[opensuse-buildservice] How to download/import the openSUSE buildkey for Debian/Ubuntu?
Hi, i'm glad, that my patch to generate a secure apt repository has been applied and is now working. What we need now is the possibility for Debian/Ubuntu people to import that key into their apt keyring. Something like wget http://opensuse.org/buildkey.pub apt-key add - < buildkey.pub or http://wiki.debian.org/SecureApt#Howtofindakey but it doesn't look like the obs keys can be found on keyservers. If not, people will get this warning: W: GPG error: http://download.opensuse.org Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 85753AA5EEFEFDE9 W: You may want to run apt-get update to correct these problems I was not able to find out, where the obs public buildkey can be found. It is not in the openSUSE-build-key package. -- With best regards, Carsten Hoeger
On Wed, Nov 11, 2009 at 11:34:07AM +0100, Carsten Hoeger wrote:
i'm glad, that my patch to generate a secure apt repository has been applied and is now working.
What we need now is the possibility for Debian/Ubuntu people to import that key into their apt keyring.
Something like
wget http://opensuse.org/buildkey.pub apt-key add - < buildkey.pub
or
http://wiki.debian.org/SecureApt#Howtofindakey
but it doesn't look like the obs keys can be found on keyservers.
AFAIK the keys of the OBS projects are not pushed to any key servers. You need to download them from the particular project you want to use. Wouldn't it counted as flooding as soon as every new key would be published at the public keyservers? For rpm based repositories the key is stored at <project>/<distribution>/repodatarepomd.xml.key I've not checked how the layout of a Debian repository looks like. Lars -- Lars Müller [ˈlaː(r)z ˈmʏlɐ] Samba Team SUSE Linux, Maxfeldstraße 5, 90409 Nürnberg, Germany
On Wed, Nov 11, Lars Müller wrote:
i'm glad, that my patch to generate a secure apt repository has been applied and is now working.
What we need now is the possibility for Debian/Ubuntu people to import that key into their apt keyring.
Something like
wget http://opensuse.org/buildkey.pub apt-key add - < buildkey.pub
or
http://wiki.debian.org/SecureApt#Howtofindakey
but it doesn't look like the obs keys can be found on keyservers.
AFAIK the keys of the OBS projects are not pushed to any key servers. You need to download them from the particular project you want to use.
Wouldn't it counted as flooding as soon as every new key would be published at the public keyservers?
For rpm based repositories the key is stored at <project>/<distribution>/repodatarepomd.xml.key
Ah, interesting information. So it is part of the yum repository data.
I've not checked how the layout of a Debian repository looks like.
There's no such functionality. The Debian keys seem to be delivered with the install media and the gpg keyservers. -- With best regards, Carsten Hoeger
Hi Carsten, Am 11.11.2009 um 11:34 schrieb Carsten Hoeger:
Hi,
i'm glad, that my patch to generate a secure apt repository has been applied and is now working.
Me too; thanks for it.
What we need now is the possibility for Debian/Ubuntu people to import that key into their apt keyring.
Something like
wget http://opensuse.org/buildkey.pub apt-key add - < buildkey.pub
or
http://wiki.debian.org/SecureApt#Howtofindakey
but it doesn't look like the obs keys can be found on keyservers.
If not, people will get this warning:
W: GPG error: http://download.opensuse.org Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 85753AA5EEFEFDE9 W: You may want to run apt-get update to correct these problems
I was not able to find out, where the obs public buildkey can be found. It is not in the openSUSE-build-key package.
For me, the following procedure worked: http://mirrorbrain.org/docs/installation/debian/#add-package-repository Maybe I was only lucky that the key server had the key? I don't know. I assumed that it has been uploaded there. Peter -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Wed, Nov 11, Peter Pöml wrote:
What we need now is the possibility for Debian/Ubuntu people to import that key into their apt keyring.
Something like
wget http://opensuse.org/buildkey.pub apt-key add - < buildkey.pub
or
http://wiki.debian.org/SecureApt#Howtofindakey
but it doesn't look like the obs keys can be found on keyservers.
If not, people will get this warning:
W: GPG error: http://download.opensuse.org Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 85753AA5EEFEFDE9 W: You may want to run apt-get update to correct these problems
I was not able to find out, where the obs public buildkey can be found. It is not in the openSUSE-build-key package.
For me, the following procedure worked: http://mirrorbrain.org/docs/installation/debian/#add-package-repository
Maybe I was only lucky that the key server had the key? I don't know. I assumed that it has been uploaded there.
Ah, that simply proves, that I am to dumb to use gpg. Dumb enough to assume, that a --search-key will find keys. Not found: choeger@mobile:~> gpg --search-key 85753AA5EEFEFDE9 gpg: searching for "85753AA5EEFEFDE9" from hkp server wwwkeys.de.pgp.net gpg: key "85753AA5EEFEFDE9" not found on keyserver But there: choeger@mobile:~> gpg --recv-key 85753AA5EEFEFDE9 gpg: requesting key EEFEFDE9 from hkp server wwwkeys.de.pgp.net gpg: key EEFEFDE9: "openSUSE:Tools OBS Project openSUSE:Tools@build.opensuse.org" not changed gpg: Total number processed: 1 -- With best regards, Carsten Hoeger
On Wed, Nov 11, Peter Pöml wrote:
For me, the following procedure worked: http://mirrorbrain.org/docs/installation/debian/#add-package-repository
Maybe I was only lucky that the key server had the key? I don't know. I assumed that it has been uploaded there.
Well, that seem to work only for specific projects, like openSUSE:Tools. It does not work for my projects: Reading package lists... Done W: GPG error: http://download.opensuse.org Release: The following signatures couldn't be verified because the public key is not available: NO_PUBKEY 0EB11CDE44F9512B W: You may want to run apt-get update to correct these problems choeger@oxigian5:~$ sudo apt-key adv --keyserver hkp://keys.gnupg.net --recv-keys 0EB11CDE44F9512B Executing: gpg --ignore-time-conflict --no-options --no-default-keyring --secret-keyring /etc/apt/secring.gpg --trustdb-name /etc/apt/trustdb.gpg --keyring /etc/apt/trusted.gpg --keyserver hkp://keys.gnupg.net --recv-keys 0EB11CDE44F9512B gpg: requesting key 44F9512B from hkp server keys.gnupg.net gpgkeys: key 0EB11CDE44F9512B not found on keyserver gpg: no valid OpenPGP data found. gpg: Total number processed: 0 So IMO the best solution would be to also put the public build key into the generated debian repos in bs_publish. Michael, as far as I understand, this should then be added to createrepo_debian() in bs_publish: writestr("$extrep/public.key", undef, $pubkey) if $pubkey; But at least in my local obs, that does nothing... :-( -- With best regards, Carsten Hoeger
participants (3)
-
Carsten Hoeger
-
Lars Müller
-
Peter Pöml