LinuxQuestions.org
Old 08-13-2008, 06:09 PM   #1
dccombs
LQ Newbie
 
Registered: Jan 2008
Location: New Jersey USA
Distribution: Mandriva 2009.1/PCLOS LXDE
Posts: 23

Rep: Reputation: 15
Untrusted keys


I just installed openSuSE 10.3. After installation, I went to online update configuration. When adding the upgrade repositories I received a message saying a file was signed by an untrusted key.

Also, I received the same message while adding community repositories.

I have only been using Linux since the beginning of the year, and have been running Mandriva, and PCLOS. Is this something I should be concerned about? I was forced to accept the files so the update process would continue.

Thank you in advance...Dan
 
Old 08-13-2008, 06:45 PM   #2
CRC123
Member
 
Registered: Aug 2008
Distribution: opensuse, RHEL
Posts: 374
Blog Entries: 1

Rep: Reputation: 31
No problem, I wouldn't worry about it.
 
Old 08-13-2008, 07:05 PM   #3
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
It probably was a self signed certificate.

Code:
rpm -q gpg-pubkey
gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-0dfb3188-41ed929b
gpg-pubkey-a1912208-446a0899
gpg-pubkey-307e3d54-481f30aa
gpg-pubkey-7e2e3b05-4816488f
gpg-pubkey-9c800aca-481f343a
gpg-pubkey-1abd1afb-450ef738
gpg-pubkey-c66b6eae-4491871e
gpg-pubkey-c8da93d2-457aded7
gpg-pubkey-b7005b33-46554e84
gpg-pubkey-57721a66-47965632
gpg-pubkey-0f2672c8-47965633
Enter in the same command and see if the fingerprints match. You may have some missing or extra.
If you enter "rpm -qi gpg-pubkey" you can see which distro the keys are for. Some of them are from the community distros such as vlc.
 
Old 08-13-2008, 07:13 PM   #4
dccombs
LQ Newbie
 
Registered: Jan 2008
Location: New Jersey USA
Distribution: Mandriva 2009.1/PCLOS LXDE
Posts: 23

Original Poster
Rep: Reputation: 15
Thanks for the reply! I don't completely understand what you mean, but here are the results and I believe they match. What exactly does that tell me?

Code:
rpm -q gpg-pubkey
gpg-pubkey-9c800aca-40d8063e
gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-0dfb3188-41ed929b
gpg-pubkey-307e3d54-44201d5d
gpg-pubkey-a1912208-446a0899
gpg-pubkey-7e2e3b05-44748aba
gpg-pubkey-1fc2d149-485176f0
gpg-pubkey-9c800aca-481f343a
gpg-pubkey-c8da93d2-457aded7
gpg-pubkey-1abd1afb-450ef738
gpg-pubkey-766da614-47965b2b

Edit to add: actually, looking at this closer, it doesn't match what you have posted. Is that bad news?

Last edited by dccombs; 08-13-2008 at 07:16 PM. Reason: Add info
 
Old 08-14-2008, 07:33 AM   #5
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
You may be using some different repositories. Also, I use 64 bit SuSE. I'm not certain if a different mirror may have a different certificate.
Code:
zypper lr
#  | Alias                                                    | Name                      | Enabled | Refresh
---+----------------------------------------------------------+---------------------------+---------+--------
1  | werner_gEda                                              | werner gEda               | Yes     | Yes
2  | Main Repository (OSS)                                    | Main Repository (OSS)     | Yes     | Yes
3  | openSUSE-DVD 11.0                                        | openSUSE-DVD 11.0         | Yes     | No
4  | repo-non-oss                                             | openSUSE-11.0-Non-Oss     | Yes     | No
5  | http://ftp.skynet.be/pub/packman/suse/11.0/              | Packman Repository        | Yes     | Yes
6  | repo-oss                                                 | openSUSE-11.0-Oss         | Yes     | No
7  | http://download.videolan.org/pub/videolan/vlc/SuSE/11.0/ | VideoLan Repository       | Yes     | Yes
8  | http://download.nvidia.com/opensuse/11.0                 | NVIDIA Repository         | Yes     | Yes
9  | openSUSE-11.0-Updates                                    | Updates for 11.0          | Yes     | Yes
10 | repo-debug                                               | openSUSE-11.0-Debug       | No      | No
11 | Main Repository (NON-OSS)                                | Main Repository (NON-OSS) | Yes     | Yes
This is a list of asc files from the install DVD.
Code:
ls *.asc
content.asc
gpg-pubkey-307e3d54-481f30aa.asc
gpg-pubkey-7e2e3b05-4816488f.asc
gpg-pubkey-a1912208-446a0899.asc
gpg-pubkey-0dfb3188-41ed929b.asc
gpg-pubkey-3d25d3d9-36e12d04.asc
gpg-pubkey-9c800aca-481f343a.asc
If you can cut a part of the public key printed out with "rpm -qi gpg-pubkey" and grep it against the keys on the CDROM or DVD, then you should be OK.
Code:
grep 'mQGiBEHtkpsRBACRHi' *.asc
gpg-pubkey-0dfb3188-41ed929b.asc:mQGiBEHtkpsRBACRHiXh3olS++6/Mp9N7ByGMmjaaE+Y8cJQLUPG1myrbW5aogIP
The "rpm -qi gpg-pubkey" results also list which repo each key is for. You can also look for a package in rpm.pbone.net and choose the pbone mirror, and download an rpm. Then compare the signature in the package:
Code:
rpm -qip <rpm package file>
with the installed version:
Code:
rpm -qi <rpm package>

The one potential attack against mirror sites I have read of is to compromise your DNS and get you to download old package versions from a fake mirror site. The packages would verify correctly because the site contains genuine packages. They are just dated. I think it would be hard to miss, however. You can also change to a different mirror if you are concerned about the repo you are using.

If the md5sum & asc values of your installation media match what is listed on the SuSE site, then you should be OK.

Last edited by jschiwal; 08-14-2008 at 07:38 AM.
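A stricter form of the check jschiwal describes above (grepping the key text against the DVD's .asc files), added here as an example and not code from the thread: it reads an armored .asc, computes the OpenPGP v4 fingerprint of the key packet, and checks that the key id it yields is the one encoded in the installed gpg-pubkey package name. It assumes rpm's gpg-pubkey-<keyid>-<hex timestamp> naming (the key id being the low 32 bits of the fingerprint), old-format packet headers as GnuPG writes them, and a constructed toy key packet as sample input; the armor CRC line is skipped, not verified.

```python
import base64, hashlib, struct
from datetime import datetime, timezone

def dearmor(asc_text):
    """Strip ASCII armor (BEGIN line, headers, blank line, base64 data, =CRC24, END line)."""
    body, in_data = [], False
    for line in asc_text.strip().splitlines():
        line = line.strip()
        if line.startswith("-----"):      # BEGIN or END marker
            in_data = False
            continue
        if not in_data:
            if line == "":                # blank line ends the armor headers
                in_data = True
            continue
        if line.startswith("="):          # CRC24 line; not verified in this example
            break
        body.append(line)
    return base64.b64decode("".join(body))

def public_key_packet(data):
    """Return the body of the first packet, which must be an old-format public key (tag 6)."""
    first = data[0]
    if first & 0xC0 != 0x80:
        raise ValueError("only old-format packet headers are handled here")
    tag, ltype = (first >> 2) & 0x0F, first & 0x03
    if tag != 6 or ltype == 3:
        raise ValueError("first packet is not a public key with a definite length")
    n = 1 << ltype                        # 1, 2 or 4 length bytes
    length = int.from_bytes(data[1:1 + n], "big")
    return data[1 + n:1 + n + length]

def fingerprint(body):
    """v4 fingerprint: SHA-1 over 0x99, a two-byte length and the key packet body (RFC 4880 12.2)."""
    if body[0] != 4:
        raise ValueError("only v4 keys are supported")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest()

def key_info(asc_text):
    """(fingerprint, key id, creation time) of the key in an armored .asc file."""
    body = public_key_packet(dearmor(asc_text))
    created = datetime.fromtimestamp(struct.unpack(">I", body[1:5])[0], timezone.utc)
    fp = fingerprint(body)
    return fp, fp[-8:], created

def parse_rpm_name(name):
    """'gpg-pubkey-<keyid>-<hex timestamp>' as rpm -q gpg-pubkey prints it -> (keyid, datetime)."""
    prefix, keyid, stamp = name.rsplit("-", 2)
    if prefix != "gpg-pubkey":
        raise ValueError("not a gpg-pubkey package name: " + name)
    return keyid, datetime.fromtimestamp(int(stamp, 16), timezone.utc)

def matches(asc_text, rpm_name):
    """True when the .asc key's id equals the key id in the installed gpg-pubkey package name."""
    return key_info(asc_text)[1] == parse_rpm_name(rpm_name)[0]

# Constructed sample: a minimal v4 RSA key packet with toy MPIs (not a real key), whose creation
# time is 0x481f343a, the timestamp of gpg-pubkey-9c800aca-481f343a from the thread.
SAMPLE_BODY = b"\x04\x48\x1f\x34\x3a\x01" + b"\x00\x10\xc0\xde" + b"\x00\x11\x01\x00\x01"
SAMPLE_ASC = ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nVersion: constructed sample\n\n"
              + base64.b64encode(b"\x99" + struct.pack(">H", len(SAMPLE_BODY)) + SAMPLE_BODY).decode()
              + "\n=AAAA\n-----END PGP PUBLIC KEY BLOCK-----\n")
```

On a real system the .asc files come from the install DVD and the package names from `rpm -q gpg-pubkey`; a key id that matches no installed package, or an installed key with no .asc on the media, is the case worth following up.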
 
Old 08-14-2008, 03:32 PM   #6
dccombs
LQ Newbie
 
Registered: Jan 2008
Location: New Jersey USA
Distribution: Mandriva 2009.1/PCLOS LXDE
Posts: 23

Original Poster
Rep: Reputation: 15
Thanks again!!!....but now I'm over my head. I don't understand most of what you wrote.

I am using the 32 bit, 10.3, which I downloaded and burned in December. I did check the MD5SUM, and it matched.

I am concerned about this because I make many purchases online, as well as do my banking online. I have received the "untrusted key" warning almost every time I added a repository (packman, mozilla, ATI, updates...etc). I am afraid of a "back door."

I suppose I should download another, more recent copy, and see if I get the same messages/warnings. I would like to try SuSE 11.0, but I don't want KDE4 yet, because I have read it's not ready, and incomplete. If I download the 11.0 Live CD, will I have an option to install with KDE 3.5? Or would I be better off downloading a newer version of 10.3?

My last option would be to go back to PCLOS MiniMe 2008, or Mandriva.
 
Old 08-14-2008, 07:14 PM   #7
jschiwal
Guru
 
Registered: Aug 2001
Location: Fargo, ND
Distribution: SuSE AMD64
Posts: 15,733

Rep: Reputation: 654
If the md5 sum of the install CD matches the published value, and the CD is the source of the keys you have installed, those keys are OK.
When you install a new repository, you don't have their public key at the beginning. You should get a notice asking if you want to trust the new key. My idea to look in rpm.pbone.net and select a mirror to download a package is based on the idea that a man-in-the-middle attack can't cover every mirror site you might visit, and the keys will need to agree. I don't think it would be possible to fake every mirror site you might visit.

Certificates issued by a Certificate Authority use cryptographic techniques to verify that a person is who they say they are. Their private key was issued by a CA after verifying they are who they say (although these standards may have been lax in recent years). Obtaining a certificate from a CA costs thousands of dollars a year, so you will often run into self-signed certificates, where the site author creates their own certificates instead of purchasing one from a CA. Because of this, you will get a warning about the certificate not being verified. I'll even get this warning when I connect to my Linksys router's config via https.

Another technique is a web of trust. Sometimes there will even be web of trust parties where people get together to exchange their public keys. After showing a driver's license to prove you are who you say you are, you exchange public keys with the people present. By widely distributing your public key (which is based on your public key) it would be less likely that someone could pretend to be you on the web.

If you install a package from one site that has public keys for itself and of others, and another package from another site that has most or all of these keys, and they agree, that adds integrity to the keys even though they were self signed. Especially from man-in-the-middle attacks, because such an attack can't cover the scope and time frame of the keys.

---

Yes, SuSE 11 has both kde 3.5 and kde 4.0. You can decide which one (or both) to install. The packages and libraries of the two are segregated so you can run 3.5 and have a program written for 4.0 installed and running in 3.5. I have KDE 4 on my desktop and KDE 3.5 on my laptop. Both are running SuSE 11. When you log in, you can choose which desktop to use. KDE 3.5 and KDE 4.0 have different entries.
 