Create tool for managing RPM package signing keys
an invention by dheidler
Updated about 1 year ago. 2 hacker ♥️. 4 followers.

Project description

IIRC there was some article in tech news some year ago that criticized the way RPM keys are handled in the SUSE distribution. The main point was that keys are added but usually never removed again. Therefore there should be at least some tool that helps managing keys and checking if certain keys are still in use.

Goal for this Hackweek

The goal is to create a tool to list, add, remove and cleanup keys.

Resources

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{PACKAGER}\n' # list rpm keys on system
rpm --querytags # rpm list query tags
rpm -qi  gpg-pubkey-ABC123 | gpg --quiet --show-keys --with-colons - # key info
rpm -e gpg-pubkey-ABC123 # remove key

https://unix.stackexchange.com/questions/17368/how-do-i-tell-which-gpg-key-an-rpm-package-was-signed-with https://news.opensuse.org/2023/01/23/new-4096-bit-signing-key/ https://github.com/openSUSE/opi/commit/378c6e7eedb76cbf9f8d66c51eb9c45d5fd5b010

Outcome

https://github.com/asdil12/zyppkeys

$ zypper keys list
 Key                 | Added               | Vendor
---------------------+---------------------+----------------------------------------------
 gpg-pubkey-17280ddf | 2022-09-23 13:43:42 | network OBS Project <network@build.opensuse.…
 gpg-pubkey-c862b42c | 2023-01-24 10:51:17 | games OBS Project <games@build.opensuse.org>
 gpg-pubkey-29b700a4 | 2022-09-12 14:11:42 | openSUSE Project Signing Key <opensuse@opens…
 gpg-pubkey-39db7c82 | 2022-09-12 14:11:42 | SuSE Package Signing Key <build@suse.de>
 gpg-pubkey-3dbdc284 | 2022-09-12 14:11:42 | openSUSE Project Signing Key <opensuse@opens…
 gpg-pubkey-be1229cf | 2022-09-12 14:38:34 | Microsoft (Release signing) <gpgsecurity@mic…
 gpg-pubkey-8a7c64f9 | 2022-09-28 11:41:27 | Unsupported <unsupported@suse.de>
 gpg-pubkey-1abd1afb | 2022-09-12 14:37:08 | PackMan Project (signing key) <packman@links…
 gpg-pubkey-cbdf5e8f | 2022-09-27 12:05:36 | devel:openQA OBS Project <devel:openQA@build…
 gpg-pubkey-6a8dce8c | 2022-09-15 10:11:09 | home:dheidler OBS Project <home:dheidler@bui…
 gpg-pubkey-edf0d733 | 2022-11-12 14:47:56 | devel:languages:python OBS Project <devel:la…
 gpg-pubkey-a89c3a8a | 2022-09-28 22:49:49 | devel:languages:nodejs OBS Project <devel:la…
 gpg-pubkey-d6d11ce4 | 2022-12-27 19:51:28 | hardware OBS Project <hardware@build.opensus…
 gpg-pubkey-72174fc2 | 2023-01-30 10:44:24 | Virtualization OBS Project <Virtualization@b…
 gpg-pubkey-dcef338c | 2023-01-30 10:44:24 | devel:languages:perl OBS Project <devel:lang…
 gpg-pubkey-65176565 | 2023-01-30 10:44:24 | openSUSE:Backports OBS Project <openSUSE:Bac…
 gpg-pubkey-f23c6aa3 | 2023-01-30 10:44:24 | multimedia OBS Project <multimedia@build.ope…
 gpg-pubkey-780504e9 | 2023-01-30 10:44:24 | X11 OBS Project <X11@build.opensuse.org>
 gpg-pubkey-00e006f2 | 2023-01-30 10:44:24 | network:chromium OBS Project <network:chromi…
 gpg-pubkey-8df63672 | 2023-01-30 10:44:24 | home:mkittler OBS Project <home:mkittler@bui…
 gpg-pubkey-038651bd | 2023-02-01 12:53:40 | https://packagecloud.io/slacktechnologies/sl…
 gpg-pubkey-7fac5991 | 2023-02-02 00:00:01 | Google, Inc. Linux Package Signing Key <linu…
 gpg-pubkey-d38b4796 | 2023-02-02 00:00:01 | Google Inc. (Linux Packages Signing Authorit…
 gpg-pubkey-33eaab8e | 2023-02-02 00:00:01 | Vivaldi Package Composer KEY09 <packager@viv…
 gpg-pubkey-4218647e | 2023-02-06 14:51:10 | Vivaldi Package Composer KEY08 <packager@viv…
 gpg-pubkey-8583c11c | 2023-02-07 14:07:35 | home:dheidler OBS Project <home:dheidler@bui…
 gpg-pubkey-324e6311 | 2023-02-08 16:52:09 | filesystems OBS Project <filesystems@build.o…

