LinuxQuestions.org


dccombs 08-13-2008 06:09 PM

Untrusted keys
 
I just installed openSuSE 10.3. After installation, I went to online update configuration. When adding the upgrade repositories I received a message saying a file was signed by an untrusted key.

Also, I received the same message while adding community repositories.

I have only been using Linux since the beginning of the year, and have been running Mandriva, and PCLOS. Is this something I should be concerned about? I was forced to accept the files so the update process would continue.

Thank you in advance...Dan

CRC123 08-13-2008 06:45 PM

No problem, I wouldn't worry about it.

jschiwal 08-13-2008 07:05 PM

It probably was a self-signed certificate.

Code:

rpm -q gpg-pubkey
gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-0dfb3188-41ed929b
gpg-pubkey-a1912208-446a0899
gpg-pubkey-307e3d54-481f30aa
gpg-pubkey-7e2e3b05-4816488f
gpg-pubkey-9c800aca-481f343a
gpg-pubkey-1abd1afb-450ef738
gpg-pubkey-c66b6eae-4491871e
gpg-pubkey-c8da93d2-457aded7
gpg-pubkey-b7005b33-46554e84
gpg-pubkey-57721a66-47965632
gpg-pubkey-0f2672c8-47965633

Enter the same command and see if the fingerprints match. You may have some missing or extra.
If you enter "rpm -qi gpg-pubkey" you can see which distro the keys are for. Some of them are from the community distros such as vlc.

dccombs 08-13-2008 07:13 PM

Thanks for the reply! I don't completely understand what you mean, but here are the results and I believe they match. What exactly does that tell me?

rpm -q gpg-pubkey
gpg-pubkey-9c800aca-40d8063e
gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-0dfb3188-41ed929b
gpg-pubkey-307e3d54-44201d5d
gpg-pubkey-a1912208-446a0899
gpg-pubkey-7e2e3b05-44748aba
gpg-pubkey-1fc2d149-485176f0
gpg-pubkey-9c800aca-481f343a
gpg-pubkey-c8da93d2-457aded7
gpg-pubkey-1abd1afb-450ef738
gpg-pubkey-766da614-47965b2b

Edit to add: actually, looking at this closer, it doesn't match what you have posted. Is that bad news?

jschiwal 08-14-2008 07:33 AM

You may be using some different repositories. Also, I use 64 bit SuSE. I'm not certain if a different mirror may have a different certificate.
Code:

zypper lr
#  | Alias                                                    | Name                      | Enabled | Refresh
---+----------------------------------------------------------+---------------------------+---------+--------
1  | werner_gEda                                              | werner gEda               | Yes     | Yes
2  | Main Repository (OSS)                                    | Main Repository (OSS)     | Yes     | Yes
3  | openSUSE-DVD 11.0                                        | openSUSE-DVD 11.0         | Yes     | No
4  | repo-non-oss                                             | openSUSE-11.0-Non-Oss     | Yes     | No
5  | http://ftp.skynet.be/pub/packman/suse/11.0/              | Packman Repository        | Yes     | Yes
6  | repo-oss                                                 | openSUSE-11.0-Oss         | Yes     | No
7  | http://download.videolan.org/pub/videolan/vlc/SuSE/11.0/ | VideoLan Repository       | Yes     | Yes
8  | http://download.nvidia.com/opensuse/11.0                 | NVIDIA Repository         | Yes     | Yes
9  | openSUSE-11.0-Updates                                    | Updates for 11.0          | Yes     | Yes
10 | repo-debug                                               | openSUSE-11.0-Debug       | No      | No
11 | Main Repository (NON-OSS)                                | Main Repository (NON-OSS) | Yes     | Yes

This is a list of asc files from the install DVD.
Code:

ls *.asc
content.asc
gpg-pubkey-307e3d54-481f30aa.asc
gpg-pubkey-7e2e3b05-4816488f.asc
gpg-pubkey-a1912208-446a0899.asc
gpg-pubkey-0dfb3188-41ed929b.asc
gpg-pubkey-3d25d3d9-36e12d04.asc
gpg-pubkey-9c800aca-481f343a.asc

If you can cut a part of the public key printed out with "rpm -qi gpg-pubkey" and grep it against the keys on the CDROM or DVD then you should be OK.
Code:

grep 'mQGiBEHtkpsRBACRHi' *.asc
gpg-pubkey-0dfb3188-41ed929b.asc:mQGiBEHtkpsRBACRHiXh3olS++6/Mp9N7ByGMmjaaE+Y8cJQLUPG1myrbW5aogIP

It also lists for which repo each key is in the "rpm -qi gpg-pubkey" results. You can also look for a package in rpm.pbone.net and choose the pbone mirror, and download an rpm. Then compare the signature in the package:
rpm -qip <rpm package file>
with the installed version:
rpm -qi <rpm package>

The one potential attack against mirror sites I have read of is to compromise your DNS and get you to download old package versions on a fake mirror site. The packages would verify correctly because the site contains genuine packages. They are just dated. I think it would be hard to miss however. You can also change to a different mirror if you are concerned about the repo you are using.

If the md5sum & asc values of your installation media match what is listed in the SuSE site, then you should be OK.
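The check jschiwal describes above (run "rpm -q gpg-pubkey" on both machines and look for keys that are missing, extra, or renewed) can be scripted. The following is an added example, not code from this thread or from openSUSE; the two sample listings are the ones posted earlier in the thread, embedded here as constructed input so the script runs without rpm installed. It relies on rpm's naming of imported keys, gpg-pubkey-<keyid>-<created>, where <keyid> is the low 32 bits of the OpenPGP key ID and <created> is the key's creation time as a hex Unix timestamp. The function names (entries, missing_keys, extra_keys, changed_keys, report) are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): compare two "rpm -q gpg-pubkey" listings
# and report key IDs that are only on one side, or on both sides but with a
# different creation time (a renewed key, or a different key with the same
# short ID). Knowing which keys no other source vouches for is what narrows
# an "untrusted key" warning down to the one repository that needs a closer look.

# Constructed sample input: the two listings posted in this thread.
KEYS_A='gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-0dfb3188-41ed929b
gpg-pubkey-a1912208-446a0899
gpg-pubkey-307e3d54-481f30aa
gpg-pubkey-7e2e3b05-4816488f
gpg-pubkey-9c800aca-481f343a
gpg-pubkey-1abd1afb-450ef738
gpg-pubkey-c66b6eae-4491871e
gpg-pubkey-c8da93d2-457aded7
gpg-pubkey-b7005b33-46554e84
gpg-pubkey-57721a66-47965632
gpg-pubkey-0f2672c8-47965633'

KEYS_B='gpg-pubkey-9c800aca-40d8063e
gpg-pubkey-3d25d3d9-36e12d04
gpg-pubkey-0dfb3188-41ed929b
gpg-pubkey-307e3d54-44201d5d
gpg-pubkey-a1912208-446a0899
gpg-pubkey-7e2e3b05-44748aba
gpg-pubkey-1fc2d149-485176f0
gpg-pubkey-9c800aca-481f343a
gpg-pubkey-c8da93d2-457aded7
gpg-pubkey-1abd1afb-450ef738
gpg-pubkey-766da614-47965b2b'

# entries LISTING -> one "keyid created" pair per line. rpm names an imported
# key gpg-pubkey-<keyid>-<created>; anything else is dropped, not guessed at.
entries() {
  printf '%s\n' "$1" |
    sed -n 's/^gpg-pubkey-\([0-9a-f]\{8\}\)-\([0-9a-f]\{8\}\)$/\1 \2/p'
}

# tagged TAG LISTING -> "TAG keyid created", so both sides share one awk pass.
tagged() { entries "$2" | sed "s/^/$1 /"; }

# missing_keys A B -> key IDs present in A but absent from B (sorted).
missing_keys() {
  { tagged A "$1"; tagged B "$2"; } |
    awk '$1=="A"{a[$2]=1} $1=="B"{b[$2]=1}
         END{for (k in a) if (!(k in b)) print k}' | LC_ALL=C sort
}

# extra_keys A B -> key IDs present in B but absent from A (sorted).
extra_keys() { missing_keys "$2" "$1"; }

# changed_keys A B -> key IDs known on both sides where one side holds a
# keyid-created pair the other side does not.
changed_keys() {
  { tagged A "$1"; tagged B "$2"; } |
    awk '$1=="A"{ida[$2]=1; na[$2"-"$3]=1}
         $1=="B"{idb[$2]=1; nb[$2"-"$3]=1}
         END{
           for (n in na) { split(n, p, "-"); if ((p[1] in idb) && !(n in nb)) out[p[1]]=1 }
           for (n in nb) { split(n, p, "-"); if ((p[1] in ida) && !(n in na)) out[p[1]]=1 }
           for (k in out) print k
         }' | LC_ALL=C sort
}

# report A B -> the three checks in a readable form.
report() {
  echo "only in first listing               : $(missing_keys "$1" "$2" | xargs)"
  echo "only in second listing              : $(extra_keys "$1" "$2" | xargs)"
  echo "same key ID, different creation time: $(changed_keys "$1" "$2" | xargs)"
}

report "$KEYS_A" "$KEYS_B"
```

On the thread's two listings the script reports four keys only on the first machine, two only on the second, and three IDs (307e3d54, 7e2e3b05, 9c800aca) present on both with different creation times, which is consistent with the two machines running different openSUSE releases and repositories rather than with a forged key. To use it on real hosts, replace the constructed listings with the output of "rpm -q gpg-pubkey" from each machine, then look up any key only one side knows with "rpm -qi gpg-pubkey-<keyid>-<created>" to see which repository it belongs to.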

dccombs 08-14-2008 03:32 PM

Thanks again!!!....but now I'm over my head. I don't understand most of what you wrote.

I am using the 32 bit, 10.3, which I downloaded and burned in December. I did check the MD5SUM, and it matched.

I am concerned about this because I make many purchases online, as well as do my banking online. I have received the "untrusted key" warning almost every time I added a repository (packman, mozilla, ATI, updates...etc). I am afraid of a "back door."

I suppose I should download another, more recent copy, and see if I get the same messages/warnings. I would like to try SuSE 11.0, but I don't want KDE4 yet, because I have read it's not ready, and incomplete. If I download the 11.0 Live CD, will I have an option to install with KDE 3.5? Or would I be better off downloading a newer version of 10.3?

My last option would be to go back to PCLOS MiniMe 2008, or Mandriva.

jschiwal 08-14-2008 07:14 PM

If the md5 sum of the install CD matches the published value, and the CD is the source of the keys you have installed, those keys are OK.
When you install a new repository, you don't have their public key at the beginning. You should get a notice asking if you want to trust the new key. My idea to look in rpm.pbone.net and select a mirror to download a package is based on the idea that a man-in-the-middle attack can't cover every mirror site you might visit, and the keys will need to agree. I don't think it would be possible to fake every mirror site you might visit.

Certificates issued by a Certificate Authority use cryptographic techniques to verify that a person is who they say they are. Their private key was issued by a CA after verifying they are who they say (although these standards may have been lax in recent years). Obtaining a certificate from a CA costs thousands of dollars a year, so you will often run into self-signed certificates, where the site author creates their own certificates instead of purchasing one from a CA. Because of this, you will get a warning about the certificate not being verified. I'll even get this warning when I connect to my Linksys router's config via https.

Another technique is a web of trust. Sometimes there will even be web of trust parties where people get together to exchange their public keys. After showing a driver's license to prove you are who you say you are, you exchange public keys with the people present. By widely distributing your public key (which is based on your public key) it would be less likely that someone could pretend to be you on the web.

If you install a package from one site that has public keys for itself and of others, and another package from another site that has most or all of these keys, and they agree, that adds integrity to the keys even though they were self-signed. Especially from man-in-the-middle attacks, because such an attack can't cover the scope and time frame of the keys.

---

Yes, SuSE 11 has both kde 3.5 and kde 4.0. You can decide which one (or both) to install. The packages and libraries of the two are segregated so you can run 3.5 and have a program written for 4.0 installed and running in 3.5. I have KDE 4 on my desktop and KDE 3.5 on my laptop. Both are running SuSE 11. When you log in, you can choose which desktop to use. KDE 3.5 and KDE 4.0 have different entries.

