On Tue, 26 Oct 2004, Douglas Furlong wrote:
On Tue, 2004-10-26 at 15:13 +0200, nodata wrote:
Then perhaps rawhide should be signed with a separate key that signs the packages without a live body.
+1
If this is done then it severely reduces the relevance of having them signed in the first place.
no it doesn't (see note below)
My understanding is that, when a package is "signed" by redhat, a human steps up to the plate, does certain verifications, then puts in the pass phrase, and hey presto you have a signed package.
Your suggestion automates the whole process, and drastically reduces the security model.
It will be much better than the current model of no signatures.
And 'rawhide-gpg-key' could mean 'rpm built on redhat-beehive' - and nothing more. It shouldn't have to mean beehive not hacked & 'rawhide-gpg-key' is not stolen.
Also, I'm not sure how the human intervention guarantees that the key/passphrases aren't stolen. The only way I can think of is hardware-encryption (aka palladium?) where keys can never be copied/stolen (in which case passphrases are not necessary).
And as a user - I should be able to query rpm db with:
list all packages currently installed that are signed with the key 'rawhide-gpg-key'
Satish
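As an added example (not code from the thread or from any of its participants), this is one way to answer the query Satish asks for: print each installed package with its signature header via rpm's --qf, then keep only the packages whose signature carries a given key id. The key ids and package lines in SAMPLE are constructed for illustration; the rpm query itself needs rpm on the host.

```shell
#!/bin/sh
# Query format: NVR followed by the signature, trying each signature tag
# that different rpm versions populate and printing "(none)" if unsigned.
QF='%{NAME}-%{VERSION}-%{RELEASE} %|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|\n'

# Emit one "NVR  signature" line per installed package (requires rpm).
query_installed() {
    rpm -qa --qf "$QF"
}

# Read "NVR  signature" lines on stdin and print the NVRs whose
# "Key ID <hex>" ends with the key id given as $1 (8 or 16 hex digits,
# case-insensitive). Unsigned packages ("(none)") never match.
signed_by() {
    key=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    awk -v key="$key" '
        {
            sig = tolower($0)
            if (match(sig, /key id [0-9a-f]+/)) {
                id = substr(sig, RSTART + 7, RLENGTH - 7)
                if (length(key) <= length(id) &&
                    substr(id, length(id) - length(key) + 1) == key)
                    print $1
            }
        }'
}

# Constructed sample of what query_installed prints, used so the filter
# can be exercised without rpm; key ids here are made up.
SAMPLE='foo-1.0-1 RSA/SHA1, Tue Oct 26 2004, Key ID 0123456789abcdef
bar-2.3-4 (none)
baz-0.1-2 DSA/SHA1, Mon Oct 25 2004, Key ID fedcba9876543210'

# Packages signed with the (constructed) "rawhide" key, short-id form.
printf '%s\n' "$SAMPLE" | signed_by 89abcdef
```

On a real host the pipeline is `query_installed | signed_by <keyid>`, where the key id is the one `rpm -q gpg-pubkey` reports for the key in question.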