Should Fedora rpms be signed? Yes...resign and rsync...

Nifty Hat Mitch mitch48 at sbcglobal.net
Sat Oct 30 04:59:29 UTC 2004


A cast of thousands....  wrote:

Most people think that yes is the right answer.  The question is how
to get there without compromising the RH key management and slowing
the process.

> > > If Red Hat can use one of these methods, they can easily do both (It's
> > > seems).
.....
> Since rawhide have some unsigned packages I like to know which package
> is not signed and I sign them with my key (so yum always have
> "gpgcheck=1") :
> I mirror rawhide in the i386 directory with rsync, and then I sign
> package that miss gpg.
> Note, I don't sign (that is, change) any package in i386 directory
> (rsync does not like this).

The comment about rsync is interesting.

The question may be: 
    How does rsync like a package being signed or better yet resigned
    at some later time?

As I understand it, the gpg signature is a modest structure, and
resigning an rpm does not so badly mess up a file that rsync cannot
optimize the change, as long as the keys have the same length.

To test, I picked on something big and network-rude to change and test.
Thus...

Grab the original and make a copy.
  $ cp  /var/spool/up2date/openoffice.org-1.1.2-10.fc2.src.rpm .

  $ ls -l up2date/openoffice.org-1.1.2-10.fc2.src.rpm
  .... 179025625 Oct 22 09:04 openoffice.org-1.1.2-10.fc2.src.rpm

  $ cp  openoffice.org-1.1.2-10.fc2.src.rpm     bar.rpm

Now resign the original
  $ rpm --resign  openoffice.org-1.1.2-10.fc2.src.rpm
  Enter pass phrase:
  Pass phrase is good.
  openoffice.org-1.1.2-10.fc2.src.rpm:

Now compare the two files.
  $ cmp -l openoffice.org-1.1.2-10.fc2.src.rpm bar.rpm |  wc
      108     324    1944

Looking at the output of cmp, bytes 231--417 change.

Check and rpm does the expected.

  $ rpm -Kv openoffice.org-1.1.2-10.fc2.src.rpm bar.rpm
  openoffice.org-1.1.2-10.fc2.src.rpm:
      Header V3 DSA signature: NOKEY, key ID 0f31a698
      Header SHA1 digest: OK (2d788eccf1c994a88303fbc9a3e4efbed3d1525a)
      MD5 digest: OK (1f472d22bc7042d386fb603babbadee7)
      V3 DSA signature: NOKEY, key ID 0f31a698
  bar.rpm:
      Header V3 DSA signature: OK, key ID 4f2a6fd2
      Header SHA1 digest: OK (2d788eccf1c994a88303fbc9a3e4efbed3d1525a)
      MD5 digest: OK (1f472d22bc7042d386fb603babbadee7)
      V3 DSA signature: OK, key ID 4f2a6fd2

This tells me that any personal package builder key can be used
and later the dude with the big key can resign the packages
with little network impact.  Unimported keys like mine will
look like NOKEY line above.  SHA1 header is a constant
as is MD5.
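The file layout behind that observation, as an added example that is not from the post: the RPM signature header sits right after the 96-byte lead, and a resign rewrites only the signature tags inside it, so the header SHA1 and MD5 entries (and everything after the signature header) keep their bytes. The script below builds a simplified signature header (constructed sample: fewer tags and no trailing padding than a real rpm, with the digests and file size taken from the output above and a fill byte standing in for the DSA packet) and reports, cmp-style, which bytes differ between an "original" and a "resigned" copy and which tags own them.

```python
import struct

LEAD_LEN = 96                                   # fixed-size RPM lead precedes the signature header
HDR_INTRO = b"\x8e\xad\xe8\x01" + b"\0" * 4     # header magic, version 1, 4 reserved bytes
INT32, STRING, BIN = 4, 6, 7                    # RPM tag data types used below
SIGTAGS = {267: "DSA(header)", 269: "SHA1(header)", 1000: "SIZE",
           1004: "MD5", 1005: "GPG(header+payload)"}

def build_sighdr(entries):
    """Serialise a signature header: 16-byte intro, 16-byte index entries, data store."""
    index, store = b"", b""
    for tag, typ, data in entries:
        count = 1 if typ in (INT32, STRING) else len(data)
        index += struct.pack(">IIII", tag, typ, len(store), count)
        store += data
    return HDR_INTRO + struct.pack(">II", len(entries), len(store)) + index + store

def parse_sighdr(blob, base=LEAD_LEN):
    """Map each signature tag to the absolute [start, end) byte range of its data."""
    assert blob[:8] == HDR_INTRO, "not an RPM header structure"
    nindex, _hsize = struct.unpack(">II", blob[8:16])
    store = 16 + 16 * nindex                        # data store offset within blob
    ranges = {}
    for i in range(nindex):
        tag, typ, off, count = struct.unpack(">IIII", blob[16 + 16 * i:32 + 16 * i])
        if typ == INT32:
            size = 4 * count
        elif typ == STRING:                         # NUL-terminated, count is always 1
            size = blob.index(b"\0", store + off) - (store + off) + 1
        else:
            size = count
        ranges[SIGTAGS.get(tag, str(tag))] = (base + store + off, base + store + off + size)
    return ranges

def resign_report(orig, resigned):
    """cmp -l in miniature: (first, last, how many) differing offsets and the tags holding them."""
    changed = {i for i, (x, y) in enumerate(zip(orig, resigned)) if x != y}
    tags = parse_sighdr(orig[LEAD_LEN:])
    touched = sorted(n for n, (s, e) in tags.items() if changed & set(range(s, e)))
    return (min(changed), max(changed), len(changed), touched) if changed else None

def sample_rpm(sig_fill):
    """Constructed stand-in for the post's rpm: fake lead, fake 65-byte sig, digests from the post."""
    sig = bytes([sig_fill]) * 65                    # placeholder for a ~65-byte v3 DSA packet
    return b"L" * LEAD_LEN + build_sighdr([
        (1000, INT32, struct.pack(">I", 179025625)),          # file size from the ls above
        (269, STRING, b"2d788eccf1c994a88303fbc9a3e4efbed3d1525a\0"),
        (267, BIN, sig),
        (1004, BIN, bytes.fromhex("1f472d22bc7042d386fb603babbadee7")),
        (1005, BIN, sig),
    ])

if __name__ == "__main__":
    lo, hi, n, touched = resign_report(sample_rpm(0xAA), sample_rpm(0xBB))
    print(f"{n} bytes differ, offsets {lo}..{hi}, inside tags: {touched}")
```

Because the two signature tags are the only spans that change and their lengths stay the same, rsync's block matching resynchronises right after them; that is the whole reason the resign costs so little on the wire.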

Later in the day or on Monday morning....
The guy with the big key ring can verify that the package was signed
by someone he knows and resign it with a famous rawhide key.

This way all packages will always be signed.
This way the famous RH rawhide key has a very short list of keepers.
This way modest changes by resigning can be propagated by rsync.
This way packages can get signed by RH eventually.

Those of us that are impatient can install a package --nosig 
as we do today even if the engineer signatures are not published.

What did I miss, beyond the detail that not all the world uses rsync
for mirrors?

-- 
	T o m  M i t c h e l l 
	May your cup runneth over with goodness and mercy
	and may your buffers never overflow.
