Project description

IIRC there was an article in the tech news a year or so ago that criticized the way RPM keys are handled in the SUSE distribution. The main point was that keys get added but usually are never removed again. There should therefore be at least some tool that helps manage keys and check whether certain keys are still in use.

Goal for this Hackweek

The goal is to create a tool to list, add, remove and cleanup keys.

Resources

```sh
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{PACKAGER}\n'        # list rpm keys on system
rpm --querytags                                                    # list rpm query tags
rpm -qi gpg-pubkey-ABC123 | gpg --quiet --show-keys --with-colons - # key info
rpm -e gpg-pubkey-ABC123                                           # remove key
```

https://unix.stackexchange.com/questions/17368/how-do-i-tell-which-gpg-key-an-rpm-package-was-signed-with
https://news.opensuse.org/2023/01/23/new-4096-bit-signing-key/
https://github.com/openSUSE/opi/commit/378c6e7eedb76cbf9f8d66c51eb9c45d5fd5b010
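As an added example (not code from the zyppkeys project or from this page), the Python below does the cross-referencing the project goal describes: it parses the `rpm -q gpg-pubkey` listing from the command above, extracts the fingerprint from `gpg --with-colons` output, derives the `gpg-pubkey-<id>` package name from a fingerprint, and reports installed keys that no configured repository uses. The command outputs and the repository-to-key mapping are constructed samples (key IDs taken from the listing on this page); how zypper itself resolves a repository's signing key is not reproduced here.

```python
# Constructed sample of `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{PACKAGER}\n'`
RPM_KEYS_OUTPUT = (
    "gpg-pubkey-29b700a4\topenSUSE Project Signing Key <opensuse@opensuse.org>\n"
    "gpg-pubkey-3dbdc284\topenSUSE Project Signing Key <opensuse@opensuse.org>\n"
    "gpg-pubkey-6a8dce8c\thome:dheidler OBS Project <home:dheidler@build.opensuse.org>\n"
    "gpg-pubkey-8583c11c\thome:dheidler OBS Project <home:dheidler@build.opensuse.org>\n"
)

# Constructed sample of `gpg --show-keys --with-colons`; the `fpr:` record
# carries the full fingerprint in field 10.
GPG_COLONS_OUTPUT = (
    "fpr:::::::::AD485664E901B867051AB15F35A2F86E29B700A4:\n"
)

# Constructed (hypothetical) mapping repository -> key that signs its metadata,
# i.e. what `repokeys` resolves; the older home:dheidler key is left unreferenced.
REPO_SIGNING_KEYS = {
    "download.opensuse.org-oss": "gpg-pubkey-29b700a4",
    "download.opensuse.org-tumbleweed": "gpg-pubkey-3dbdc284",
    "home_dheidler": "gpg-pubkey-8583c11c",
}

def parse_rpm_keys(output):
    """Map each installed gpg-pubkey package name to its packager (vendor) string."""
    keys = {}
    for line in output.splitlines():
        name, _, packager = line.partition("\t")
        if name.startswith("gpg-pubkey-"):
            keys[name] = packager
    return keys

def fingerprint_from_colons(output):
    """Return the fingerprint from gpg's colon-separated output, or None if absent."""
    for line in output.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            return fields[9]
    return None

def rpm_name_from_fingerprint(fingerprint):
    """RPM names a key package after the low 32 bits of the key ID: the last 8 hex digits."""
    fp = "".join(fingerprint.split())  # tolerate the spaced form gpg prints for humans
    if len(fp) != 40 or any(c not in "0123456789abcdefABCDEF" for c in fp):
        raise ValueError("expected a 40-hex-digit OpenPGP v4 fingerprint")
    return "gpg-pubkey-" + fp[-8:].lower()

def unused_keys(installed, repo_keys):
    """Installed keys not referenced by any repository: cleanup candidates."""
    in_use = set(repo_keys.values())
    return sorted(key for key in installed if key not in in_use)
```

Whether an unreferenced key is really safe to remove still needs a human decision: a key may sign packages installed from a repository that has since been disabled, which this check does not see.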

Outcome

https://github.com/asdil12/zyppkeys

```
$ zypper keys list
Key                 | Added               | Vendor
--------------------+---------------------+----------------------------------------------
gpg-pubkey-17280ddf | 2022-09-23 13:43:42 | network OBS Project <network@build.opensuse.…
gpg-pubkey-c862b42c | 2023-01-24 10:51:17 | games OBS Project <games@build.opensuse.org>
gpg-pubkey-29b700a4 | 2022-09-12 14:11:42 | openSUSE Project Signing Key <opensuse@opens…
gpg-pubkey-39db7c82 | 2022-09-12 14:11:42 | SuSE Package Signing Key <build@suse.de>
gpg-pubkey-3dbdc284 | 2022-09-12 14:11:42 | openSUSE Project Signing Key <opensuse@opens…
gpg-pubkey-be1229cf | 2022-09-12 14:38:34 | Microsoft (Release signing) <gpgsecurity@mic…
gpg-pubkey-8a7c64f9 | 2022-09-28 11:41:27 | Unsupported <unsupported@suse.de>
gpg-pubkey-1abd1afb | 2022-09-12 14:37:08 | PackMan Project (signing key) <packman@links…
gpg-pubkey-cbdf5e8f | 2022-09-27 12:05:36 | devel:openQA OBS Project <devel:openQA@build…
gpg-pubkey-6a8dce8c | 2022-09-15 10:11:09 | home:dheidler OBS Project <home:dheidler@bui…
gpg-pubkey-edf0d733 | 2022-11-12 14:47:56 | devel:languages:python OBS Project <devel:la…
gpg-pubkey-a89c3a8a | 2022-09-28 22:49:49 | devel:languages:nodejs OBS Project <devel:la…
gpg-pubkey-d6d11ce4 | 2022-12-27 19:51:28 | hardware OBS Project <hardware@build.opensus…
gpg-pubkey-72174fc2 | 2023-01-30 10:44:24 | Virtualization OBS Project <Virtualization@b…
gpg-pubkey-dcef338c | 2023-01-30 10:44:24 | devel:languages:perl OBS Project <devel:lang…
gpg-pubkey-65176565 | 2023-01-30 10:44:24 | openSUSE:Backports OBS Project <openSUSE:Bac…
gpg-pubkey-f23c6aa3 | 2023-01-30 10:44:24 | multimedia OBS Project <multimedia@build.ope…
gpg-pubkey-780504e9 | 2023-01-30 10:44:24 | X11 OBS Project <X11@build.opensuse.org>
gpg-pubkey-00e006f2 | 2023-01-30 10:44:24 | network:chromium OBS Project <network:chromi…
gpg-pubkey-8df63672 | 2023-01-30 10:44:24 | home:mkittler OBS Project <home:mkittler@bui…
gpg-pubkey-038651bd | 2023-02-01 12:53:40 | https://packagecloud.io/slacktechnologies/sl…
gpg-pubkey-7fac5991 | 2023-02-02 00:00:01 | Google, Inc. Linux Package Signing Key <linu…
gpg-pubkey-d38b4796 | 2023-02-02 00:00:01 | Google Inc. (Linux Packages Signing Authorit…
gpg-pubkey-33eaab8e | 2023-02-02 00:00:01 | Vivaldi Package Composer KEY09 <packager@viv…
gpg-pubkey-4218647e | 2023-02-06 14:51:10 | Vivaldi Package Composer KEY08 <packager@viv…
gpg-pubkey-8583c11c | 2023-02-07 14:07:35 | home:dheidler OBS Project <home:dheidler@bui…
gpg-pubkey-324e6311 | 2023-02-08 16:52:09 | filesystems OBS Project <filesystems@build.o…
```

```
$ zypper keys repokeys -d
Repo                             | Key                 | Added | Vendor
---------------------------------+---------------------+-------+-------------------------
suse_ca                          | gpg-pubkey-39db7c82 | Yes   | SuSE Package Signing Ke…
vivaldi                          | gpg-pubkey-4218647e | Yes   | Vivaldi Package Compose…
home_dheidler                    | gpg-pubkey-8583c11c | Yes   | home:dheidler OBS Proje…
games                            | gpg-pubkey-c862b42c | Yes   | games OBS Project <game…
hardware_sdr                     | gpg-pubkey-d6d11ce4 | Yes   | hardware OBS Project <h…
download.opensuse.org-oss        | gpg-pubkey-29b700a4 | Yes   | openSUSE Project Signin…
download.opensuse.org-tumbleweed | gpg-pubkey-3dbdc284 | Yes   | openSUSE Project Signin…
devel-openqa                     | gpg-pubkey-cbdf5e8f | Yes   | devel:openQA OBS Projec…
download.opensuse.org-non-oss    | gpg-pubkey-29b700a4 | Yes   | openSUSE Project Signin…
vscode                           | gpg-pubkey-be1229cf | Yes   | Microsoft (Release sign…
slack                            | gpg-pubkey-038651bd | Yes   | https://packagecloud.io…
filesystems                      | gpg-pubkey-324e6311 | Yes   | filesystems OBS Project…
openh264                         | gpg-pubkey-3dbdc284 | Yes   | openSUSE Project Signin…
```

```
$ zypper keys show gpg-pubkey-29b700a4

Information for key gpg-pubkey-29b700a4:

Key          : gpg-pubkey-29b700a4
Added        : 2022-09-12 14:11:42
Vendor       : openSUSE Project Signing Key <opensuse@opensuse.org>
Fingerprints : AD485664E901B867051AB15F35A2F86E29B700A4
```

Looking for hackers with the skills:

rpm, security, gpg

This project is part of:

Hack Week 22

Activity

  • over 1 year ago: mkoutny liked this project.
  • over 1 year ago: jzerebecki liked this project.
  • over 1 year ago: dheidler started this project.
  • over 1 year ago: dheidler added keyword "gpg" to this project.
  • over 1 year ago: dheidler added keyword "security" to this project.
  • over 1 year ago: dheidler added keyword "rpm" to this project.
  • over 1 year ago: dheidler originated this project.

Comments

    • michals
      over 1 year ago by michals

      This internal page documents how to add a repository without the TOFU prompt: https://confluence.suse.com/display/CS/Sensor+-+Linux+Endpoint+Protection+Agent

      I am not aware of any public documentation of this.

    • dheidler
      over 1 year ago by dheidler

      Added final tool

    • dheidler
      over 1 year ago by dheidler

      https://build.opensuse.org/request/show/1063628

    • dheidler
      over 1 year ago by dheidler

      The tool is now part of tumbleweed and can be installed like this: zypper in zypper-keys-plugin
