Mailinglist Archive: opensuse-buildservice (126 mails)

Re: [opensuse-buildservice] Exporting OBS Package Signing Key
On Fri, Jan 30, 2015 at 8:56 AM, Adrian Schröter <adrian@xxxxxxx> wrote:
On Freitag, 30. Januar 2015, 08:41:57 wrote Nick Walter:
Hi, hoping somebody on the list can help me with a problem I'm trying to

I am currently using OBS to build RPMs for a variety of architectures
I need to support. However, I also have some RPMs that are built by
Jenkins. Ideally, I would like to be able to have the packages built
by Jenkins signed using the private GPG key in use under OBS and
collect them under a single YUM repo. I have found what I believe to
be the signing (private GPG) key on OBS:


However, it is not in the format I expected (i.e. with a '-----BEGIN
PGP PRIVATE KEY BLOCK-----' header followed by a chunk of base64); it
is simply a long string of hexadecimal chars. So, this has left me
with two questions:

1. Is this indeed the OBS key used to sign my RPMs under this project?

Yes, but it is itself encrypted with the OBS master key. (This allows
you to keep the master key on a specially protected system while still
being able to back up the backend server with the keys.)

2. If so, how can I export this _signkey to a GPG format I can use
with rpm --addsign?

Decrypt it with your instance master key.


Adrian Schroeter
email: adrian@xxxxxxx

SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip
Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg)
Maxfeldstraße 5
90409 Nürnberg

Hi, I would greatly appreciate it if someone could please explain to
me the following:

I understand that each project signing key is encrypted with the OBS
master key. However, the project signing key
(/obs/projects/<my-project>/_signkey) does not appear to be in either
an ASCII-armoured or a binary OpenPGP format: it is simply a series of
hexadecimal chars.

How do I decrypt this key? I receive the following error when
attempting to decrypt the project key with the master key:

# gpg --homedir . --decrypt /obs/projects/my_project/_signkey
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error

Is there some encoding applied to this file that I need to decode
prior to decryption with GPG? Am I missing some option with my GPG
invocation? I've scoured the web/mailing list/available documentation
and hit a wall. Any clues?
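
One way to test the question raised above, whether the file is an encoded form of OpenPGP data, is to classify its bytes before handing them to gpg. This is an added example, not code from the thread or from OBS; the thread does not state how OBS encodes `_signkey`, so hex-wrapped OpenPGP data is an assumption being tested here, and the sample bytes are constructed.

```python
import binascii

# OpenPGP packet tags (RFC 4880, section 4.3) likely to start an encrypted or key blob
PACKET_TAGS = {
    1: "public-key encrypted session key",
    3: "symmetric-key encrypted session key",
    5: "secret key",
    6: "public key",
    8: "compressed data",
    9: "symmetrically encrypted data",
    18: "symmetrically encrypted, integrity-protected data",
}
HEXCHARS = set(b"0123456789abcdefABCDEF")


def packet_tag(first_byte):
    """Return the packet tag encoded in an OpenPGP packet's first byte, or None."""
    if not first_byte & 0x80:            # bit 7 is set in every packet header
        return None
    if first_byte & 0x40:                # new-format header: tag in bits 5-0
        return first_byte & 0x3F
    return (first_byte & 0x3C) >> 2      # old-format header: tag in bits 5-2


def describe(tag):
    """Human-readable description of a packet tag (None means no valid header)."""
    if tag is None:
        return "not an OpenPGP packet header"
    return PACKET_TAGS.get(tag, "other packet type")


def classify(data):
    """Return (container, detail) for the raw bytes of a key file."""
    if data.lstrip().startswith(b"-----BEGIN PGP "):
        return ("armored", None)
    compact = b"".join(data.split())     # ignore line breaks inside a hex dump
    if compact and len(compact) % 2 == 0 and all(c in HEXCHARS for c in compact):
        decoded = binascii.unhexlify(compact)
        return ("hex", describe(packet_tag(decoded[0])))
    tag = packet_tag(data[0]) if data else None
    if tag is not None:
        return ("binary-openpgp", describe(tag))
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample: hex text whose decoded form begins like a gpg-encrypted message
    print(classify(b"85010c03aabbccdd\n"))
```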
