Mailinglist Archive: opensuse-buildservice (132 mails)

< Previous Next >
Re: [opensuse-buildservice] Exporting OBS Package Signing Key
  • From: Nick Walter <smtp.nw@xxxxxxxxx>
  • Date: Sat, 31 Jan 2015 13:53:58 +0000
  • Message-id: <>
Thanks for the response, Adrian. I'm afraid I'm not quite over the
line with this problem and hoping you can clear up the remaining
issues I have.

Using the information at this link
[], I have
examined the following files on our OBS host and included what I
believe to be the relevant lines below:

### /usr/lib/obs/server/ ###

#No package signing server
our $sign = "/usr/bin/sign";
#Extend sign call with project name as argument "--project $NAME"
#our $sign_project = 1;
#Global sign key
our $keyfile = "/obs/obs-default-gpg.asc";
#Create a key by default for new projects, if top level have not one
our $forceprojectkeys = 1;

### /etc/sign.conf ###

user: defaultkey@localobs
allowuser: obsrun
phrases: /obs/gnupg/phrases

Based on the configuration in /etc/sign.conf, I located the GPG key
with the matching e-mail (defaultkey@localobs) and attempted to
decrypt the desired project signing key:

$ gpg --homedir /obs/gnupg --decrypt _signkey
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error

My experience with GPG is limited, but the error to me suggests that
the file is not of the format expected. As mentioned in my last post,
the content of the _signkey is simply a long string of hexadecimal

$ file _signkey
_signkey: ASCII text, with very long lines

Whereas the output of a test file encrypted with the above GPG key
produces the following file output:

$ file test.gpg
test.gpg: data

To compound the problem, despite the clues in the configuration files,
I'm not sure that the key I have located is in fact the master key.
The content of the public key '/obs/obs-default-gpg.asc' ($keyfile
listed in /usr/lib/obs/ differs from the public key
exported from what I believe should be the master signing key (user:
defaultkey@localobs listed in /etc/sign.conf):

gpg --homedir /obs/gnupg --export --armor defaultkey@localobs

Apologies if I am missing something obvious. Any further help would be
greatly appreciated.


On Fri, Jan 30, 2015 at 8:56 AM, Adrian Schröter <adrian@xxxxxxx> wrote:
On Freitag, 30. Januar 2015, 08:41:57 wrote Nick Walter:
Hi, hoping somebody on the list can help me with a problem I'm trying to

I am currently using OBS to build RPMs for a variety of architectures
I need to support. However, I also have some RPMs that are built by
Jenkins. Ideally, I would like to be able to have the packages built
by Jenkins signed using the private GPG key in use under OBS and
collect them under a single YUM repo. I have found what I believe to
be the signing (private GPG) key on OBS:


However, it is not in the format I expected (i.e. with a '-----BEGIN
PGP PRIVATE KEY BLOCK-----' header followed by a chunk of base64; it
is simply a long string of hexadecimal chars. So, this has left me
with two questions:

1. Is this indeed the OBS key used to sign my RPMs under this project?

yes, but it is encrypted itself with the OBS master key. (allows to
keep the master key on a special protected system, but you can still
backup the backend server with the keys).

2. If so, how can I export this _signkey to a GPG format I can use
with rpm --addsign?

decrypt it with your instance master key


Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip
Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg

To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >