GPG-pubkeys

Basil Chupin blchupin at tpg.com.au
Mon Sep 11 08:28:21 PDT 2006


linux_learner wrote:

> On 9/11/06, Basil Chupin <blchupin at tpg.com.au> wrote:
>> Christoph Thiel wrote:
>> > On Sat, 9 Sep 2006, Basil Chupin wrote:
>> >
>> >> Further to the earlier thread, "F**** annoying unavailable keys", but
>> >> on a slightly different tack, is there a way to make smart simply
>> >> *accept* an offered gpg-key when smart is upgrading a package rather
>> >> than have it sit like a shag on a rock waiting for me (for example) to
>> >> click on YES so that smart can continue with the download of the
>> >> package?
>> >
>> > This would render any kind of key checking useless, as smart would
>> > accept any key that's available on the configured keyserver.
>> >
>> > I'm currently looking into enabling -y / --yes to work with key
>> > checking as well, so you could just use "smart upgrade -y" then...
>> > however, it's just like completely turning off key checking in the end.
>>
>> I am just a bit lost here....
>>
>> I don't remember having to accept a gpg-key from each and every source
>> of upgrades for my OS (SUSE) but only 2 or possibly 3 sites had to have
>> their gpgs accepted or rejected (but who in their right mind would do
>> that anyway?). So, what is the big deal about these gpg-keys when they
>> are not universally used?
>>
>> Or have I missed something (more than likely!) and the use of gpg-keys
>> is an integral part of any upgrades from any source and smart just will
>> not do any upgrades unless the necessary key is accepted?
>>
>> I simply don't know how or why these keys play such a "vital" role in
>> smart's upgrade process.

> Not just in smart's role, but in yum, apt, YaST, even email. Microsoft
> also uses something like it. They call it ActiveX. ActiveX is nowhere
> near as good as gpg. This is a security feature to make sure that
> things are received as they are sent. For example, if someone gets the
> package and alters it, and then resubmits it to the site, the gpg key
> (iirc) becomes broken and invalid.

But hold on here, and this is where I may be getting a bit confus-ed,
the gpg-key is not associated with an individual package but with a
source site. An individual package would have the checksum to make sure
that it wasn't monkeyed around with either during transmission or by
someone altering the original.

Am I wrong in thinking that the gpg-key concerns a source site - which 
is why I stated that I don't recall having to accept gpg-keys for all 
the SUSE repositories or all the mirrors in the smart's list of sources?

Cheers.


-- 
This computer is environment-friendly and is running on OpenSuSE 10.1
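[Editor's note, added example: not code from smart, SUSE or anyone in this
thread. The message above asks whether the repository key and the per-package
checksum do the same job. The script below shows how the two fit together in
the model the thread is describing: the repository key signs an index that
lists every package's checksum, and the client checks the signature first and
the package digest second. Because gpg is not guaranteed to be installed, a
minimal textbook RSA signature (no padding, 512-bit keys, demo only) stands in
for it; the package names and contents are constructed sample data. The last
two scenarios are the ones Christoph warned about: an attacker who replaces a
package can also rewrite the checksum list, and only the client's refusal to
trust an unknown key keeps that from verifying as "ok".]

```python
"""Signed repository index vs per-package checksum: an added stand-alone demo.
Textbook RSA stands in for gpg so this runs on the standard library alone;
package names and contents are constructed sample data, not real packages."""
import hashlib
import json
import math
import random

# --- stand-in for gpg: textbook RSA over a SHA-256 digest (demo only) ---
def _is_probable_prime(n, rng, rounds=25):
    """Miller-Rabin test for odd n (caller guarantees n is large)."""
    for p in (3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # odd, full width
        if _is_probable_prime(cand, rng):
            return cand

def generate_keypair(bits=512, rng=None):
    """Return ((n, e), (n, d)); the small key size is for demo speed only."""
    rng = rng or random.SystemRandom()
    e = 65537
    while True:
        p, q = _random_prime(bits // 2, rng), _random_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest_int(data):
    return int.from_bytes(hashlib.sha256(data).digest(), "big")  # < n for 512-bit n

def sign(private_key, data):
    n, d = private_key
    return pow(_digest_int(data), d, n)

def verify(public_key, data, signature):
    n, e = public_key
    return 0 < signature < n and pow(signature, e, n) == _digest_int(data)

# --- repository model: one signed index listing every package's checksum ---
def build_index(packages):
    """Index = {name: sha256 hex}; the repository key signs this, not each package."""
    digests = {name: hashlib.sha256(blob).hexdigest() for name, blob in packages.items()}
    return json.dumps(digests, sort_keys=True).encode()

def verify_package(trusted_key, index, index_sig, name, blob):
    """Client side: the index signature is checked first, then the package digest."""
    if not verify(trusted_key, index, index_sig):
        return "bad-index-signature"
    listed = json.loads(index)
    if name not in listed:
        return "not-in-index"
    if hashlib.sha256(blob).hexdigest() != listed[name]:
        return "checksum-mismatch"
    return "ok"

def demo(seed=2006):
    """Run the scenarios from the thread; returns {scenario: outcome}."""
    rng = random.Random(seed)  # fixed seed so every run is identical
    repo_pub, repo_priv = generate_keypair(512, rng)
    attacker_pub, attacker_priv = generate_keypair(512, rng)
    name = "smart-0.42-1.noarch.rpm"  # constructed sample package
    packages = {name: b"constructed genuine package", "other-1.0.rpm": b"other sample"}
    index = build_index(packages)
    index_sig = sign(repo_priv, index)
    evil = b"constructed package with a backdoor"
    evil_index = build_index({**packages, name: evil})  # attacker fixes up the checksum...
    evil_sig = sign(attacker_priv, evil_index)           # ...and signs with their own key
    return {
        "genuine": verify_package(repo_pub, index, index_sig, name, packages[name]),
        "package_swapped": verify_package(repo_pub, index, index_sig, name, evil),
        "package_and_index_swapped": verify_package(repo_pub, evil_index, index_sig, name, evil),
        "index_resigned_by_attacker": verify_package(repo_pub, evil_index, evil_sig, name, evil),
        "client_accepts_any_key": verify_package(attacker_pub, evil_index, evil_sig, name, evil),
    }

if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:28} {outcome}")
```

Running it prints one outcome per scenario: only "genuine" and
"client_accepts_any_key" come back "ok". The checksum alone catches a swapped
package; the signature catches a swapped package whose checksum was fixed up;
and nothing catches anything once the client is willing to take whatever key
the other side offers, which is the point of keeping the YES prompt.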


