Project description
IIRC there was an article in the tech news some years ago that criticized the way RPM keys are handled in the SUSE distribution. The main point was that keys are added but usually never removed again. Therefore there should be at least some tool that helps with managing keys and checking whether certain keys are still in use.
Goal for this Hackweek
The goal is to create a tool to list, add, remove and clean up keys.
Resources
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{PACKAGER}\n' # list rpm keys on system
rpm --querytags # list rpm query tags
rpm -qi gpg-pubkey-ABC123 | gpg --quiet --show-keys --with-colons - # key info
rpm -e gpg-pubkey-ABC123 # remove key
https://unix.stackexchange.com/questions/17368/how-do-i-tell-which-gpg-key-an-rpm-package-was-signed-with
https://news.opensuse.org/2023/01/23/new-4096-bit-signing-key/
https://github.com/openSUSE/opi/commit/378c6e7eedb76cbf9f8d66c51eb9c45d5fd5b010
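Added example (not part of zyppkeys or of the original page): one way to check whether an imported key is still in use, by comparing the gpg-pubkey list from the first command above with the key IDs found in the signatures of installed packages. It assumes the signature is exposed through rpm's SIGPGP/SIGGPG tags; the --live switch and the sample data are constructed for this example.

```python
import re
import subprocess

# KEYS_QF is the query format from the list above; SIGS_QF uses rpm's :pgpsig
# formatter to print the key ID each installed package was signed with.
KEYS_QF = r"%{NAME}-%{VERSION}\t%{PACKAGER}\n"
SIGS_QF = r"%{NAME}\t%{SIGPGP:pgpsig}\t%{SIGGPG:pgpsig}\n"
KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,})")

# Constructed sample output in those two formats (not from a real system).
SAMPLE_KEYS = ("gpg-pubkey-29b700a4\topenSUSE Project Signing Key\n"
               "gpg-pubkey-aaaa1111\tExample Vendor <keys@example.invalid>\n")
SAMPLE_SIGS = ("bash\tRSA/SHA256, Mon Sep 12 14:11:42 2022, "
               "Key ID 35a2f86e29b700a4\t(none)\n"
               "localtool\t(none)\t(none)\n"
               "gpg-pubkey\t(none)\t(none)\n")

def count_signed(sigs_text):
    """Count installed packages per short key ID; None means unsigned."""
    counts = {}
    for line in sigs_text.splitlines():
        name, _, sigs = line.partition("\t")
        if name == "gpg-pubkey":
            continue  # imported keys appear as unsigned pseudo-packages
        m = KEYID_RE.search(sigs)
        short = m.group(1)[-8:].lower() if m else None
        counts[short] = counts.get(short, 0) + 1
    return counts

def unused_keys(keys_text, sigs_text):
    """Imported keys that no installed package is signed with."""
    counts = count_signed(sigs_text)
    keys = [ln.split("\t")[0] for ln in keys_text.splitlines()
            if ln.startswith("gpg-pubkey-")]
    return sorted(k for k in keys if k.rsplit("-", 1)[1].lower() not in counts)

def rpm_query(query_args):
    """Run rpm with the given arguments and return its stdout."""
    return subprocess.run(["rpm", *query_args], check=True, text=True,
                          capture_output=True).stdout

if __name__ == "__main__":
    import sys
    if "--live" in sys.argv:  # hypothetical switch: query the local RPM database
        keys, sigs = (rpm_query(["-q", "gpg-pubkey", "--qf", KEYS_QF]),
                      rpm_query(["-qa", "--qf", SIGS_QF]))
    else:  # offline demo on the constructed sample
        keys, sigs = SAMPLE_KEYS, SAMPLE_SIGS
    print("\n".join(unused_keys(keys, sigs)))
```

A key reported here can still be referenced by a configured repository, so compare the result with the repository view before removing anything with rpm -e. Packages signed with a subkey carry the subkey's ID and will not match the gpg-pubkey name, which is derived from the primary key.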
Outcome
https://github.com/asdil12/zyppkeys
$ zypper keys list
Key | Added | Vendor
---------------------+---------------------+----------------------------------------------
gpg-pubkey-17280ddf | 2022-09-23 13:43:42 | network OBS Project <network@build.opensuse.…
gpg-pubkey-c862b42c | 2023-01-24 10:51:17 | games OBS Project <games@build.opensuse.org>
gpg-pubkey-29b700a4 | 2022-09-12 14:11:42 | openSUSE Project Signing Key <opensuse@opens…
gpg-pubkey-39db7c82 | 2022-09-12 14:11:42 | SuSE Package Signing Key <build@suse.de>
gpg-pubkey-3dbdc284 | 2022-09-12 14:11:42 | openSUSE Project Signing Key <opensuse@opens…
gpg-pubkey-be1229cf | 2022-09-12 14:38:34 | Microsoft (Release signing) <gpgsecurity@mic…
gpg-pubkey-8a7c64f9 | 2022-09-28 11:41:27 | Unsupported <unsupported@suse.de>
gpg-pubkey-1abd1afb | 2022-09-12 14:37:08 | PackMan Project (signing key) <packman@links…
gpg-pubkey-cbdf5e8f | 2022-09-27 12:05:36 | devel:openQA OBS Project <devel:openQA@build…
gpg-pubkey-6a8dce8c | 2022-09-15 10:11:09 | home:dheidler OBS Project <home:dheidler@bui…
gpg-pubkey-edf0d733 | 2022-11-12 14:47:56 | devel:languages:python OBS Project <devel:la…
gpg-pubkey-a89c3a8a | 2022-09-28 22:49:49 | devel:languages:nodejs OBS Project <devel:la…
gpg-pubkey-d6d11ce4 | 2022-12-27 19:51:28 | hardware OBS Project <hardware@build.opensus…
gpg-pubkey-72174fc2 | 2023-01-30 10:44:24 | Virtualization OBS Project <Virtualization@b…
gpg-pubkey-dcef338c | 2023-01-30 10:44:24 | devel:languages:perl OBS Project <devel:lang…
gpg-pubkey-65176565 | 2023-01-30 10:44:24 | openSUSE:Backports OBS Project <openSUSE:Bac…
gpg-pubkey-f23c6aa3 | 2023-01-30 10:44:24 | multimedia OBS Project <multimedia@build.ope…
gpg-pubkey-780504e9 | 2023-01-30 10:44:24 | X11 OBS Project <X11@build.opensuse.org>
gpg-pubkey-00e006f2 | 2023-01-30 10:44:24 | network:chromium OBS Project <network:chromi…
gpg-pubkey-8df63672 | 2023-01-30 10:44:24 | home:mkittler OBS Project <home:mkittler@bui…
gpg-pubkey-038651bd | 2023-02-01 12:53:40 | https://packagecloud.io/slacktechnologies/sl…
gpg-pubkey-7fac5991 | 2023-02-02 00:00:01 | Google, Inc. Linux Package Signing Key <linu…
gpg-pubkey-d38b4796 | 2023-02-02 00:00:01 | Google Inc. (Linux Packages Signing Authorit…
gpg-pubkey-33eaab8e | 2023-02-02 00:00:01 | Vivaldi Package Composer KEY09 <packager@viv…
gpg-pubkey-4218647e | 2023-02-06 14:51:10 | Vivaldi Package Composer KEY08 <packager@viv…
gpg-pubkey-8583c11c | 2023-02-07 14:07:35 | home:dheidler OBS Project <home:dheidler@bui…
gpg-pubkey-324e6311 | 2023-02-08 16:52:09 | filesystems OBS Project <filesystems@build.o…
$ zypper keys repokeys -d
Repo | Key | Added | Vendor
----------------------------------+---------------------+-------+-------------------------
suse_ca | gpg-pubkey-39db7c82 | Yes | SuSE Package Signing Ke…
vivaldi | gpg-pubkey-4218647e | Yes | Vivaldi Package Compose…
home_dheidler | gpg-pubkey-8583c11c | Yes | home:dheidler OBS Proje…
games | gpg-pubkey-c862b42c | Yes | games OBS Project <game…
hardware_sdr | gpg-pubkey-d6d11ce4 | Yes | hardware OBS Project <h…
download.opensuse.org-oss | gpg-pubkey-29b700a4 | Yes | openSUSE Project Signin…
download.opensuse.org-tumbleweed | gpg-pubkey-3dbdc284 | Yes | openSUSE Project Signin…
devel-openqa | gpg-pubkey-cbdf5e8f | Yes | devel:openQA OBS Projec…
download.opensuse.org-non-oss | gpg-pubkey-29b700a4 | Yes | openSUSE Project Signin…
vscode | gpg-pubkey-be1229cf | Yes | Microsoft (Release sign…
slack | gpg-pubkey-038651bd | Yes | https://packagecloud.io…
filesystems | gpg-pubkey-324e6311 | Yes | filesystems OBS Project…
openh264 | gpg-pubkey-3dbdc284 | Yes | openSUSE Project Signin…
$ zypper keys show gpg-pubkey-29b700a4
Information for key gpg-pubkey-29b700a4:
----------------------------------------
Key : gpg-pubkey-29b700a4
Added : 2022-09-12 14:11:42
Vendor : openSUSE Project Signing Key <opensuse@opensuse.org>
Fingerprints : AD485664E901B867051AB15F35A2F86E29B700A4
This project is part of:
Hack Week 22
Comments
8 months ago by michals
This internal page documents how to add a repository without the TOFU prompt: https://confluence.suse.com/display/CS/Sensor+-+Linux+Endpoint+Protection+Agent
I am not aware of any public documentation of this.