Project description

IIRC there was an article in tech news a year or so ago that criticized the way RPM keys are handled in the SUSE distribution. The main point was that keys are added but usually never removed again. Therefore there should at least be a tool that helps manage keys and check whether certain keys are still in use.

Goal for this Hackweek

The goal is to create a tool to list, add, remove and clean up keys.

Resources

rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{PACKAGER}\n'        # list rpm keys on system
rpm --querytags                                                   # list rpm query tags
rpm -qi gpg-pubkey-ABC123 | gpg --quiet --show-keys --with-colons - # key info
rpm -e gpg-pubkey-ABC123                                          # remove key

https://unix.stackexchange.com/questions/17368/how-do-i-tell-which-gpg-key-an-rpm-package-was-signed-with
https://news.opensuse.org/2023/01/23/new-4096-bit-signing-key/
https://github.com/openSUSE/opi/commit/378c6e7eedb76cbf9f8d66c51eb9c45d5fd5b010

Outcome

https://github.com/asdil12/zyppkeys

$ zypper keys list
 Key                 | Added               | Vendor
---------------------+---------------------+----------------------------------------------
 gpg-pubkey-17280ddf | 2022-09-23 13:43:42 | network OBS Project <network@build.opensuse.…
 gpg-pubkey-c862b42c | 2023-01-24 10:51:17 | games OBS Project <games@build.opensuse.org>
 gpg-pubkey-29b700a4 | 2022-09-12 14:11:42 | openSUSE Project Signing Key <opensuse@opens…
 gpg-pubkey-39db7c82 | 2022-09-12 14:11:42 | SuSE Package Signing Key <build@suse.de>
 gpg-pubkey-3dbdc284 | 2022-09-12 14:11:42 | openSUSE Project Signing Key <opensuse@opens…
 gpg-pubkey-be1229cf | 2022-09-12 14:38:34 | Microsoft (Release signing) <gpgsecurity@mic…
 gpg-pubkey-8a7c64f9 | 2022-09-28 11:41:27 | Unsupported <unsupported@suse.de>
 gpg-pubkey-1abd1afb | 2022-09-12 14:37:08 | PackMan Project (signing key) <packman@links…
 gpg-pubkey-cbdf5e8f | 2022-09-27 12:05:36 | devel:openQA OBS Project <devel:openQA@build…
 gpg-pubkey-6a8dce8c | 2022-09-15 10:11:09 | home:dheidler OBS Project <home:dheidler@bui…
 gpg-pubkey-edf0d733 | 2022-11-12 14:47:56 | devel:languages:python OBS Project <devel:la…
 gpg-pubkey-a89c3a8a | 2022-09-28 22:49:49 | devel:languages:nodejs OBS Project <devel:la…
 gpg-pubkey-d6d11ce4 | 2022-12-27 19:51:28 | hardware OBS Project <hardware@build.opensus…
 gpg-pubkey-72174fc2 | 2023-01-30 10:44:24 | Virtualization OBS Project <Virtualization@b…
 gpg-pubkey-dcef338c | 2023-01-30 10:44:24 | devel:languages:perl OBS Project <devel:lang…
 gpg-pubkey-65176565 | 2023-01-30 10:44:24 | openSUSE:Backports OBS Project <openSUSE:Bac…
 gpg-pubkey-f23c6aa3 | 2023-01-30 10:44:24 | multimedia OBS Project <multimedia@build.ope…
 gpg-pubkey-780504e9 | 2023-01-30 10:44:24 | X11 OBS Project <X11@build.opensuse.org>
 gpg-pubkey-00e006f2 | 2023-01-30 10:44:24 | network:chromium OBS Project <network:chromi…
 gpg-pubkey-8df63672 | 2023-01-30 10:44:24 | home:mkittler OBS Project <home:mkittler@bui…
 gpg-pubkey-038651bd | 2023-02-01 12:53:40 | https://packagecloud.io/slacktechnologies/sl…
 gpg-pubkey-7fac5991 | 2023-02-02 00:00:01 | Google, Inc. Linux Package Signing Key <linu…
 gpg-pubkey-d38b4796 | 2023-02-02 00:00:01 | Google Inc. (Linux Packages Signing Authorit…
 gpg-pubkey-33eaab8e | 2023-02-02 00:00:01 | Vivaldi Package Composer KEY09 <packager@viv…
 gpg-pubkey-4218647e | 2023-02-06 14:51:10 | Vivaldi Package Composer KEY08 <packager@viv…
 gpg-pubkey-8583c11c | 2023-02-07 14:07:35 | home:dheidler OBS Project <home:dheidler@bui…
 gpg-pubkey-324e6311 | 2023-02-08 16:52:09 | filesystems OBS Project <filesystems@build.o…

$ zypper keys repokeys -d
 Repo                             | Key                 | Added | Vendor
----------------------------------+---------------------+-------+-------------------------
 suse_ca                          | gpg-pubkey-39db7c82 | Yes   | SuSE Package Signing Ke…
 vivaldi                          | gpg-pubkey-4218647e | Yes   | Vivaldi Package Compose…
 home_dheidler                    | gpg-pubkey-8583c11c | Yes   | home:dheidler OBS Proje…
 games                            | gpg-pubkey-c862b42c | Yes   | games OBS Project <game…
 hardware_sdr                     | gpg-pubkey-d6d11ce4 | Yes   | hardware OBS Project <h…
 download.opensuse.org-oss        | gpg-pubkey-29b700a4 | Yes   | openSUSE Project Signin…
 download.opensuse.org-tumbleweed | gpg-pubkey-3dbdc284 | Yes   | openSUSE Project Signin…
 devel-openqa                     | gpg-pubkey-cbdf5e8f | Yes   | devel:openQA OBS Projec…
 download.opensuse.org-non-oss    | gpg-pubkey-29b700a4 | Yes   | openSUSE Project Signin…
 vscode                           | gpg-pubkey-be1229cf | Yes   | Microsoft (Release sign…
 slack                            | gpg-pubkey-038651bd | Yes   | https://packagecloud.io…
 filesystems                      | gpg-pubkey-324e6311 | Yes   | filesystems OBS Project…
 openh264                         | gpg-pubkey-3dbdc284 | Yes   | openSUSE Project Signin…

$ zypper keys show gpg-pubkey-29b700a4

Information for key gpg-pubkey-29b700a4:
----------------------------------------
Key          : gpg-pubkey-29b700a4
Added        : 2022-09-12 14:11:42
Vendor       : openSUSE Project Signing Key <opensuse@opensuse.org>
Fingerprints : AD485664E901B867051AB15F35A2F86E29B700A4
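The check the "cleanup" goal needs is the join of the two listings above: which keys sit in the rpmdb, and which of them a configured repository still uses. The following script is an added example and is not code from the zyppkeys project. It parses the output of the `rpm -q gpg-pubkey --qf ...` query from the Resources section, a repo-to-key mapping of the shape the `repokeys` table prints (how the plugin derives that mapping is not described on the page, so it is supplied here as a constructed dictionary), and a constructed `gpg --with-colons` record to confirm that the `gpg-pubkey-<version>` name in the rpmdb matches the key's real fingerprint. Key ids, vendor strings and the fingerprint are copied from the page; `SAMPLE_*` names and the timestamps in the gpg record are constructed.

```python
"""Cross-check the rpm GPG keys on a system against repository signing keys.

Added example, not code from the zyppkeys project: it consumes the output of
the `rpm -q gpg-pubkey --qf ...` query, a repo -> key mapping of the shape
`zypper keys repokeys` prints, and the `gpg --with-colons` record for one key,
and reports which installed keys no repository still uses (cleanup candidates).
"""
import re
import shutil
import subprocess
from typing import Dict, List, Optional

# Constructed sample of `rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{PACKAGER}\n'`;
# the key ids and vendors are copied from the listing on the project page.
SAMPLE_RPM_OUTPUT = (
    "gpg-pubkey-29b700a4\topenSUSE Project Signing Key <opensuse@opensuse.org>\n"
    "gpg-pubkey-39db7c82\tSuSE Package Signing Key <build@suse.de>\n"
    "gpg-pubkey-6a8dce8c\thome:dheidler OBS Project <home:dheidler@build.opensuse.org>\n"
    "gpg-pubkey-8583c11c\thome:dheidler OBS Project <home:dheidler@build.opensuse.org>\n"
    "gpg-pubkey-be1229cf\tMicrosoft (Release signing) <gpgsecurity@microsoft.com>\n"
)

# Constructed repo -> key mapping in the shape of the `repokeys` table.
# Assumption: how the plugin derives it from repo metadata is not on the page.
SAMPLE_REPO_KEYS = {
    "suse_ca": "gpg-pubkey-39db7c82",
    "home_dheidler": "gpg-pubkey-8583c11c",
    "download.opensuse.org-oss": "gpg-pubkey-29b700a4",
    "vscode": "gpg-pubkey-be1229cf",
}

# Constructed `gpg --show-keys --with-colons` output for one key (timestamps
# made up); the fingerprint is the one `zypper keys show` prints above.
SAMPLE_GPG_COLONS = (
    "pub:-:4096:1:35A2F86E29B700A4:1662995000:::-:::scESC::::::23::0:\n"
    "fpr:::::::::AD485664E901B867051AB15F35A2F86E29B700A4:\n"
    "uid:-::::1662995000::::openSUSE Project Signing Key <opensuse@opensuse.org>::::::::::0:\n"
)

KEY_LINE = re.compile(r"^(gpg-pubkey-[0-9a-f]{8})\t(.*)$")


def parse_rpm_keys(text: str) -> Dict[str, str]:
    """Map 'gpg-pubkey-<id>' -> PACKAGER (the vendor string) per query line."""
    keys: Dict[str, str] = {}
    for line in text.splitlines():
        m = KEY_LINE.match(line)
        if m:
            keys[m.group(1)] = m.group(2)
    return keys


def installed_rpm_keys() -> Dict[str, str]:
    """Run the real rpm query when rpm exists, else use the constructed sample."""
    if shutil.which("rpm") is None:
        return parse_rpm_keys(SAMPLE_RPM_OUTPUT)
    query = r"%{NAME}-%{VERSION}\t%{PACKAGER}\n"  # rpm expands \t and \n itself
    out = subprocess.run(["rpm", "-q", "gpg-pubkey", "--qf", query],
                         capture_output=True, text=True, check=False).stdout
    return parse_rpm_keys(out)


def fingerprint_from_colons(text: str) -> Optional[str]:
    """Field 10 of the 'fpr' record is the full key fingerprint."""
    for line in text.splitlines():
        fields = line.split(":")
        if fields[0] == "fpr" and len(fields) > 9:
            return fields[9].upper()
    return None


def key_matches_fingerprint(pkg: str, fingerprint: str) -> bool:
    """The VERSION of gpg-pubkey-<version> is the low 32 bits of the key id,
    i.e. the last 8 hex digits of the fingerprint; a mismatch means the rpmdb
    entry and the key material it carries do not belong together."""
    return fingerprint.upper().endswith(pkg.rsplit("-", 1)[1].upper())


def unused_keys(installed: Dict[str, str], repo_keys: Dict[str, str]) -> List[str]:
    """Installed keys that no configured repository is signed with."""
    in_use = set(repo_keys.values())
    return sorted(k for k in installed if k not in in_use)


def repos_without_key(installed: Dict[str, str], repo_keys: Dict[str, str]) -> List[str]:
    """Repositories whose key is missing from the rpmdb (the 'Added: No' case)."""
    return sorted(r for r, k in repo_keys.items() if k not in installed)


def removal_commands(unused: List[str]) -> List[str]:
    """One `rpm -e gpg-pubkey-<id>` line (Resources section) per unused key."""
    return [f"rpm -e {k}" for k in unused]


if __name__ == "__main__":
    installed = parse_rpm_keys(SAMPLE_RPM_OUTPUT)  # or installed_rpm_keys() on a real box
    for key in unused_keys(installed, SAMPLE_REPO_KEYS):
        print(f"unused: {key}  {installed[key]}")
    for repo in repos_without_key(installed, SAMPLE_REPO_KEYS):
        print(f"repo without key in rpmdb: {repo}")
    fpr = fingerprint_from_colons(SAMPLE_GPG_COLONS) or ""
    print("fingerprint matches rpmdb name:", key_matches_fingerprint("gpg-pubkey-29b700a4", fpr))
```

With the sample data the old `home:dheidler` key `gpg-pubkey-6a8dce8c` is reported as unused, because the repo now carries `gpg-pubkey-8583c11c`; that is exactly the "added but never removed" leftover the project description complains about. A key being unused by any repository is the signal to review it, and `removal_commands` only produces the `rpm -e` lines for that review rather than running them.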

Looking for hackers with the skills:

rpm security gpg

This project is part of:

Hack Week 22

Activity

  • about 2 months ago: mkoutny liked this project.
  • about 2 months ago: jzerebecki liked this project.
  • about 2 months ago: dheidler started this project.
  • about 2 months ago: dheidler added keyword "gpg" to this project.
  • about 2 months ago: dheidler added keyword "security" to this project.
  • about 2 months ago: dheidler added keyword "rpm" to this project.
  • about 2 months ago: dheidler originated this project.

Comments

  • michals, about 2 months ago:

    This internal page documents how to add a repository without the TOFU prompt: https://confluence.suse.com/display/CS/Sensor+-+Linux+Endpoint+Protection+Agent

    I am not aware of any public documentation of this.

  • dheidler, about 2 months ago:

    Added final tool

  • dheidler, about 1 month ago:

    The tool is now part of tumbleweed and can be installed like this: zypper in zypper-keys-plugin
