Ticket #89029: OpenSuse GPG keys in DNS
Status: closed
Description
Hi.
I am working on enhancing GPG signature verification of RPM packages using GPG keys stored in DNS entries. I want to ask
you to store OpenSuse's GPG keys in its DNS zone.
This is likely something new to you, so I am providing you with some reading and background:
The last two are most relevant for what you need.
OpenSuse GPG keys are here:
https://build.opensuse.org/projects/openSUSE:Factory/public_key
Here is a detailed howto of what needs to be done:
- Save the file above as RPM-GPG-KEY-openSUSE and inspect it:
$ gpg2 RPM-GPG-KEY-openSUSE
pub rsa2048 2008-11-07 [SC] [platnost skončí: 2024-05-02]
22C07BA534178CD02EFE22AAB88B2FD43DBDC284
uid openSUSE Project Signing Key opensuse@opensuse.org
Note the email address used.
- Import the GPG key to your local keyring:
$ gpg2 --import RPM-GPG-KEY-openSUSE
- Run: $ gpg2 --export-options export-dane --export 'opensuse@opensuse.org'
This will generate a DNS entry. You have to put it in the _openpgpkey.opensuse.org. DNS zone.
It should be:
$ORIGIN _openpgpkey.opensuse.org.
; 22C07BA534178CD02EFE22AAB88B2FD43DBDC284
; openSUSE Project Signing Key <opensuse@opensuse.org>
791f5d38084c356de75bcb606c65cd04be8b1928b6e364861c01ecce TYPE61 \# 645 ( ... )
You can verify the work by running:
$ dig -t TYPE61 791f5d38084c356de75bcb606c65cd04be8b1928b6e364861c01ecce._openpgpkey.opensuse.org
or
$ resolvectl openpgp 'opensuse@opensuse.org'
Note that having a domain secured by DNSSEC would be a nice thing, but this step is useful even without DNSSEC.
Miroslav Suchy, RHCA
Red Hat, Associate Manager, Community Packaging Tools, #brno, #fedora-buildsys
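As an added worked example (not part of the ticket and not GnuPG's own code): the owner-name derivation that the `export-dane` step performs per RFC 7929, plus a decoder for the generic `TYPE61 \# <len> <hex>` form it prints, so a record can be checked before it goes into the zone and again after `dig` returns it. The `is_public_key_packet` sanity check and the four-octet sample record are assumptions constructed for the example.

```python
"""OPENPGPKEY (RFC 7929) zone-entry checks: owner name from an e-mail address,
and decoding of the RFC 3597 generic record form that gpg2 --export-dane emits."""
import hashlib
import re

OPENPGPKEY_RRTYPE = 61  # RFC 7929 assigns OPENPGPKEY the RR type code 61


def openpgpkey_owner(email: str) -> str:
    """Return the FQDN an OPENPGPKEY record for `email` must be published at:
    SHA2-256 of the local part, truncated to 28 octets, hex-encoded, under the
    _openpgpkey label of the domain part (RFC 7929 section 3)."""
    local, _, domain = email.rpartition("@")
    if not local or not domain:
        raise ValueError(f"not an e-mail address: {email!r}")
    digest = hashlib.sha256(local.encode("utf-8")).digest()[:28]
    return f"{digest.hex()}._openpgpkey.{domain.rstrip('.')}."


# Matches the generic form "TYPE61 \# 645 ( <hex> )" printed by gpg2 and dig.
_GENERIC_RR = re.compile(r"TYPE(\d+)\s+\\#\s+(\d+)\s+\(?([0-9a-fA-F\s]*)\)?")


def decode_generic_rdata(rr_text: str) -> bytes:
    """Decode the generic form into raw RDATA (the OpenPGP key packets).
    Raises ValueError if the type code or the declared length do not match."""
    m = _GENERIC_RR.search(rr_text)
    if m is None:
        raise ValueError("not a generic-format resource record")
    rrtype, length, hexdata = int(m.group(1)), int(m.group(2)), m.group(3)
    if rrtype != OPENPGPKEY_RRTYPE:
        raise ValueError(f"unexpected RR type {rrtype}")
    data = bytes.fromhex("".join(hexdata.split()))
    if len(data) != length:
        raise ValueError(f"length field says {length}, got {len(data)} octets")
    return data


def is_public_key_packet(rdata: bytes) -> bool:
    """Assumed sanity check: RDATA must start with an OpenPGP Public-Key packet
    (tag 6), the first packet of a transferable public key (RFC 4880 11.1)."""
    if not rdata or not rdata[0] & 0x80:  # bit 7 is set in every packet header
        return False
    first = rdata[0]
    tag = first & 0x3F if first & 0x40 else (first >> 2) & 0x0F  # new / old format
    return tag == 6


if __name__ == "__main__":
    sample = "TYPE61 \\# 4 ( 9800 0102 )"  # constructed 4-octet stand-in record
    print(openpgpkey_owner("opensuse@opensuse.org"))
    print(is_public_key_packet(decode_generic_rdata(sample)))
```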