Re: [suse-security] Secure updating/installing of packages
Quoting Christian <neodaxus@xxxxxxx>:
>
> > All SuSE packages are cryptographically signed with the SuSE build key
> > (build@xxxxxxx). It is automatically installed from the CDs.
>
> But do YOU and YaST check the signature of every package before
> installing it? Who knows this for sure?
>
I haven't looked at the code, but the program is supposed to, and a quick Google
search came up with the following:
http://portal.suse.com/sdb/en/2002/05/swiegra_you-gpg.html
which is about gpg being unable to check the signature and refusing to
install the package.
> > In addition to that, fou4s (http://fou4s.gaugusch.at/) allows you to
> > install packages that are signed with fully trusted keys, apart from the
> > SuSE key.
>
> What do you mean by fully trusted keys?
>
By default, only SuSE's gpg keys are trusted. If you have another trusted
source that also signs its RPMs, then fou4s can import that key. I'm quite
certain that fou4s checks every package, as I've used it to install non-SuSE
packages. It will refuse to do so unless you give it the command-line
parameter to ignore gpg keys.
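An added example, not code from fou4s, YaST Online Update or SuSE, showing the install policy the reply above describes as a small Python wrapper around `rpm --checksig`: a package is installed only if it carries a GPG signature, the signing key is already in the rpm keyring (imported with `rpm --import`, which is how an additional fully trusted vendor key gets in), and the signature verifies; an "ignore gpg keys" override lets unsigned or unknown-key packages through. The `rpm --checksig` output formats it parses are assumed from the rpm 4.x family, and the package names and key ID in the sample lines are constructed.

```python
#!/usr/bin/env python3
"""Install-time GPG signature policy for RPM packages.

Added example (not fou4s, YOU or SuSE code).  Assumed rpm 4.x
`rpm --checksig` output, one line per package (sample lines constructed):
  pkg.rpm: md5 gpg OK                                    (verified, key known)
  pkg.rpm: md5 OK                                        (no signature at all)
  pkg.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#9c800aca) (key not imported)
  pkg.rpm: md5 GPG NOT OK                                (signature invalid)
  pkg.rpm: digests signatures OK                         (newer rpm wording)
Failed checks are printed in upper case, and a signature whose key is not
in the rpm keyring is shown in parentheses.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import Tuple

# checksig tokens that indicate a signature (as opposed to a plain digest)
SIG_TOKENS = {"gpg", "pgp", "rsa", "dsa", "signatures"}
_STATUS = re.compile(r"^(?P<checks>.*?)\s*(?P<status>NOT OK|OK)\b(?P<tail>.*)$")


@dataclass
class Verdict:
    package: str
    signed: bool      # a GPG/PGP signature is present in the package
    key_known: bool   # the signing key is in the rpm keyring
    ok: bool          # rpm reported OK (digest and signature verified)

    @property
    def installable(self) -> bool:
        return self.signed and self.key_known and self.ok


def parse_checksig(line: str) -> Verdict:
    """Turn one line of `rpm --checksig` output into a Verdict."""
    package, sep, rest = line.strip().partition(": ")
    if not sep:
        raise ValueError(f"unrecognised checksig line: {line!r}")
    m = _STATUS.match(rest)
    if not m:
        raise ValueError(f"no OK/NOT OK status in: {line!r}")
    signed = False
    key_known = True
    for tok in m.group("checks").split():
        bare = tok.strip("()").lower()
        if bare in SIG_TOKENS:
            signed = True
            if tok.startswith("("):      # "(GPG)" means key not in keyring
                key_known = False
    if "MISSING KEYS" in m.group("tail"):
        key_known = False
    ok = m.group("status") == "OK"
    return Verdict(package, signed, signed and key_known, ok)


def check_package(path: str) -> Verdict:
    """Run rpm --checksig on a real file (needs rpm; not exercised offline)."""
    out = subprocess.run(["rpm", "--checksig", path],
                         capture_output=True, text=True)
    return parse_checksig(out.stdout.splitlines()[0])


def import_key(keyfile: str) -> None:
    """Add a fully trusted vendor key to the rpm keyring (needs rpm)."""
    subprocess.run(["rpm", "--import", keyfile], check=True)


def decide(checksig_line: str, ignore_gpg: bool = False) -> Tuple[bool, str]:
    """Policy: install only verified packages from known keys, unless the
    ignore-gpg override is given.  Even with the override, a package whose
    signature from a *known* key fails to verify is still refused, since
    that is a tampered or corrupt file rather than a trust question."""
    v = parse_checksig(checksig_line)
    if v.installable:
        return True, f"{v.package}: signature OK, key trusted"
    if not v.signed:
        reason = "package is not signed"
    elif not v.key_known:
        reason = "signing key is not in the rpm keyring"
    else:
        reason = "signature or digest does NOT verify"
    if ignore_gpg and (not v.signed or not v.key_known):
        return True, f"{v.package}: {reason}, installed because ignore-gpg was given"
    return False, f"{v.package}: refused, {reason}"


if __name__ == "__main__":
    for sample in ("foo-1.0-1.i386.rpm: md5 gpg OK",
                   "foo-1.0-1.i386.rpm: md5 OK",
                   "foo-1.0-1.i386.rpm: md5 (GPG) NOT OK (MISSING KEYS: GPG#9c800aca)",
                   "foo-1.0-1.i386.rpm: md5 GPG NOT OK"):
        print(decide(sample), decide(sample, ignore_gpg=True))
```

The one deliberate difference from a plain "ignore gpg keys" switch is that the override only waives the trust question (unsigned package or unknown key); a signature from an already imported key that does not verify is always refused.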