Steve Scrimpshire Posted February 22, 2005 (edited)

urpmi is supposed to import these pubkeys automatically, I think, but it hasn't done it in a while. You'll need gnupg installed for this.

In the media_info directory of your favorite mirror are the public keys. Here's an example:

ftp://ftp.club-internet.fr/pub/linux/Mand...dia/media_info/

contains:

pubkey_contrib
pubkey_jpackage
pubkey_main

Download those. Ex:

wget ftp://ftp.club-internet.fr/pub/linux/Mandrakelinux/official/10.1/i586/media/media_info/pubkey_main

Import it with gpg. Ex:

gpg --import pubkey_main

For plf-free and plf-nonfree, they are in a slightly different place and are called simply pubkey, so be careful when you download and import those. My mirror:

ftp://ftp.club-internet.fr/pub/linux/plf/...ree/10.1/pubkey
ftp://ftp.club-internet.fr/pub/linux/plf/...ree/10.1/pubkey

So, for those, I do, as root in a console:

wget ftp://ftp.club-internet.fr/pub/linux/plf/...ree/10.1/pubkey && gpg --import pubkey && rm -f pubkey && wget ftp://ftp.club-internet.fr/pub/linux/plf/...ree/10.1/pubkey && gpg --import pubkey && rm -f pubkey

Find out what each keyid is:

gpg --list-keys

/root/.gnupg/pubring.gpg
------------------------
<<snip>>
pub 1024D/70771FF3 2002-03-13 Mandrake Linux <mandrake@mandrakesoft.com>
sub 1024g/75223F49 2002-03-13
<<snip>>

Add that to your /etc/urpmi/urpmi.cfg file in the appropriate section:

main ftp://ftp.club-internet.fr/pub/linux/Mand...i586/media/main {
  hdlist: hdlist.main.cz
  key-ids: 70771ff3
  with_hdlist: ./hdlist.cz
}

In this case, they are not case-sensitive. Run:

urpmi.update -a

aru once posted a way to do this a little easier with lynx or links (I forget which one), but I could not find it, so aru, if you read this, please fill us in. :D

Edited February 17, 2006 by Steve Scrimpshire
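As an added example that is not from the original post: a POSIX shell helper that pulls the short key ids out of a gpg --list-keys listing (the listing below is a constructed sample in the format shown above, not a real keyring) and renders the matching urpmi.cfg stanza, so the key-ids: line is generated from the listing instead of retyped by hand. The medium name, URL and hdlist values passed to render_stanza are placeholders.

```shell
#!/bin/sh
# Constructed sample of `gpg --list-keys` output in the layout the thread shows.
# The second key is an invented placeholder entry, not a real signing key.
SAMPLE_LISTING='/root/.gnupg/pubring.gpg
------------------------
pub   1024D/70771FF3 2002-03-13 Mandrake Linux <mandrake@mandrakesoft.com>
sub   1024g/75223F49 2002-03-13
pub   1024D/DEADBEEF 2004-02-01 Example Repository Signer <signer@example.org>
sub   1024g/0A1B2C3D 2004-02-01
'

# Print the short key id of every primary ("pub") key, lowercased as in the
# urpmi.cfg example above. Subkeys ("sub") are skipped: urpmi checks package
# signatures against the primary key id.
extract_keyids() {
    printf '%s\n' "$1" | awk '$1 == "pub" { split($2, f, "/"); print tolower(f[2]) }'
}

# Print only the key id whose user id contains the given owner string, so a
# stanza lists the key of that medium's actual signer and nothing else.
keyid_for_owner() {
    printf '%s\n' "$1" | awk -v owner="$2" \
        '$1 == "pub" && index($0, owner) { split($2, f, "/"); print tolower(f[2]); exit }'
}

# Render one urpmi.cfg media stanza: name, URL, hdlist file and key-ids value.
render_stanza() {
    name="$1"; url="$2"; hdlist="$3"; keyids="$4"
    printf '%s %s {\n  hdlist: %s\n  key-ids: %s\n  with_hdlist: ./hdlist.cz\n}\n' \
        "$name" "$url" "$hdlist" "$keyids"
}

# Usage: build the "main" stanza with the Mandrake key id from the listing.
MAIN_KEY=$(keyid_for_owner "$SAMPLE_LISTING" "mandrake@mandrakesoft.com")
render_stanza main "ftp://mirror.example/media/main" hdlist.main.cz "$MAIN_KEY"
```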
Gowator Posted February 22, 2005

Invalid keys are more than an annoyance. They are there for your safety, to make sure no one compromised the RPMs, and they also check the download. It's all too easy to ignore this, but when Steve has made it so clear there shouldn't be any excuses anymore :D
aRTee Posted February 23, 2005

Yes, I concur with Gowator. The point of the keys is to ensure that the person mentioned in the package as the builder is indeed the builder.

Look at it from another perspective: there's a bunch of people running this security-sane OS, so how do you get any malware in there? Easy: hack the source of their software. (BTW, this has been done a couple of times so far; the last times it was the GNU and GNOME servers.) Then replace the packages with rebuilt versions that contain trojans that may do who knows what.

So, each package is signed, and with the public-private key mechanism there's a way to check, with the public part of the key, that the signature (including a checksum) is indeed done with the private part of that key. Of course, anyone hacking an FTP server and inserting trojans into rpms will also replace the public key with the one he has. Now the trick: normally you set up urpmi repositories and get the key at some other date than when you install packages. This means: if you have already got the key, your system will know that the packages are not correctly signed. Of course, this implies that a break-in will not go undetected and uncorrected. Since the servers are set up with syncing, and they are well managed, this is not a big point. Come to think about it, ideally one would use the public keys from a whole different FTP server than where one gets the packages.

Anyway, this kind of trojan insertion is not yet happening at a large scale, and as far as I know has not happened to any Linux distribution, but better safe than sorry. Compare all this to other operating systems, where users generally and regularly download stuff they find somewhere (anywhere) on the web and just execute it; I fail to see the logic behind the argument: "if Linux gets more popular it will be plagued in the same way as other more popular OSes currently are"....
Steve Scrimpshire Posted February 25, 2005 (Author)

Theoretically, you should also be able to (if contrib, jpackage and main are all on the same server for you) do:

urpmi.addmedia --distrib --probe-hdlist <<your server>>

and it should add all three and import the keys for you.
tyme Posted February 25, 2005

I remember seeing a tool in Mandrake Control Center for managing keys, though I don't remember its abilities.
Steve Scrimpshire Posted February 25, 2005 (Author)

That manages keys, yes, but you have to have already imported them, which regular old

urpmi.addmedia name http://blahblah with ./hdlist.cz

doesn't seem to do anymore.

urpmi.addmedia --distrib --probe-hdlist http://blahblah

does import them, it seems, but I have not tested

urpmi.addmedia --probe-hdlist name http://blahblah