On Tue, Apr 20, 2004 at 08:42:09AM -0400, Jay Daniels wrote:
> A simple script to import keys.
>
> $ cat import-keys.sh
> #!/bin/sh
>
> # refuse to run unless we are root (id -u is portable; $UID is bash-only)
> if [ "$(id -u)" != 0 ]; then
>     echo "Error: become root before starting $0" >&2
>     exit 100
> fi
>
> rpm --import http://fedora.redhat.com/about/security/30C9ECF8.txt
> rpm --import http://www.fedora.us/FEDORA-GPG-KEY
> rpm --import http://freshrpms.net/packages/RPM-GPG-KEY.txt
> rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
> rpm --import http://atrpms.physik.fu-berlin.de/RPM-GPG-KEY.atrpms
> rpm --import http://newrpms.sunsite.dk/gpg-pubkey-newrpms.txt
> rpm --import http://www.jpackage.org/jpackage.asc
>
> exit 0
> #EOF
>
> Are there any more major repositories that could be added?

It depends on what you consider major, I guess ;) But here are some more:

http://ccrma.stanford.edu/planetccrma/apt/configuration/all/RPM-GPG-KEY.planetccrma.txt
http://apt.bea.ki.se/biorpms/RPM-GPG-KEY.biorpms

They can be found under /usr/share/atrpms, iff you have atrpms installed.
The script I sometimes use is:

for key in \
    gpg-pubkey-db42a60e-37ea5438,RPM-GPG-KEY.redhat \
    gpg-pubkey-66534c2b-3e60b428,RPM-GPG-KEY.atrpms \
    gpg-pubkey-e42d547b-3960bdf1,RPM-GPG-KEY.freshrpms \
    gpg-pubkey-b8693f2c-3f48c249,RPM-GPG-KEY.newrpms \
    gpg-pubkey-6b8d79e6-3f49313d,RPM-GPG-KEY.dag \
    gpg-pubkey-bbf04688-4018dbeb,RPM-GPG-KEY.biorpms \
    gpg-pubkey-68d9802a-406db022,RPM-GPG-KEY.ccrma \
    gpg-pubkey-4f2a6fd2-3f9d9d3b,RPM-GPG-KEY.redhat-fedora \
; do
    # remove every copy of this key already in the rpmdb; ignore failure if none
    rpm -e --allmatches `echo $key | awk -F, '{print $1}'` > /dev/null 2>&1 || :
    # then import the single known copy shipped in the atrpms package
    rpm --import /usr/share/atrpms/`echo $key | awk -F, '{print $2}'`
done

It was even part of atrpms %post scriptlet, but there were rumors of rpm
corruption if using rpm --import within rpm scripts, so I disabled it.

> Is there any way to use rpm to check if the key is already imported?
> Perhaps an IF statement by checking the key id with gpg, 0x1CDDBCA9 or
> some way to validate the key matches the certain key id's.

See above, just throw all copies of the same key out before installing
them, so you can be sure to only have one copy.

> Importing from a keyserver may be more secure than importing from
> a URL?

No, not really, anyone could place a key onto a keyserver. And to be
honest, as long as there is no web of trust (and there is none), the
whole gpg signing is faking security feeling. Or do you really know that
the keys/ids above belong to the repos? How do you know that w/o a chain
of trust?

But it's OK to have packagers used to signing, so we get the web of
trust in a couple of years ;)

> Since the file checksum is checked anyway, is gpg even necessary?

gpg is also telling you something about the key owner, i.e. you know
that the package was signed by someone with that key id, and that
signatures cannot be easily tampered with, so the package has still the
state of the signing time. So, if you were to trust that id, you could
trust the contents. But see above about the non-existing trust
mechanisms (which is a general problem with crypto signing, it is not
restricted to rpm or package signing).
-- 
Axel.Thimm at ATrpms.net
Attachment:
pgp1mFYuFIjEW.pgp
Description: PGP signature
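One way to answer the "is the key already imported?" question with rpm, and to address the "do you know the key belongs to the repo?" point by pinning each key to a fingerprint checked through some other channel, as an added example that is not code from this thread or from atrpms. It assumes the gpg 1.x style `gpg --with-colons --with-fingerprint FILE` listing; the key file, key id and fingerprint you pass in are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): import a repository key only when its
# fingerprint matches one pinned out-of-band, and skip keys rpm already holds.
# Any fingerprint you pass in is a PLACEHOLDER until verified via a trusted channel.

# key_installed KEYID: reads `rpm -q gpg-pubkey` output on stdin and succeeds
# if a gpg-pubkey package with the 8-hex-digit KEYID is present.
key_installed() {
    grep -qi "^gpg-pubkey-$1-"
}

# fingerprint_of FILE: print the primary key fingerprint of an armored key file
# (assumes the gpg 1.x listing syntax; rpm itself does not expose this).
fingerprint_of() {
    gpg --with-colons --with-fingerprint "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }'
}

# fingerprint_matches ACTUAL EXPECTED: succeed if equal, ignoring case and
# spaces; an empty ACTUAL (unreadable key file) never matches.
fingerprint_matches() {
    a=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    e=$(printf '%s' "$2" | tr -d ' ' | tr 'a-f' 'A-F')
    [ -n "$a" ] && [ "$a" = "$e" ]
}

# import_key FILE KEYID EXPECTED_FPR: guarded replacement for a bare
# `rpm --import FILE`; imports nothing and returns 1 on a fingerprint mismatch.
import_key() {
    if rpm -q gpg-pubkey 2>/dev/null | key_installed "$2"; then
        echo "key $2 already imported, skipping $1"
        return 0
    fi
    fpr=$(fingerprint_of "$1")
    if ! fingerprint_matches "$fpr" "$3"; then
        echo "refusing to import $1: fingerprint '$fpr' != pinned '$3'" >&2
        return 1
    fi
    rpm --import "$1"
}

# Usage: ./check-import.sh RPM-GPG-KEY.example 01234567 'PINNED FINGERPRINT'
if [ $# -eq 3 ]; then
    import_key "$@"
fi
```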