我有两个几乎相同的 openSuSE 12.3 虚拟机,snip并且snap.
今天更新时,一个要求确认新的repository or package signing key,另一个没有。
我想确保我没有做错任何事情(以防其中一个以某种方式受到损害),特别是因为系统不要求密钥表明所有存储库都是最新的。
所以:
- zypper 在哪里安装这些密钥?
- 如何列出已安装的密钥?
- 我如何验证这些密钥确实有效?
系统要求信任密钥:
snap:/home/jeroenp # zypper repos -d
# | Alias | Name | Enabled | Refresh | Priority | Type | URI | Service
---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
1 | Security_-_openSUSE_12.3 | Security - openSUSE 12.3 | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/ |
2 | openSUSE-12.3-1.6 | openSUSE-12.3-1.6 | Yes | No | 99 | yast2 | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |
3 | repo-debug | openSUSE-12.3-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/distribution/12.3/repo/oss/ |
4 | repo-debug-update | openSUSE-12.3-Update-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3/ |
5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3-non-oss/ |
6 | repo-non-oss | openSUSE-12.3-Non-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/non-oss/ |
7 | repo-oss | openSUSE-12.3-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/oss/ |
8 | repo-source | openSUSE-12.3-Source | No | Yes | 99 | NONE | http://download.opensuse.org/source/distribution/12.3/repo/oss/ |
9 | repo-update | openSUSE-12.3-Update | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3/ |
10 | repo-update-non-oss | openSUSE-12.3-Update-Non-Oss | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3-non-oss/ |
snap:/home/jeroenp # zypper update
Retrieving repository 'Security - openSUSE 12.3' metadata ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------[\]
New repository or package signing key received:
Key ID: 69D1B2AAEE3D166A
Key Name: security OBS Project <[email protected]>
Key Fingerprint: AAF3EB044C49C402A9E7B9AE69D1B2AAEE3D166A
Key Created: Mon May 26 11:04:43 2014
Key Expires: Wed Aug 3 11:04:42 2016
Repository: Security - openSUSE 12.3
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/? shows all options] (r): ^Csnap:/home/jeroenp # ^C
snap:/home/jeroenp #
系统不要求信任密钥:
snip:/home/jeroenp # zypper repos -d
# | Alias | Name | Enabled | Refresh | Priority | Type | URI | Service
---+---------------------------+------------------------------------+---------+---------+----------+--------+-------------------------------------------------------------------------------------------------+--------
1 | Security_-_openSUSE_12.3 | Security - openSUSE 12.3 | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/repositories/security/openSUSE_12.3/ |
2 | openSUSE-12.3-1.6 | openSUSE-12.3-1.6 | Yes | No | 99 | yast2 | cd:///?devices=/dev/disk/by-id/ata-VMware_Virtual_IDE_CDROM_Drive_10000000000000000001,/dev/sr0 |
3 | repo-debug | openSUSE-12.3-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/distribution/12.3/repo/oss/ |
4 | repo-debug-update | openSUSE-12.3-Update-Debug | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3/ |
5 | repo-debug-update-non-oss | openSUSE-12.3-Update-Debug-Non-Oss | No | Yes | 99 | NONE | http://download.opensuse.org/debug/update/12.3-non-oss/ |
6 | repo-non-oss | openSUSE-12.3-Non-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/non-oss/ |
7 | repo-oss | openSUSE-12.3-Oss | Yes | Yes | 99 | yast2 | http://download.opensuse.org/distribution/12.3/repo/oss/ |
8 | repo-source | openSUSE-12.3-Source | No | Yes | 99 | NONE | http://download.opensuse.org/source/distribution/12.3/repo/oss/ |
9 | repo-update | openSUSE-12.3-Update | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3/ |
10 | repo-update-non-oss | openSUSE-12.3-Update-Non-Oss | Yes | Yes | 99 | rpm-md | http://download.opensuse.org/update/12.3-non-oss/ |
snip:/home/jeroenp # zypper update
Loading repository data...
Reading installed packages...
The following package update will NOT be installed:
libudev0
Nothing to do.
snip:/home/jeroenp # snip:/home/jeroenp # zypper refreshRepository 'Security - openSUSE 12.3' is up to date.
Repository 'openSUSE-12.3-1.6' is up to date.
Repository 'openSUSE-12.3-Non-Oss' is up to date.
Repository 'openSUSE-12.3-Oss' is up to date.
Repository 'openSUSE-12.3-Update' is up to date.
Repository 'openSUSE-12.3-Update-Non-Oss' is up to date.
All repositories have been refreshed.
snip:/home/jeroenp #
答案1
上openSuSE 论坛, 用户罗比·利斯塔斯给了答案的开始哪个我完成了。总结如下:
Zypper 不会公开密钥的位置,但 openSuSE 上的存储库密钥文件位于您可以通过的列表中的/var/cache/zypp/raw/*/repodatawhere*是存储库的别名zypper repos。
我写了一个小bashrepomd_test.sh脚本基于脚本:托贾吉repodata您可以为每个目录这样调用:
for d in /var/cache/zypp/raw/*/repodata; do ~/repomd_test.sh $d; done
每个目录都有三个文件:
repomd.xml签名的存储库文件(这是 XML)repomd.xml.ascASCII“装甲”签名repomd.xmlrepomd.xml.keyrepomd.xml.asc用于创建签名的ASCII 公钥
然后对于repodata,它将添加repomd.xml.key到密钥环,然后验证repomd.xml确实对应于repomd.xml.asc签名并打印指纹和元信息(例如过期)。