 $ zypper keys repokeys -d
 Repo                             | Key                 | Added | Vendor
----------------------------------+---------------------+-------+-------------------------
 suse_ca                          | gpg-pubkey-39db7c82 | Yes   | SuSE Package Signing Ke…
 vivaldi                          | gpg-pubkey-4218647e | Yes   | Vivaldi Package Compose…
 home_dheidler                    | gpg-pubkey-8583c11c | Yes   | home:dheidler OBS Proje…
 games                            | gpg-pubkey-c862b42c | Yes   | games OBS Project <game…
 hardware_sdr                     | gpg-pubkey-d6d11ce4 | Yes   | hardware OBS Project <h…
 download.opensuse.org-oss        | gpg-pubkey-29b700a4 | Yes   | openSUSE Project Signin…
 download.opensuse.org-tumbleweed | gpg-pubkey-3dbdc284 | Yes   | openSUSE Project Signin…
 devel-openqa                     | gpg-pubkey-cbdf5e8f | Yes   | devel:openQA OBS Projec…
 download.opensuse.org-non-oss    | gpg-pubkey-29b700a4 | Yes   | openSUSE Project Signin…
 vscode                           | gpg-pubkey-be1229cf | Yes   | Microsoft (Release sign…
 slack                            | gpg-pubkey-038651bd | Yes   | https://packagecloud.io…
 filesystems                      | gpg-pubkey-324e6311 | Yes   | filesystems OBS Project…
 openh264                         | gpg-pubkey-3dbdc284 | Yes   | openSUSE Project Signin…

$ zypper keys show gpg-pubkey-29b700a4

Information for key gpg-pubkey-29b700a4:
----------------------------------------
Key          : gpg-pubkey-29b700a4
Added        : 2022-09-12 14:11:42
Vendor       : openSUSE Project Signing Key <opensuse@opensuse.org>
Fingerprints : AD485664E901B867051AB15F35A2F86E29B700A4

Looking for hackers with the skills:

rpm security gpg

This project is part of:

Hack Week 22

Activity

  • about 1 year ago: mkoutny liked this project.
  • about 1 year ago: jzerebecki liked this project.
  • about 1 year ago: dheidler started this project.
  • about 1 year ago: dheidler added keyword "gpg" to this project.
  • about 1 year ago: dheidler added keyword "security" to this project.
  • about 1 year ago: dheidler added keyword "rpm" to this project.
  • about 1 year ago: dheidler originated this project.


    • Comments

    • michals
      about 1 year ago by michals | Reply

      This internal page documents how to add a repository without the TOFU prompt: https://confluence.suse.com/display/CS/Sensor+-+Linux+Endpoint+Protection+Agent

      I am not aware of any public documentation of this.

    • dheidler
      about 1 year ago by dheidler | Reply

      Added final tool

    • dheidler
      about 1 year ago by dheidler | Reply

      https://build.opensuse.org/request/show/1063628

    • dheidler
      about 1 year ago by dheidler | Reply

      The tool is now part of tumbleweed and can be installed like this: zypper in zypper-keys-plugin

    Similar Projects

    A set of utilities to produce a "from scratch" OCI/Docker container using Opensuse/SLE rpms by ldragon

    [comment]: # (Please use the project descriptio...

    LSP server for SPEC files by mcepl

    Has anybody ever heard about RPM Spec LSP serve...

    A CLI for Harvester by mohamed.belgaied

    [comment]: # Harvester does not officially come...

    Investigate zypper/openSUSE repository refresh optimisations by dirkmueller

    [comment]: # (Please use the project descriptio...

    Tumbleweed support for Raspberry Pi 4 with Quad SATA HAT by jbaier_cz

    [comment]: # (Please use the project descriptio...

    Predefined app security policy template for NeuVector by feih

    Project Description

    Idea is to predefin...

    Model checking the BPF verifier by shunghsiyu

    Project Description

    BPF verifier plays a ...

    Port NeuVector zero-trust security functions to host/VM by feih

    Project Description

    Today, NeuVector on...