[csw-maintainers] GPG package verification
Maciej (Matchek) Blizinski
maciej at opencsw.org
Fri Dec  4 12:40:22 CET 2009
When pkg-get or pkgutil verifies the gpg signature of a catalog file,
what is it that it's specifically checking for?  My guess is that it
checks for any good signature from any trusted key from root's
keyring.

The assumption here is that there isn't any bogus key imported into
root's keyring.  Otherwise, someone could hijack DNS, and serve their
own catalog with their signature.  pkg-get or pkgutil would look at
the signature and say: "It's a good signature from badguy at evil.com.  I
have that UID in my keyring, looks good to me!" and let the package
install.

Debian uses a separate keyring for package verification.  Perhaps we
should have something similar?

What I would like to be able to control there is:

- there's a known set of gpg keys used to verify packages
- the set of gpg keyrings is easy to control by running specific
  scripts or dropping files into directories

Thoughts or suggestions?

Maciej
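The check the post is asking for, written out as an added example (this is not pkg-get or pkgutil code, nor anything from OpenCSW): gpg is pointed at a dedicated directory of keyring files instead of root's default keyring, and the result is accepted only if gpg reports a valid signature made by a key whose full fingerprint is on an explicit allow-list. The directory path `/etc/opt/csw/catalog-keys.d`, the fingerprint values and the sample status lines are constructed placeholders; the `[GNUPG:]` status tokens parsed here (`VALIDSIG`, `BADSIG`, `NO_PUBKEY`, `EXPKEYSIG`, `REVKEYSIG`, ...) are gpg's documented `--status-fd` output.

```python
import subprocess
from pathlib import Path

# Assumed layout (not an OpenCSW convention): one keyring file per trusted
# signer, dropped into this directory. Adding or removing a file changes the
# trusted set; root's own ~/.gnupg keyring is never consulted.
KEYRING_DIR = Path("/etc/opt/csw/catalog-keys.d")

# Allow-list of full key fingerprints. Constructed placeholder value, not a
# real key. A "good signature" from any other key is rejected.
TRUSTED_FINGERPRINTS = {
    "0123456789ABCDEF0123456789ABCDEF01234567",
}

# Status tokens that mean "do not install", even if gpg also printed GOODSIG
# (expired/revoked keys still yield a cryptographically good signature).
REJECT_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}

# Constructed sample of what gpg --status-fd 1 prints for a good signature.
SAMPLE_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Catalog Signer <signer at example.org>\n"
    "[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-12-04 "
    "1259926822 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)


def list_keyrings(keyring_dir):
    """Return the keyring files in the directory, sorted for stable behaviour."""
    return sorted(str(p) for p in Path(keyring_dir).glob("*.gpg") if p.is_file())


def build_verify_command(sig_path, data_path, keyrings):
    """gpg invocation that consults only the listed keyrings."""
    cmd = ["gpg", "--batch", "--no-default-keyring"]
    for keyring in keyrings:
        cmd += ["--keyring", keyring]
    # --status-fd 1 makes gpg print machine-readable [GNUPG:] lines on stdout.
    cmd += ["--status-fd", "1", "--verify", str(sig_path), str(data_path)]
    return cmd


def evaluate_status(status_text, trusted_fingerprints):
    """Decide from gpg's --status-fd output whether the catalog may be used.

    Returns (accepted, reason). Acceptance needs a VALIDSIG line whose
    signing-key fingerprint is on the allow-list and no rejecting line.
    """
    valid_fprs = []
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        tag = fields[1]
        if tag in REJECT_TAGS:
            return False, tag
        if tag == "VALIDSIG" and len(fields) > 2:
            # VALIDSIG <fingerprint> <date> <timestamp> ...: field 2 is the
            # fingerprint of the key that actually produced the signature.
            valid_fprs.append(fields[2].upper())
    if not valid_fprs:
        return False, "NO_VALID_SIGNATURE"
    trusted = {f.upper() for f in trusted_fingerprints}
    matched = [f for f in valid_fprs if f in trusted]
    if not matched:
        return False, "UNTRUSTED_KEY:" + ",".join(valid_fprs)
    return True, "TRUSTED_KEY:" + matched[0]


def verify_catalog(sig_path, data_path, keyring_dir=KEYRING_DIR,
                   trusted_fingerprints=TRUSTED_FINGERPRINTS):
    """Run gpg against the dedicated keyrings and evaluate its status output."""
    keyrings = list_keyrings(keyring_dir)
    if not keyrings:
        # An empty trusted set must fail closed, not fall back to any keyring.
        return False, "NO_KEYRINGS_CONFIGURED"
    proc = subprocess.run(build_verify_command(sig_path, data_path, keyrings),
                          capture_output=True, text=True)
    return evaluate_status(proc.stdout, trusted_fingerprints)


if __name__ == "__main__":
    import sys
    ok, why = verify_catalog(sys.argv[1], sys.argv[2])
    print(("ACCEPT " if ok else "REJECT ") + why)
    sys.exit(0 if ok else 1)
```

The decision is made on the fingerprint of the signing key, not on the UID string, so a key whose UID merely looks like a project address cannot pass; and because only the files in the dedicated directory are handed to gpg, a stray key imported into root's default keyring has no effect on catalog verification.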