Create tool for managing RPM package signing keys
an invention by dheidler
Updated over 2 years ago. 2 hacker ♥️. 4 followers.

Project description

IIRC there was some article in tech news some year ago that criticized the way RPM keys are handled in the SUSE distribution. The main point was that keys are added but usually never removed again. Therefore there should be at least some tool that helps managing keys and checking if certain keys are still in use.

Goal for this Hackweek

The goal is to create a tool to list, add, remove and cleanup keys.

Resources

sh rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{PACKAGER}\n' # list rpm keys on system rpm --querytags # rpm list query tags rpm -qi gpg-pubkey-ABC123 | gpg --quiet --show-keys --with-colons - # key info rpm -e gpg-pubkey-ABC123 # remove key

https://unix.stackexchange.com/questions/17368/how-do-i-tell-which-gpg-key-an-rpm-package-was-signed-with https://news.opensuse.org/2023/01/23/new-4096-bit-signing-key/ https://github.com/openSUSE/opi/commit/378c6e7eedb76cbf9f8d66c51eb9c45d5fd5b010

Outcome

https://github.com/asdil12/zyppkeys

``` $ zypper keys list Key | Added | Vendor ---------------------+---------------------+---------------------------------------------- gpg-pubkey-17280ddf | 2022-09-23 13:43:42 | network OBS Project gpg-pubkey-29b700a4 | 2022-09-12 14:11:42 | openSUSE Project Signing Key gpg-pubkey-3dbdc284 | 2022-09-12 14:11:42 | openSUSE Project Signing Key gpg-pubkey-1abd1afb | 2022-09-12 14:37:08 | PackMan Project (signing key) gpg-pubkey-00e006f2 | 2023-01-30 10:44:24 | network:chromium OBS Project Fingerprints : AD485664E901B867051AB15F35A2F86E29B700A4

```

Looking for hackers with the skills:

rpm security gpg

This project is part of:

Hack Week 22

Activity

  • almost 3 years ago: mkoutny liked this project.
  • almost 3 years ago: jzerebecki liked this project.
  • almost 3 years ago: dheidler started this project.
  • almost 3 years ago: dheidler added keyword "gpg" to this project.
  • almost 3 years ago: dheidler added keyword "security" to this project.
  • almost 3 years ago: dheidler added keyword "rpm" to this project.
  • almost 3 years ago: dheidler originated this project.


    • Comments

    • michals
      almost 3 years ago by michals | Reply

      This internal page documents how to add a repository without the TOFU prompt: https://confluence.suse.com/display/CS/Sensor+-+Linux+Endpoint+Protection+Agent

      I am not aware of any public documentation of this.

    • dheidler
      over 2 years ago by dheidler | Reply

      Added final tool

    • dheidler
      over 2 years ago by dheidler | Reply

      https://build.opensuse.org/request/show/1063628

    • dheidler
      over 2 years ago by dheidler | Reply

      The tool is now part of tumbleweed and can be installed like this: zypper in zypper-keys-plugin

    Similar Projects

    A CLI for Harvester by mohamed.belgaied

    Harvester does not officially come with a CLI tool, the user is supposed to interact with Harvester mostly through the UI. Though it is theoretically possible to use kubectl to interact with Harvester, the manipulation of Kubevirt YAML objects is absolutely not user friendly. Inspired by tools like multipass from Canonical to easily and rapidly create one of multiple VMs, I began the development of Harvester CLI. Currently, it works but Harvester CLI needs some love to be up-to-date with Harvester v1.0.2 and needs some bug fixes and improvements as well.

    Project Description

    Harvester CLI is a command line interface tool written in Go, designed to simplify interfacing with a Harvester cluster as a user. It is especially useful for testing purposes as you can easily and rapidly create VMs in Harvester by providing a simple command such as: harvester vm create my-vm --count 5 to create 5 VMs named my-vm-01 to my-vm-05.

    asciicast

    Harvester CLI is functional but needs a number of improvements: up-to-date functionality with Harvester v1.0.2 (some minor issues right now), modifying the default behaviour to create an opensuse VM instead of an ubuntu VM, solve some bugs, etc.

    Github Repo for Harvester CLI: https://github.com/belgaied2/harvester-cli

    Done in previous Hackweeks

    • Create a Github actions pipeline to automatically integrate Harvester CLI to Homebrew repositories: DONE
    • Automatically package Harvester CLI for OpenSUSE / Redhat RPMs or DEBs: DONE

    Goal for this Hackweek

    The goal for this Hackweek is to bring Harvester CLI up-to-speed with latest Harvester versions (v1.3.X and v1.4.X), and improve the code quality as well as implement some simple features and bug fixes.

    Some nice additions might be: * Improve handling of namespaced objects * Add features, such as network management or Load Balancer creation ? * Add more unit tests and, why not, e2e tests * Improve CI * Improve the overall code quality * Test the program and create issues for it

    Issue list is here: https://github.com/belgaied2/harvester-cli/issues

    Resources

    The project is written in Go, and using client-go the Kubernetes Go Client libraries to communicate with the Harvester API (which is Kubernetes in fact). Welcome contributions are:

    • Testing it and creating issues
    • Documentation
    • Go code improvement

    What you might learn

    Harvester CLI might be interesting to you if you want to learn more about:

    • GitHub Actions
    • Harvester as a SUSE Product
    • Go programming language
    • Kubernetes API
    • Kubevirt API objects (Manipulating VMs and VM Configuration in Kubernetes using Kubevirt)