Project description

IIRC there was an article in the tech news a year or so ago that criticized the way RPM keys are handled in the SUSE distribution. The main point was that keys are added but usually never removed again. Therefore there should be at least some tool that helps manage keys and check whether certain keys are still in use.

Goal for this Hackweek

The goal is to create a tool to list, add, remove and cleanup keys.

Resources

```sh
rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{PACKAGER}\n'   # list rpm keys on system
rpm --querytags                                              # list rpm query tags
rpm -qi gpg-pubkey-ABC123 | gpg --quiet --show-keys --with-colons -   # key info
rpm -e gpg-pubkey-ABC123                                     # remove key
```
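The "is this key still in use" check from the project description, as an added example that is not part of zyppkeys: it joins the imported `gpg-pubkey` pseudo-packages with the signing key ID of every installed package (the last 8 hex digits of the 16-digit Key ID are the `gpg-pubkey` VERSION, e.g. `...29B700A4` in the fingerprint above) and reports keys that sign nothing. The sample rpm output is constructed, the PackMan Key ID is a placeholder, and the `%{SIGPGP:pgpsig}` query tag is an assumption that varies with the rpm version.

```python
import re
import subprocess

# Constructed sample data (not from a real system), in the shape of
#   rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}\t%{PACKAGER}\n'
SAMPLE_KEYS = (
    "gpg-pubkey-29b700a4\topenSUSE Project Signing Key\n"
    "gpg-pubkey-1abd1afb\tPackMan Project (signing key)\n"
    "gpg-pubkey-00e006f2\tnetwork:chromium OBS Project\n"
)
# ... and of  rpm -qa --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'  (tag varies by rpm version).
# The last 8 hex digits of the 16-digit Key ID are the gpg-pubkey VERSION;
# 35a2f86e29b700a4 matches the fingerprint shown above, ffffffff1abd1afb is a placeholder.
SAMPLE_PKGS = (
    "bash\tRSA/SHA256, Mon 12 Sep 2022 02:11:42 PM CEST, Key ID 35a2f86e29b700a4\n"
    "ffmpeg-4\tRSA/SHA256, Wed 14 Sep 2022 09:00:00 AM CEST, Key ID ffffffff1abd1afb\n"
    "my-local-build\t(none)\n"          # unsigned: locally built package
    "gpg-pubkey\t(none)\n"              # key pseudo-packages are never signed
)
KEYID_RE = re.compile(r"Key ID ([0-9a-f]{16})$")

def parse_keys(text):
    """short id (gpg-pubkey VERSION, 8 hex digits) -> PACKAGER string"""
    return {n[len("gpg-pubkey-"):].lower(): p for n, _, p in
            (l.partition("\t") for l in text.splitlines()) if n.startswith("gpg-pubkey-")}

def parse_signatures(text):
    """short id -> sorted package names signed with it; unsigned packages under None"""
    by_key = {}
    for line in text.splitlines():
        name, _, sig = line.partition("\t")
        if name.startswith("gpg-pubkey"):
            continue
        m = KEYID_RE.search(sig)
        by_key.setdefault(m.group(1)[-8:] if m else None, []).append(name)
    return {k: sorted(v) for k, v in by_key.items()}

def unused_keys(keys, by_key):
    """Imported keys that sign no installed package: candidates for rpm -e."""
    return sorted(k for k in keys if k not in by_key)

def main():
    rpm = lambda *a: subprocess.run(["rpm", *a], check=True, capture_output=True, text=True).stdout
    keys = parse_keys(rpm("-q", "gpg-pubkey", "--qf", r"%{NAME}-%{VERSION}\t%{PACKAGER}\n"))
    by_key = parse_signatures(rpm("-qa", "--qf", r"%{NAME}\t%{SIGPGP:pgpsig}\n"))
    for k in unused_keys(keys, by_key):
        print(f"gpg-pubkey-{k}\t{keys[k]}\tsigns no installed package")

if __name__ == "__main__":
    main()
```

A key that signs no installed package may still be the signing key of an enabled repository whose packages are not installed yet, so cross-check the result against the keys of configured repos before removing anything with `rpm -e`.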

https://unix.stackexchange.com/questions/17368/how-do-i-tell-which-gpg-key-an-rpm-package-was-signed-with
https://news.opensuse.org/2023/01/23/new-4096-bit-signing-key/
https://github.com/openSUSE/opi/commit/378c6e7eedb76cbf9f8d66c51eb9c45d5fd5b010

Outcome

https://github.com/asdil12/zyppkeys

```
$ zypper keys list
Key                  | Added               | Vendor
---------------------+---------------------+----------------------------------------------
gpg-pubkey-17280ddf  | 2022-09-23 13:43:42 | network OBS Project
gpg-pubkey-29b700a4  | 2022-09-12 14:11:42 | openSUSE Project Signing Key
gpg-pubkey-3dbdc284  | 2022-09-12 14:11:42 | openSUSE Project Signing Key
gpg-pubkey-1abd1afb  | 2022-09-12 14:37:08 | PackMan Project (signing key)
gpg-pubkey-00e006f2  | 2023-01-30 10:44:24 | network:chromium OBS Project
Fingerprints : AD485664E901B867051AB15F35A2F86E29B700A4
```

Looking for hackers with the skills:

rpm security gpg

This project is part of:

Hack Week 22

Activity

  • about 2 years ago: mkoutny liked this project.
  • about 2 years ago: jzerebecki liked this project.
  • over 2 years ago: dheidler started this project.
  • over 2 years ago: dheidler added keyword "gpg" to this project.
  • over 2 years ago: dheidler added keyword "security" to this project.
  • over 2 years ago: dheidler added keyword "rpm" to this project.
  • over 2 years ago: dheidler originated this project.

  • Comments

    • michals
      about 2 years ago by michals

      This internal page documents how to add a repository without the TOFU prompt: https://confluence.suse.com/display/CS/Sensor+-+Linux+Endpoint+Protection+Agent

      I am not aware of any public documentation of this.

    • dheidler
      about 2 years ago by dheidler

      Added final tool

    • dheidler
      about 2 years ago by dheidler

      https://build.opensuse.org/request/show/1063628

    • dheidler
      about 2 years ago by dheidler

      The tool is now part of Tumbleweed and can be installed like this: zypper in zypper-keys-plugin
