
virtual-notary certificate?


>
> 3) create the manifest format to taste including additional identification
> like the non-repudiable pubkey id
>

I do not understand what non-repudiable means :(


>
> 4) register the manifest with http://virtual-notary.org and get the
> certificate. confirm that the certificate
> is consistent with the document.
>

What do you mean by manifest? Do you mean to notarize a document?
http://virtual-notary.org/dispatch/document/input/



>
> 5) decide how to add the above steps to the mirroring process, and how to
> document the procedure.
>

This is very unclear to me. Please elaborate on this more because I'd like
to understand how that notary should work.




>
> Apologies for wordiness. Poke me on the irc meeting if you have questions.
>
> hth
>
> 73 de Jeff
>
>