<html><head></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space; "><br><div><div>On Jan 18, 2016, at 5:04 AM, Tomasz Gajc wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite"><div dir="ltr">Hi Jeff, thanks for the detailed info. I have a couple of questions, hopefully looking for your answer.<br><div><div class="gmail_extra"><br><div class="gmail_quote">2016-01-16 22:59 GMT+01:00 Jeff Johnson <span dir="ltr"><<a href="mailto:n3npq@mac.com" target="_blank">n3npq@mac.com</a>></span>:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><br><br><div>What remains to be done (in some order) is this:</div><div><br></div><div><span style="white-space:pre-wrap"> </span>1) confirm the non-repudiable signature exists by building a package and verifying</div><div><span style="white-space:pre-wrap"> </span>the signature (using "rpm -qvvp *.rpm" should be sufficient), and that the pubkey is</div><div><span style="white-space:pre-wrap"> </span>contained within every package.</div></div></blockquote><div><br><br></div><div>Which pubkey? 
OMA or rpmbuild's one?<br> <br></div></div></div></div></div></blockquote><div><br></div>In this context, I was referring to the non-repudiable pubkey id displayed by</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>rpm -qvvp some-freshly-locally-built.rpm</div><div>You will be able to tell from the debugging output which keyid was used, and</div><div>whether the signature verified.</div><div><br><blockquote type="cite"><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div><br></div><div><span style="white-space:pre-wrap"> </span>2) remove the check for "official" pubkey in urpmi.</div></div></blockquote><div><br></div><div>I do not understand one thing. How can a user verify if an rpm file which is signed with a "one time generated" gpg key is trusted with that virtual-notary certificate?<br></div><div> </div></div></div></div></div></blockquote><div><br></div>You can go through the download of the manifest and certificate, verify the certificate, find</div><div>the keyid that matches, and then verify the package if the full security protocol is what you wish.</div><div><br></div><div>Meanwhile the security of a mirror from which you downloaded is different than the security</div><div>of the package itself. The pubkey in the *.rpm verifies the package is untampered, the rest of</div><div>the protocol verifies that the mirror contains packages built in cooker.</div><div><br></div><div>(aside)</div><div>There are other protocols that could be designed & used, including registering each set of packages</div><div>built with virtual-notary. 
The manifest generated when pushing to mirrors is easiest procedurally.</div><div><br></div><div><blockquote type="cite"><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div><br></div><div><span style="white-space:pre-wrap"> </span>3) create the manifest format to taste including additional identification like the non-repudiable pubkey id</div></div></blockquote><div><br></div><div>I do not understand what non-repudiable means :(<br></div><div> <br></div></div></div></div></div></blockquote><div><br></div>Apologies for the techno jargon (but I am reluctant to invent newer! better! bestest! terms)</div><div><br></div><div>A repudiation is a statement denying some claim like this:</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>Q: Did you modify anything in the package?</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>A: No.</div><div><br></div><div>So a non-repudiable signature is a public/global assertion that nothing whatsoever is changed.</div><div><br></div><div><blockquote type="cite"><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div><br></div><div><span style="white-space:pre-wrap"> </span>4) register the manifest with <a href="http://virtual-notary.org/" target="_blank">http://virtual-notary.org</a> and get the certificate. Confirm that the certificate</div><div><span style="white-space:pre-wrap"> </span>is consistent with the document.</div></div></blockquote><div><br></div><div>What do you mean by manifest? 
You mean to notarize a document?<br><a href="http://virtual-notary.org/dispatch/document/input/">http://virtual-notary.org/dispatch/document/input/</a><br><br></div></div></div></div></div></blockquote><div><br></div>The manifest lists what was published to mirrors. It will be an rpm query of some sort, including</div><div>whatever information is deemed relevant.</div><div><br></div><div>You can think of the manifest document as being similar to</div><div><span class="Apple-tab-span" style="white-space:pre"> </span>rpm -qi *.rpm > manifest</div><div>(I believe that includes the keyid used for signing).</div><div><br><blockquote type="cite"><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><div> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div><br></div><div><span style="white-space:pre-wrap"> </span>5) decide how to add the above steps to the mirroring process, and how to document the procedure.</div></div></blockquote><div><br></div><div>This is very unclear to me. 
Please elaborate on this more because I'd like to understand how that notary should work.<br><br></div></div></div></div></div></blockquote><div><br></div>There is a need for an extra step before pushing content to mirrors.</div><div><br></div><div>That step generates the manifest on a public site and registers with virtual-notary.</div><div><br></div><div>Virtual-notary retrieves the manifest from the public site, and returns a certificate.</div><div><br></div><div>The manifest and the certificate and the packages listed in the manifest are then pushed to mirrors.</div><div><br></div><div>I do not know enough about your mirroring process to know where/how that set of operations should be added.</div><div><br></div><div>The documentation of the procedure is necessary for soliciting comments/audits</div><div>about flaws/exploits in the procedure, or to describe to an end user how to confirm</div><div>whether a mirror has been compromised.</div><div><br><blockquote type="cite"><div dir="ltr"><div><div class="gmail_extra"><div class="gmail_quote"><div><br> </div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div style="word-wrap:break-word"><div><br></div><div>Apologies for wordiness. Poke me on the irc meeting if you have questions.</div><div><br></div><div>hth</div><div><br></div><div>73 de Jeff</div><span class=""><div><br></div></span></div></blockquote></div><br></div></div></div>
</blockquote></div><br></body></html>
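The end-user side of the procedure Jeff sketches above (fetch the manifest and certificate, check the certificate against the manifest, find the key id that matches, then accept the package only if the manifest lists it under that key), as an added example that is not part of the original thread. It assumes the manifest is `rpm -qi` output as Jeff suggests, assumes the virtual-notary certificate binds the manifest by its SHA-256 digest (the thread does not describe the certificate format), and works on a constructed two-package manifest; the name and key id of a mirrored package would in practice come from `rpm -qp`/`rpm -qvvp` on the downloaded file.

```shell
#!/bin/sh
# Added example: check a mirrored package against a notarized manifest.
# Not code from the thread; manifest format and certificate binding are assumptions.

# Constructed sample manifest in "rpm -qi" style (two packages, one signing key).
write_sample_manifest() {
    cat > "$1" <<'EOF'
Name        : foo
Version     : 1.0
Signature   : RSA/SHA256, Mon 18 Jan 2016 10:00:00 AM CET, Key ID 0123456789abcdef
Name        : bar
Version     : 2.3
Signature   : RSA/SHA256, Mon 18 Jan 2016 10:01:00 AM CET, Key ID 0123456789abcdef
EOF
}

# Print "name keyid" for every package block in the manifest.
# rpm -qi prints the signing key as "Signature : ..., Key ID <hex>".
manifest_keyids() {
    awk '
        /^Name *:/      { name = $3 }
        /^Signature *:/ { sub(/.*Key ID /, ""); print name, tolower($0) }
    ' "$1"
}

# Return 0 if NAME signed by KEYID is listed in MANIFEST, 1 otherwise.
# In real use NAME/KEYID come from the package on the mirror, e.g. the Key ID
# shown by "rpm -qvvp pkg.rpm" or by rpm -qp --qf '%{NAME} %{SIGPGP:pgpsig}\n'.
package_in_manifest() {
    name="$1"
    keyid=$(printf '%s' "$2" | tr 'A-F' 'a-f')
    manifest_keyids "$3" | grep -qxF "$name $keyid"
}

# Assumption: the virtual-notary certificate binds the manifest by its SHA-256.
# A manifest whose digest differs from the certified one must be rejected,
# since a compromised mirror could otherwise serve an edited manifest.
manifest_matches_cert() {
    [ "$(sha256sum "$1" | cut -d' ' -f1)" = "$2" ]
}

# Demo on the constructed manifest: prints one "name keyid" line per package.
tmp=$(mktemp) && write_sample_manifest "$tmp" && manifest_keyids "$tmp"; rm -f "$tmp"
```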