On Thu, May 25, 2006 at 05:18:06PM +0200, Pascal Bleser wrote:
> Trying to add signatures to my (yast2) RPM repository for 10.1.
>
> http://en.opensuse.org/Secure_Installation_Sources
>
> A couple of unclear things in there I'd like to poke on.
>
> =========
>
> "When YaST detects an installation source it checks if the file
> "products" is there, and then checks if it is signed with a known key.
> If it is not signed at all or with an unknown key, or if the key is on
> the media, but not trusted (yet), the user will be asked what to do."
>
> "The key is usually also on the installation media as
> /gpg-pubkey-9c800aca-40d8063e.asc"
>
> What it doesn't say clearly is where/how YaST2 will try to fetch the
> armored/exported key in order to propose importing it.
> I assume it uses whatever is defined in "content" using the "KEY" tag
> (see below). Correct ?

For /content it is /content.key. For repomd.xml it is /repomd.xml.key.
Not sure for SUSE old-style sources. I would have to check the source ;)

> =========
>
> "The "content" file is signed in the same manner as the "products" file,
> so there is a "content.key" (usually, but not necessarily the same as
> "products.key")."
>
> Those "content.key"/"products.key" files are not mentioned anywhere else.
> Are those copies of the ASCII-armored, exported GPG key ?

Yes. ASCII Armor is not necessary.

> =========
>
> "META keys are added for all files in the directory named in the key
> DESCRDIR"
>
> So in "content" I should have something like:
> ...
> DESCRDIR setup/descr
> KEY SHA1 33ad20fe228350dc4e0f0cd7967460c31266af36 gpg-pubkey-guru.asc
> META SHA1 4baafd9998ea4e20245f82e507c6db6b723f4597 packages
> META SHA1 965ba5faeea815d41ba308ffd193b78505b26c1c directory.yast
> META SHA1 4565f769ae573f89dddbf2eef1357b59a88ad1df packages.DU
> META SHA1 c53400cdb9e16ac0d9add587585fc77c86f132c5 packages.en
>
> Correct ?

Yes.

> =========
>
> "Before YaST uses any file from DESCRDIR it will look up the entry in
> "content". This entry is currently a SHA1 checksum followed by the
> package name. This may change to a SHA256 checksum."
>
> A "package" name ? I suppose what is meant here is "file" name. Is it ?

A filename, yes.

> =========
>
> "The next step in the chain is the file "packages" in DESCRDIR.
> If you are familiar with its syntax you will see that we added a new tag
> there, too, right after the "Pkg:" tag. Here is an example of the first
> two lines of the entry for the default kernel:
> =Pkg: kernel-default 2.6.16 13 i586
> =Cks: SHA1 8c8eb2b605e1d626c22bea8dd0c3b05885432b16
> Again we have a SHA1 checksum."
>
> Maybe it should be mentioned that one must use create_package_descr from
> 10.1 or Factory (I only checked the one from autoyast2-2.13.59.tar.bz2)
>
> What about older versions ?
> If I use create_package_descr from 10.1/Factory, that adds those =Cks:
> tags into the "packages" file, can I also use it to generate "packages"
> for, say, 10.0/9.3/9.2/9.1 ?
> Or will YaST2 on 10.0 and older bark, saying that it does not know
> anything about the "=Cks:" tag ?

I don't know.

Ciao, Marcus
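An added checker for the chain the quoted wiki text describes (example code, not from the mail, from YaST or from create_package_descr): it parses the META lines of "content" and the =Pkg:/=Cks: pairs of "packages", then compares the listed digests with the bytes actually present in DESCRDIR and in the RPM. The repository below is constructed sample data, so its digests differ from those in the mail; the signature check on "content" itself is assumed to have passed already.

```python
import hashlib

def parse_content(text):
    """'content' file -> (DESCRDIR, {file: (algo, hexdigest)}) from META lines."""
    descrdir, meta = None, {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "DESCRDIR":
            descrdir = parts[1]
        elif len(parts) == 4 and parts[0] == "META":  # META SHA1 <hex> <file>
            meta[parts[3]] = (parts[1].lower(), parts[2].lower())
    return descrdir, meta

def parse_packages(text):
    """'packages' file -> {'name-ver-rel.arch': (algo, hexdigest)} from =Pkg:/=Cks: pairs."""
    cks, current = {}, None
    for line in text.splitlines():
        if line.startswith("=Pkg:"):
            name, ver, rel, arch = line.split()[1:5]
            current = f"{name}-{ver}-{rel}.{arch}"
        elif line.startswith("=Cks:") and current:
            algo, digest = line.split()[1:3]
            cks[current], current = (algo.lower(), digest.lower()), None
    return cks

def check(expected, blobs):
    """Verdict per file: ok / mismatch / missing; blobs without an entry are
    'unlisted', because YaST must not use a DESCRDIR file absent from 'content'."""
    verdicts = {}
    for name, (algo, digest) in expected.items():
        if name not in blobs:
            verdicts[name] = "missing"
        else:
            actual = hashlib.new(algo, blobs[name]).hexdigest()
            verdicts[name] = "ok" if actual == digest else "mismatch"
    for name in blobs.keys() - expected.keys():
        verdicts[name] = "unlisted"
    return verdicts

# Constructed sample repository: digests are computed here, not copied from the mail.
RPM = b"constructed stand-in for kernel-default-2.6.16-13.i586.rpm"
PACKAGES = (b"=Pkg: kernel-default 2.6.16 13 i586\n=Cks: SHA1 "
            + hashlib.sha1(RPM).hexdigest().encode() + b"\n")
PACKAGES_EN = b"=Pkg: kernel-default 2.6.16 13 i586\n=Sum: The standard kernel\n"
CONTENT = (f"DESCRDIR setup/descr\nMETA SHA1 {hashlib.sha1(PACKAGES).hexdigest()} packages\n"
           f"META SHA1 {hashlib.sha1(PACKAGES_EN).hexdigest()} packages.en\n")
# Simulated DESCRDIR: packages.en was tampered with and directory.yast is not listed in 'content'.
DESCR_FILES = {"packages": PACKAGES, "packages.en": PACKAGES_EN + b"tampered\n", "directory.yast": b"\n"}
DESCR_VERDICTS = check(parse_content(CONTENT)[1], DESCR_FILES)
RPM_VERDICTS = check(parse_packages(PACKAGES.decode()), {"kernel-default-2.6.16-13.i586": RPM})
```

Only a file whose verdict is "ok" at every link (content -> DESCRDIR file -> RPM) should be used; one "mismatch" or "unlisted" anywhere breaks the chain.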
