
Getting rid of annoying invalid signature errors


Steve Scrimpshire

urpmi is supposed to import these pubkeys automatically, I think, but it hasn't done it in a while. You'll need gnupg installed for this. In the media_info directory of your favorite mirror are the public keys. Here's an example:


ftp://ftp.club-internet.fr/pub/linux/Mand...dia/media_info/

contains:

pubkey_contrib
pubkey_jpackage
pubkey_main

 

Download those. Ex:

wget ftp://ftp.club-internet.fr/pub/linux/Mandrakelinux/official/10.1/i586/media/media_info/pubkey_main

 

Import it with gpg. Ex:

gpg --import pubkey_main

 

For plf-free and plf-nonfree, they are in a slightly different place and are called simply pubkey, so be careful when you download and import those. My mirror:

ftp://ftp.club-internet.fr/pub/linux/plf/...ree/10.1/pubkey

ftp://ftp.club-internet.fr/pub/linux/plf/...ree/10.1/pubkey

 

So, for those, I do, as root in a console:

wget ftp://ftp.club-internet.fr/pub/linux/plf/...ree/10.1/pubkey && gpg --import pubkey && rm -f pubkey && wget ftp://ftp.club-internet.fr/pub/linux/plf/...ree/10.1/pubkey && gpg --import pubkey && rm -f pubkey

 

Find out what each key ID is:

gpg --list-keys

> gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
<<snip>>
pub 1024D/70771FF3 2002-03-13 Mandrake Linux <mandrake@mandrakesoft.com>
sub 1024g/75223F49 2002-03-13
<<snip>>

 

Add that to your /etc/urpmi/urpmi.cfg file in the appropriate section:

main ftp://ftp.club-internet.fr/pub/linux/Mand...i586/media/main {
  hdlist: hdlist.main.cz
  key-ids: 70771ff3
  with_hdlist: ./hdlist.cz
}

 

In this case, the key IDs are not case-sensitive.

Run:

urpmi.update -a

 

aru once posted a way to do this a little easier with lynx or links (I forget which one), but I could not find it, so aru, if you read this, please fill us in. :D

Edited by Steve Scrimpshire
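As an added example (not from the post above), a POSIX sh script that pulls the short key ID out of gpg --list-keys output and sets the key-ids line in the matching urpmi.cfg section, so the key ID does not have to be retyped by hand. The gpg listing, the config text and the mirror.invalid URLs are constructed samples; it assumes the old 8-hex-digit key ID layout shown in the post.

```shell
#!/bin/sh
# Added example (not from the thread): pull the short key id out of
# `gpg --list-keys` output and set "key-ids:" in the matching urpmi.cfg
# section. Inputs below are constructed samples; the mirror URL is fake.

# Constructed `gpg --list-keys` output in the old 1024D/XXXXXXXX layout.
GPG_LIST='/root/.gnupg/pubring.gpg
------------------------
pub   1024D/70771FF3 2002-03-13 Mandrake Linux <mandrake@mandrakesoft.com>
sub   1024g/75223F49 2002-03-13
'

# Constructed urpmi.cfg: "main" has no key-ids yet, "contrib" must stay untouched.
URPMI_CFG='main ftp://mirror.invalid/media/main {
  hdlist: hdlist.main.cz
  with_hdlist: ./hdlist.cz
}
contrib ftp://mirror.invalid/media/contrib {
  hdlist: hdlist.contrib.cz
  with_hdlist: ./hdlist.cz
}
'

# keyid_for_uid LISTING UID_TEXT: print the lowercase short key id of the
# first "pub" line whose user id contains UID_TEXT; print nothing if absent.
keyid_for_uid() {
  printf '%s' "$1" | awk -v uid="$2" '
    $1 == "pub" && index($0, uid) { split($2, a, "/"); print tolower(a[2]); exit }'
}

# add_keyid CFG MEDIA KEYID: print CFG with "key-ids: KEYID" set in the MEDIA
# section, replacing any existing key-ids line there; other sections unchanged.
add_keyid() {
  printf '%s' "$1" | awk -v media="$2" -v kid="$3" '
    /\{$/ { insec = ($1 == media); print; if (insec) print "  key-ids: " kid; next }
    /^\}/ { insec = 0 }
    insec && /^[ \t]*key-ids:/ { next }
    { print }'
}

# Stand-alone run: resolve the Mandrake key id and show the updated config.
KID=$(keyid_for_uid "$GPG_LIST" mandrake@mandrakesoft.com)
add_keyid "$URPMI_CFG" main "$KID"
```

Running add_keyid a second time with the same key ID leaves the file unchanged, so it is safe to re-run after re-importing a key.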

Yes, I concur with Gowator.

 

The point of the keys is to ensure that the person mentioned in the package as the builder is indeed the builder.

 

Look at it from another perspective: there's a bunch of people running this security-sane OS, so how to get any malware in there?

 

Easy: hack the source of their software. (BTW this has been done a couple of times so far; the last times it was the GNU and GNOME servers.)

Then replace the packages with rebuilt versions that contain trojans that may do who knows what.

 

So, each package is signed, and with the public-private key mechanism there's a way to check, with the public part of the key, that the signature (including a checksum) is indeed done with the private part of that key.

 

 

Of course, anyone hacking an FTP server and inserting trojans into rpms will also replace the public key with the one he has.

 

Now the trick: normally you set up urpmi repositories and get the key at some other date than you install packages. This means: if you have already got the key, your system will know that the packages are not correctly signed.

 

Of course, this implies that a break-in will not go undetected and uncorrected. Since the servers are set up with syncing, and they are well managed, this is not a big point.

 

Come to think about it, ideally, one would use the public keys from a whole different FTP server than where one gets the packages.

 

Anyway, this kind of trojan insertion is not yet happening at a large scale, and as far as I know has not happened to any Linux distribution, but better safe than sorry.

 

 

Compare all this to other operating systems, where users generally and regularly download stuff they find somewhere (anywhere) on the web and just execute it, and I fail to see the logic behind the argument: "if Linux gets more popular it will be plagued in the same way as other more popular OSes currently are"....


Theoretically, you should also be able to (if contrib, jpackage, main are all on the same server for you) do:

 

urpmi.addmedia --distrib --probe-hdlist <<your server>>

 

and it should add all three and import the keys for you.


That manages keys, yes, but you have to have already imported them, which regular old

urpmi.addmedia name http://blahblah with ./hdlist.cz

doesn't seem to do anymore.

urpmi.addmedia --distrib --probe-hdlist http://blahblah

does import them, it seems, but I have not tested

urpmi.addmedia --probe-hdlist name http://blahblah

