[csw-maintainers] GPG package verification

Maciej (Matchek) Blizinski maciej at opencsw.org
Fri Dec 4 12:40:22 CET 2009


When pkg-get or pkgutil verifies the gpg signature of a catalog file,
what is it that it's specifically checking for?  My guess is that it
checks for any good signature from any trusted key from root's
keyring.

The assumption here is that there isn't any bogus key imported into
root's keyring.  Otherwise, someone could hijack DNS, and serve their
own catalog with their signature.  pkg-get or pkgutil would look at
the signature and say: "It's a good signature from badguy at evil.com.  I
have that UID in my keyring, looks good to me!" and let the package
install.

Debian uses a separate keyring for package verification.  Perhaps we
should have something similar?

What I would like to be able to control there is:

- there's a known set of gpg keys used to verify packages
- the set of gpg keyrings is easy to control by running specific
scripts or dropping files into directories

Thoughts or suggestions?

Maciej
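The check the post is asking about, written out as an added example (this is not code from pkg-get, pkgutil or OpenCSW): gpg is run with `--no-default-keyring` and an explicit `--keyring` so root's personal keyring is never consulted, and its `--status-fd` output is then accepted only if a `VALIDSIG` line carries a fingerprint from a fixed allow-list. Matching on the fingerprint rather than on the UID shown by `GOODSIG` is what closes the "good signature from badguy at evil.com" hole, since a UID is free text the signer chose. The keyring path, the drop-in directory, the fingerprints and the gpg status lines below are all constructed for the example.

```python
"""Added example: accept a catalog only if it was signed by an allow-listed key
held in a dedicated package keyring. Paths, fingerprints and gpg status lines
are constructed for the example, not taken from OpenCSW."""
import glob
import os
import subprocess

# Hypothetical locations: one keyring file plus a drop-in directory of keyrings.
PACKAGE_KEYRING = "/etc/opt/csw/pkgutil.gpg"
PACKAGE_KEYRING_DIR = "/etc/opt/csw/pkgutil.gpg.d"

# Constructed fingerprints standing in for the catalog signing key(s).
TRUSTED_FPRS = {"0123456789ABCDEF0123456789ABCDEF01234567"}

# gpg status keywords after which the signature must not be accepted.
REJECT_KEYWORDS = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def keyring_args(keyring=PACKAGE_KEYRING, keyring_dir=PACKAGE_KEYRING_DIR):
    """gpg options that ignore root's default keyring and use only our files."""
    args = ["--no-default-keyring"]
    paths = [keyring] + sorted(glob.glob(os.path.join(keyring_dir, "*.gpg")))
    for path in paths:
        if os.path.exists(path):
            args += ["--keyring", path]
    return args


def gpg_verify_command(catalog, signature, keyring=PACKAGE_KEYRING,
                       keyring_dir=PACKAGE_KEYRING_DIR):
    """Command line for a detached-signature check with machine-readable status."""
    return (["gpg", "--batch", "--status-fd", "1"]
            + keyring_args(keyring, keyring_dir)
            + ["--verify", signature, catalog])


def evaluate_status(status_text, trusted_fprs=TRUSTED_FPRS):
    """Decide from gpg --status-fd output whether the signature is acceptable.

    Returns (accepted, reason). Only the full fingerprint from VALIDSIG is
    compared against the allow-list; GOODSIG and its UID are ignored on purpose.
    """
    seen_fprs = set()
    problems = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword == "VALIDSIG" and len(fields) > 2:
            seen_fprs.add(fields[2].upper())       # fingerprint of the signing (sub)key
            if len(fields) > 11:
                seen_fprs.add(fields[11].upper())  # fingerprint of the primary key
        elif keyword in REJECT_KEYWORDS:
            problems.append(keyword)
    if problems:
        return False, "gpg reported " + ", ".join(sorted(set(problems)))
    if not seen_fprs:
        return False, "no VALIDSIG line: nothing was verified"
    matched = seen_fprs & {f.upper() for f in trusted_fprs}
    if not matched:
        return False, "signature from a key that is not in the package allow-list"
    return True, "signed by " + sorted(matched)[0]


def verify_catalog(catalog, signature, trusted_fprs=TRUSTED_FPRS, **keyring_kw):
    """Run gpg against the dedicated keyring(s) and apply evaluate_status."""
    proc = subprocess.run(gpg_verify_command(catalog, signature, **keyring_kw),
                          stdout=subprocess.PIPE, stderr=subprocess.PIPE,
                          universal_newlines=True)
    return evaluate_status(proc.stdout, trusted_fprs)


# Constructed status output: the real catalog key signed the catalog.
STATUS_GOOD = """\
[GNUPG:] GOODSIG 0123456789ABCDEF OpenCSW catalog signing key <catalog@example.org>
[GNUPG:] VALIDSIG 0123456789ABCDEF0123456789ABCDEF01234567 2009-12-04 1259926822 0 4 0 1 2 00 0123456789ABCDEF0123456789ABCDEF01234567
[GNUPG:] TRUST_ULTIMATE
"""

# Constructed: the DNS-hijack case from the post. The signature is technically
# good and gpg knows the key, but its fingerprint is not allow-listed.
STATUS_EVIL = """\
[GNUPG:] GOODSIG FEDCBA9876543210 badguy <badguy@evil.com>
[GNUPG:] VALIDSIG FEDCBA9876543210FEDCBA9876543210FEDCBA98 2009-12-04 1259926822 0 4 0 1 2 00 FEDCBA9876543210FEDCBA9876543210FEDCBA98
[GNUPG:] TRUST_FULLY
"""

# Constructed: catalog modified after it was signed.
STATUS_BAD = """\
[GNUPG:] BADSIG 0123456789ABCDEF OpenCSW catalog signing key <catalog@example.org>
"""

if __name__ == "__main__":
    for name, status in (("good", STATUS_GOOD), ("evil", STATUS_EVIL), ("bad", STATUS_BAD)):
        print(name, evaluate_status(status))
    print(" ".join(gpg_verify_command("catalog", "catalog.asc")))
```

Dropping a `.gpg` keyring into the directory extends the set of keys gpg will look at, but a key still has to appear in `TRUSTED_FPRS` before a signature from it is honoured, which keeps the two controls the post asks for (a known key set, managed by files in a directory) separate from each other.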
