From 1be510f9529cb082f802408b472a77d074b394c0 Mon Sep 17 00:00:00 2001 From: Nicolas Vigier Date: Sun, 14 Apr 2013 13:46:12 +0000 Subject: Add zarb MLs html archives --- zarb-ml/mageia-dev/20110201/002411.html | 100 ++++++++++++++++++++++++++++++++ 1 file changed, 100 insertions(+) create mode 100644 zarb-ml/mageia-dev/20110201/002411.html (limited to 'zarb-ml/mageia-dev/20110201/002411.html') diff --git a/zarb-ml/mageia-dev/20110201/002411.html b/zarb-ml/mageia-dev/20110201/002411.html new file mode 100644 index 000000000..86bcd7f77 --- /dev/null +++ b/zarb-ml/mageia-dev/20110201/002411.html @@ -0,0 +1,100 @@ + + + + [Mageia-dev] PGP keys and package signing + + + + + + + + + +

[Mageia-dev] PGP keys and package signing

+ Olivier Thauvin + nanardon at nanardon.zarb.org +
+ Tue Feb 1 12:52:31 CET 2011 +

+
+ +
* David Sjölin (david.sjolin at gmail.com) wrote:
+> Hello!
+> 
+> I know this is probably a stupid question, but if you don't ask you
+> won't learn so.
+> 
+> What is this signing? I assume we won't encrypt the entire
+> distribution? Is it some sort of way of saying that a package is
+> "Approved by Mageia" so the package manager can warn about non
+> approved packages?
+
+Signing a rpm is performing a checksum of the rpm file using a gpg keys
+(the private one) and adding this checksum inside the rpm.
+
+I voluntary skip technical details about this process, in fact the whole
+rpm is not signed as the key is added to them (the checksum cannot be
+signed itself). But rpm manage this.
+
+When the rpm is signed you can find the keys used (here gnupg Mandriva):
+[olivier at localhost ~]$ rpm -q rpm --qf %{SIGGPG:pgpsig}
+DSA/SHA1, mar. 14 déc. 2010 17:05:12 CET, Key ID dd684d7a26752624
+
+Then with the gnupg key (the public one this time) you can check the rpm
+as not be corrupted or modified and really come from the supposed
+vendor.
+
+The key of this security is of course to not have the gnupg private key
+stolen, otherwise anybody could sign rpm like he was you.
+
+Urpmi checks the key for you when it download rpms from mirror.
+
+Best regards.
+
+-- 
+
+Olivier Thauvin
+CNRS  -  LATMOS
+♖ ♘ ♗ ♕ ♔ ♗ ♘ ♖
+-------------- next part --------------
+A non-text attachment was scrubbed...
+Name: not available
+Type: application/pgp-signature
+Size: 197 bytes
+Desc: not available
+URL: </pipermail/mageia-dev/attachments/20110201/c5fa1969/attachment.asc>
+
+ + +
+

+ +
+More information about the Mageia-dev +mailing list
+ -- cgit v1.2.1
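Review bot: the `URL:` line in the scrubbed-attachment block links to the absolute path `/pipermail/mageia-dev/attachments/20110201/c5fa1969/attachment.asc`, but this file is added under `zarb-ml/mageia-dev/20110201/`. Unless the new location is served so that `/pipermail/` still resolves, the link to the message's PGP signature will be dead. Either import the attachments tree alongside the HTML and rewrite the link relative to the new path, or drop the link and keep only the "scrubbed" notice.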