script to import keys

Axel Thimm Axel.Thimm at ATrpms.net
Tue Apr 20 15:41:46 UTC 2004


On Tue, Apr 20, 2004 at 08:42:09AM -0400, Jay Daniels wrote:
> A simple script to import keys.
> 
> $ cat import-keys.sh
> #!/bin/sh
>  
> # $UID is a bash variable, not a /bin/sh one; id -u works in both
> if [ "$(id -u)" -ne 0 ]; then
>  echo "Error: become root before starting $0" >&2
>  exit 100
> fi
> 
> rpm --import http://fedora.redhat.com/about/security/30C9ECF8.txt
> rpm --import http://www.fedora.us/FEDORA-GPG-KEY
> rpm --import http://freshrpms.net/packages/RPM-GPG-KEY.txt
> rpm --import http://dag.wieers.com/packages/RPM-GPG-KEY.dag.txt
> rpm --import http://atrpms.physik.fu-berlin.de/RPM-GPG-KEY.atrpms
> rpm --import http://newrpms.sunsite.dk/gpg-pubkey-newrpms.txt
> rpm --import http://www.jpackage.org/jpackage.asc
>  
> exit 0
> #EOF
> 
> Are there any more major repositories that could be added?

It depends on what you consider major, I guess ;)
But here are some more:

http://ccrma.stanford.edu/planetccrma/apt/configuration/all/RPM-GPG-KEY.planetccrma.txt
http://apt.bea.ki.se/biorpms/RPM-GPG-KEY.biorpms

They can be found under /usr/share/atrpms, iff you have atrpms
installed. The script I sometimes use is:

  # each entry is <rpm gpg-pubkey package name>,<key file under /usr/share/atrpms>
  for key in \
    gpg-pubkey-db42a60e-37ea5438,RPM-GPG-KEY.redhat \
    gpg-pubkey-66534c2b-3e60b428,RPM-GPG-KEY.atrpms \
    gpg-pubkey-e42d547b-3960bdf1,RPM-GPG-KEY.freshrpms \
    gpg-pubkey-b8693f2c-3f48c249,RPM-GPG-KEY.newrpms \
    gpg-pubkey-6b8d79e6-3f49313d,RPM-GPG-KEY.dag \
    gpg-pubkey-bbf04688-4018dbeb,RPM-GPG-KEY.biorpms \
    gpg-pubkey-68d9802a-406db022,RPM-GPG-KEY.ccrma \
    gpg-pubkey-4f2a6fd2-3f9d9d3b,RPM-GPG-KEY.redhat-fedora \
  ; do
    pkg=${key%,*}
    file=${key#*,}
    # remove every installed copy of this key first, then import exactly one
    rpm -e --allmatches "$pkg" > /dev/null 2>&1 || :
    rpm --import "/usr/share/atrpms/$file"
  done

It was even part of the atrpms %post scriptlet, but there were rumors of
rpm corruption if using rpm --import within rpm scripts, so I disabled
it.

> Is there any way to use rpm to check if the key is already imported?
> Perhaps an IF statement by checking the key id with gpg, 0x1CDDBCA9 or
> some way to validate the key matches the certain key id's.

See above, just throw all copies of the same key out before installing
them, so you can be sure to only have one copy.

> Importing from a keyserver may be more secure than importing from
> a URL?

No, not really, anyone could place a key onto a keyserver, and to be
honest, as long as there is no web of trust (and there is none), the
whole gpg signing is faking a security feeling.

Or do you really know that the keys/ids above belong to the repos? How
do you know that w/o a chain of trust?

But it's OK to have packagers used to signing, so we get the web of
trust in a couple of years ;)

> Since the file checksum is checked anyway, is gpg even necessary?

gpg is also telling you something about the key owner, i.e. you know
that the package was signed by someone with that key id, and that
signatures cannot be easily tampered with, so the package has still
the state of the signing time.

So, if you were to trust that id, you could trust the contents. But
see above about the non-existing trust mechanisms (which is a general
problem with crypto signing, it is not restricted to rpm or package
signing).
-- 
Axel.Thimm at ATrpms.net
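The "is the key already imported, and is it the key id I expect" check Jay asked about, as an added example that is not part of this thread. It assumes that rpm names imported keys gpg-pubkey-<8 hex id>-<8 hex timestamp> (as in the list above) and that `gpg --with-colons <keyfile>` prints a `pub:` line whose fifth field is the 16-digit key id; the sample package names and listing line in the comments are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Decide whether an RPM GPG key file
# still needs importing, and only import it when its key id matches an id you
# already trust from out of band (so a swapped key file at a URL is refused).

# rpm's short form: the last 8 hex digits of a key id, lower-cased.
short_id() {
    printf '%s' "$1" | tr 'A-F' 'a-f' | sed 's/.*\(.\{8\}\)$/\1/'
}

# Key id from `gpg --with-colons` output (assumed invocation): field 5 of the
# first "pub:" line, e.g. "pub:-:1024:17:219180CDDB42A60E:..." (constructed).
keyid_from_listing() {
    printf '%s\n' "$1" | awk -F: '$1=="pub"{print $5; exit}'
}

# Count copies of KEYID in INSTALLED (the `rpm -q gpg-pubkey` output, one
# package name per line). Duplicates pile up if a key is imported twice.
key_copies() {
    printf '%s\n' "$1" | grep -c "^gpg-pubkey-$(short_id "$2")-[0-9a-f]\{8\}\$" || true
}

# Pure decision, testable without rpm: skip / reimport (after clearing the
# duplicates with rpm -e --allmatches, as in the loop above) / import.
key_action() {
    n=$(key_copies "$1" "$2")
    if [ "$n" -eq 1 ]; then echo skip
    elif [ "$n" -gt 1 ]; then echo reimport
    else echo import; fi
}

# Apply the decision with the real tools; needs root like the original script.
ensure_key() {
    keyfile=$1
    expected=$2   # key id you verified out of band, e.g. db42a60e
    listing=$(gpg --with-colons "$keyfile") || return 1
    actual=$(short_id "$(keyid_from_listing "$listing")")
    if [ "$actual" != "$(short_id "$expected")" ]; then
        echo "refusing $keyfile: key id $actual, expected $expected" >&2
        return 2
    fi
    installed=$(rpm -q gpg-pubkey) || installed=""
    case $(key_action "$installed" "$actual") in
        skip) ;;
        reimport) rpm -e --allmatches "gpg-pubkey-$actual" >/dev/null 2>&1
                  rpm --import "$keyfile" ;;
        import) rpm --import "$keyfile" ;;
    esac
}

if [ "$#" -eq 2 ]; then ensure_key "$1" "$2"; fi
```

Run as `sh ensure-key.sh RPM-GPG-KEY.redhat db42a60e`; the id you pass is the trust anchor, so it has to come from somewhere other than the download itself.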