[OM Cooker] Trusted RPM packages
Jeff Johnson
n3npq at mac.com
Mon Jan 18 05:56:59 EST 2016
On Jan 18, 2016, at 5:04 AM, Tomasz Gajc wrote:
> Hi Jeff, thanks for the detailed info. I have couple of questions, hopefully looking for your answer.
>
> 2016-01-16 22:59 GMT+01:00 Jeff Johnson <n3npq at mac.com>:
>
>
> What remains to be done (in some order) is this:
>
> 1) confirm the non-repudiable signature exists by building a package and verifying
> the signature (using "rpm -qvvp *.rpm" should be sufficient), and that the pubkey is
> contained within every package.
>
>
> Which pubkey? OMA's or rpmbuild's?
>
In this context, I was referring to the non-repudiable pubkey id displayed by
rpm -qvvp some-freshly-locally-built.rpm
You will be able to tell from the debugging output which keyid was used, and
whether the signature verified.
>
> 2) remove the check for "official" pubkey in urpmi.
>
> I do not understand one thing. How can a user verify whether an rpm file which is signed with a "one time generated" gpg key is trusted with that virtual-notary certificate?
>
You can go through the download of the manifest and certificate, verify the certificate, find
the keyid that matches, and then verify the package if the full security protocol is what you wish.
Meanwhile the security of a mirror from which you downloaded is different than the security
of the package itself. The pubkey in the *.rpm verifies the package is untampered, the rest of
the protocol verifies that the mirror contains packages built in cooker.
(aside)
There are other protocols that could be designed and used, including registering each set of packages
built with virtual-notary. The manifest generated when pushing to mirrors is easiest procedurally.
>
> 3) create the manifest format to taste including additional identification like the non-repudiable pubkey id
>
> I do not understand what non-repudiable means :(
>
Apologies for the techno jargon (but I am reluctant to invent newer! better! bestest! terms).
A repudiation is a statement denying some claim like this:
Q: Did you modify anything in the package?
A: No.
So a non-repudiable signature is a public/global assertion that nothing whatsoever is changed.
>
> 4) register the manifest with http://virtual-notary.org and get the certificate. confirm that the certificate
> is consistent with the document.
>
> What do you mean by manifest? You mean to notarize a document?
> http://virtual-notary.org/dispatch/document/input/
>
The manifest lists what was published to mirrors. It will be an rpm query of some sort, including
whatever information is deemed relevant.
You can think of the manifest document being similar to
rpm -qi *.rpm > manifest
(I believe that includes the keyid used for signing).
>
>
> 5) decide how to add the above steps to the mirroring process, and how to document the procedure.
>
> This is very unclear to me. Please elaborate on this more because I'd like to understand how that notary should work.
>
There is a need for an extra step before pushing content to mirrors.
That step generates the manifest on a public site and registers with virtual-notary.
Virtual-notary retrieves the manifest from the public site, and returns a certificate.
The manifest and the certificate and the packages listed in the manifest are then pushed to mirrors.
I do not know enough about your mirroring process to know where/how that set of operations should be added.
The documentation of the procedure is necessary for soliciting comments/audits
about flaws/exploits in the procedure, or to describe to an end user how to confirm
whether a mirror has been compromised.
>
>
>
> Apologies for wordiness. Poke me on the irc meeting if you have questions.
>
> hth
>
> 73 de Jeff
>
>
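The manifest / notary-certificate / mirror check that the reply sketches, written out as an added example (this is not code from the thread, from OpenMandriva, or from the rpm project). It assumes that the manifest is derived from `rpm -qi *.rpm` output, whose `Signature` line ends in `Key ID <hex>`; the sample query output below is constructed to mimic that layout. The notary certificate is modelled as a dict carrying the SHA-256 of the registered document, a stand-in for whatever virtual-notary actually returns. The script covers only the protocol glue between manifest, certificate and key ids; the cryptographic verification of each package stays with `rpm -K` / `rpm -qvvp`.

```python
"""Manifest generation and mirror-consistency check for signed RPM packages.

Assumptions (not taken from the thread):
 - manifest lines come from `rpm -qi` output whose "Signature" field carries
   "... Key ID <hex>";
 - the notary certificate is a dict {"document_sha256": <hex>}; the real
   virtual-notary certificate format is not specified here.
"""
import hashlib
import re

# Constructed sample of `rpm -qi` output for two locally built packages.
# Only the fields read below matter; the layout mimics rpm's "Field : value" style.
SAMPLE_RPM_QI = """\
Name        : example-tool
Version     : 1.2
Release     : 3
Architecture: x86_64
Signature   : RSA/SHA256, Mon 18 Jan 2016 05:56:59 AM EST, Key ID 0123456789abcdef
Summary     : Example tool (constructed)

Name        : example-lib
Version     : 0.9
Release     : 1
Architecture: noarch
Signature   : RSA/SHA256, Mon 18 Jan 2016 05:57:10 AM EST, Key ID 0123456789abcdef
Summary     : Example library (constructed)
"""

_FIELD = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s*:\s*(.*)$")
_KEYID = re.compile(r"Key ID ([0-9a-fA-F]+)")


def parse_rpm_qi(text):
    """Split concatenated `rpm -qi` output into one dict of fields per package."""
    records, current = [], {}
    for line in text.splitlines():
        if line.strip() == "":           # blank line separates packages
            if current:
                records.append(current)
                current = {}
            continue
        m = _FIELD.match(line)
        if m:                            # description/continuation lines are ignored
            current[m.group(1)] = m.group(2).strip()
    if current:
        records.append(current)
    return records


def package_key(rec):
    """name-version-release.arch, as rpm displays a package (epoch omitted)."""
    return "%s-%s-%s.%s" % (rec["Name"], rec["Version"], rec["Release"], rec["Architecture"])


def signing_keyid(rec):
    """Key id taken from the Signature field, lower-cased; None if unsigned."""
    m = _KEYID.search(rec.get("Signature", ""))
    return m.group(1).lower() if m else None


def build_manifest(records):
    """Canonical manifest text: one sorted 'nevra keyid' line per package."""
    lines = sorted("%s %s" % (package_key(r), signing_keyid(r)) for r in records)
    return "\n".join(lines) + "\n"


def manifest_digest(manifest_text):
    return hashlib.sha256(manifest_text.encode("utf-8")).hexdigest()


def make_certificate(manifest_text):
    """Stand-in for the certificate the notary returns after fetching the manifest."""
    return {"document_sha256": manifest_digest(manifest_text)}


def verify_mirror(manifest_text, certificate, mirror_records, trusted_keyids):
    """End-user check of a mirror. Returns a list of findings; empty means consistent.

    mirror_records: parse_rpm_qi() output for the packages actually downloaded.
    trusted_keyids: key ids the user accepts after checking the notarised manifest.
    """
    findings = []
    if certificate.get("document_sha256") != manifest_digest(manifest_text):
        findings.append("manifest digest does not match notary certificate")
    expected = dict(line.split(" ", 1) for line in manifest_text.splitlines())
    seen = {package_key(r): signing_keyid(r) for r in mirror_records}
    for nevra, keyid in expected.items():
        if nevra not in seen:
            findings.append("missing on mirror: " + nevra)
        elif seen[nevra] != keyid:
            findings.append("key id mismatch for %s: manifest %s, mirror %s"
                            % (nevra, keyid, seen[nevra]))
        elif keyid not in trusted_keyids:
            findings.append("untrusted key id %s for %s" % (keyid, nevra))
    for nevra in seen:
        if nevra not in expected:
            findings.append("not in manifest: " + nevra)
    return findings


if __name__ == "__main__":
    recs = parse_rpm_qi(SAMPLE_RPM_QI)
    manifest = build_manifest(recs)
    cert = make_certificate(manifest)
    print(manifest)
    print("findings:", verify_mirror(manifest, cert, recs, {"0123456789abcdef"}))
```

In practice the manifest text would be produced on the publishing host from the real `rpm -qi` output, published where the notary can fetch it, and shipped to mirrors together with the certificate; a user then runs the equivalent of `verify_mirror` over the packages they downloaded, and any non-empty finding list is the signal that the mirror does not carry what was built in cooker.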