« Previous 1 2 3 4 Next »
Digital signatures in package management
Package Insurance
openSUSE
Each individual SUSE RPM package is signed with a GnuPG signature, which can be found in the metadata of the RPM package. Typically, SUSE distributions are created automatically in the Open Build Service [10], the public development platform operated by openSUSE. The GPL software of the system automatically signs all the packages and media that pass through it.
When asked, Ludwig Nussel, the release manager of openSUSE Leap, reported that a private signing host is connected to the build service via a separate cable; the private portion of the official key pair resides on this host. Only employees with special security clearance have access to the server room, not even release chief Nussel is allowed in. He assured us that nothing runs on this computer (not even an SSH server) except the signing service. Logins are possible only via a serial console.
SUSE Key as a Backup
In any openSUSE installation, the public parts of two keys are preinstalled in the content.key file: The openSUSE project signing key opensuse@opensuse.org
and the SUSE package signing key build@suse.de
. SUSE has so far seen no reason to renew the keys, but they do have an expiry date, which authorized persons regularly extend.
Should the private openSUSE key be compromised, the project would use the SUSE key to distribute an update that deletes the compromised keys and rolls out a new openSUSE project key. SUSE's private key is stored in a separate infrastructure, like that described above.
Project Weaves Chains of Trust
Multi-level security similar to the Debian project is founded on the keys in the repositories and on installation media [11]: The core of this structure is the content file, which reveals the directory containing the packages. The Open Build Service signs the file before it is delivered, and the signature ends up in the content.asc file. The content file references other files containing the file names of all packages. For each of these files, content provides the appropriate SHA256 checksum.
The content file also references files with other public keys, which Yast imports without complaint, because content already has a trusted signature. The keys are designed to help users check the signatures in the RPM packages. Next, Yast uses the matching packages.gz file, as designated by the content file. It contains all of the packages in the repository with their corresponding SHA1 checksums.
In this way, a chain of trust is built up as in Debian. Packages that cannot prove their origin at install time are rejected by Yast; rpm also notices attempted fraud, but it is more forgiving in its response (Figure 4).
Figure 4: The rpm tool on openSUSE Leap notices the dubious reputation of a package, but installs it nevertheless.
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Build system images with Kiwi
Configure, build, and deploy operating system images in a suitable format to facilitate and accelerate the installation of new systems. -
Flatpak, Snap, and AppImage
The Flatpak, Snap, and AppImage package formats work across distributions, but each has its specific disadvantages. -
Creating a private apt repository with reprepro
A private repository is useful if you want to distribute your own software packages to Debian and Ubuntu machines in a controlled manner. The reprepro tool makes it easy. -
Manipulation detection with AFICK
AFICK is a small, free tool that helps administrators detect attempts to manipulate documents and system files. -
Debian's quest for reproducible builds
Debian's reproducible builds project tries to meet strict security requirements for binary packages from its archives through the creation of bitwise identical binary packages.