[Mageia-dev] PGP keys and package signing

Olivier Thauvin nanardon at nanardon.zarb.org
Tue Feb 1 12:52:31 CET 2011


* David Sjölin (david.sjolin at gmail.com) wrote:
> Hello!
> 
> I know this is probably a stupid question, but if you don't ask you
> won't learn so.
> 
> What is this signing? I assume we won't encrypt the entire
> distribution? Is it some sort of way of saying that a package is
> "Approved by Mageia" so the package manager can warn about non
> approved packages?

Signing an rpm is computing a checksum of the rpm file using a gpg key
(the private one) and adding this checksum inside the rpm.

I am deliberately skipping the technical details of this process; in fact
the whole rpm is not signed, as the signature is added to it (the checksum
itself cannot be signed). But rpm manages this.

When the rpm is signed you can find the key used (here Mandriva's gnupg key):
[olivier at localhost ~]$ rpm -q rpm --qf %{SIGGPG:pgpsig}
DSA/SHA1, mar. 14 déc. 2010 17:05:12 CET, Key ID dd684d7a26752624

Then with the gnupg key (the public one this time) you can check that the
rpm has not been corrupted or modified and really comes from the supposed
vendor.

The key to this security is of course not having the gnupg private key
stolen; otherwise anybody could sign rpms as if he were you.

Urpmi checks the key for you when it downloads rpms from a mirror.

Best regards.

-- 

Olivier Thauvin
CNRS  -  LATMOS
♖ ♘ ♗ ♕ ♔ ♗ ♘ ♖
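The layout Olivier describes (a signed checksum stored inside the package, where the signature covers everything except the signature section itself) as an added toy model; this is not code from the post, from rpm or from urpmi. The package format (a MAGIC string, a length-prefixed signature section, then the body), the header and payload bytes, and the use of textbook RSA with runtime-generated keys as a stand-in for gpg are all assumptions made here for illustration; the RSA has no padding and must not be taken as a secure signature scheme.

```python
"""Toy model of a signed package: signature section + signed body.

Added example, not rpm's own format or code. Layout (assumption):
MAGIC | 4-byte sig length | signature | body (header + payload).
The signature is RSA(SHA-256(body)) with a toy, unpadded RSA key
generated below, standing in for the vendor's gpg key.
"""
import hashlib
import secrets
import struct

MAGIC = b"TOYRPM\x00"  # constructed magic, not the real rpm lead


def _is_probable_prime(n: int, rounds: int = 40) -> bool:
    """Miller-Rabin test, enough for a toy key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)): toy RSA, stand-in for a gpg key pair."""
    e = 65537
    while True:
        p, q = _gen_prime(bits // 2), _gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    return (p * q, e), (p * q, pow(e, -1, phi))


def _digest(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big")


def sign_body(body: bytes, priv) -> bytes:
    """Private key operation: what only the vendor can do."""
    n, d = priv
    return pow(_digest(body), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify_body(body: bytes, sig: bytes, pub) -> bool:
    """Public key operation: what every client can do."""
    n, e = pub
    s = int.from_bytes(sig, "big")
    return 0 < s < n and pow(s, e, n) == _digest(body)


def build_package(header: bytes, payload: bytes, priv) -> bytes:
    """Sign the body only, then prepend the signature section."""
    body = header + payload
    sig = sign_body(body, priv)
    return MAGIC + struct.pack(">I", len(sig)) + sig + body


def split_package(pkg: bytes):
    """Return (signature, body); ValueError on a malformed file."""
    if not pkg.startswith(MAGIC):
        raise ValueError("bad magic")
    off = len(MAGIC)
    (sig_len,) = struct.unpack(">I", pkg[off:off + 4])
    off += 4
    sig = pkg[off:off + sig_len]
    if len(sig) != sig_len:
        raise ValueError("truncated signature section")
    return sig, pkg[off + sig_len:]


def check_signature(pkg: bytes, pub) -> bool:
    """Client-side check: rehash the body, verify against the vendor key."""
    try:
        sig, body = split_package(pkg)
    except ValueError:
        return False
    return verify_body(body, sig, pub)


def demo() -> dict:
    vendor_pub, vendor_priv = generate_keypair()
    other_pub, _ = generate_keypair()
    header = b"Name: rpm\nVersion: 4.8\n"  # constructed header
    payload = b"binary payload bytes"       # constructed payload
    pkg = build_package(header, payload, vendor_priv)
    tampered = pkg[:-1] + bytes([pkg[-1] ^ 0x01])  # flip one payload bit
    return {
        "genuine": check_signature(pkg, vendor_pub),
        "tampered_payload": check_signature(tampered, vendor_pub),
        "wrong_vendor_key": check_signature(pkg, other_pub),
        # a stolen private key signs anything the thief likes
        "stolen_key_resigned": check_signature(
            build_package(header, b"backdoor", vendor_priv), vendor_pub),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The last case in `demo()` is the point of the "private key stolen" paragraph: the check passes for a re-signed package because the signature is valid, so verification proves origin only as long as the private key stays private. On a real system the client-side step is `rpm --checksig <file>.rpm` (short form `rpm -K`) against keys imported with `rpm --import <keyfile>` and listed with `rpm -qa gpg-pubkey*`.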