Mailinglist Archive: opensuse-buildservice (95 mails)

< Previous Next >
Re: [opensuse-buildservice] OSB Debian InRelease signature
On 1/21/20 8:48 AM, Adrian Schröter wrote:
On Montag, 20. Januar 2020, 21:46:41 CET Michael Ströder wrote:
Thanks for also providing Debian support on OBS.

I'm starting to use it and it builds my packages just fine. I'd also
like to use download.opensuse.org directly as apt repo (Debian 10 aka
buster).

But when adding the repo to Debian with correct key "apt update"
complains about missing signatore for InRelease (probably wants
InRelease.gpg). The work-around is to add the repo with option
[trusted=yes] but obviously this is not what anybody wants.

hm, can you find out a bit more about that first?

Because InRelease is signed, just not detached signed in seperate file.

Ah, missed the inline signature.

I guess I'm hitting stronger signing algorithm suites being enforced on
Debian buster:

https://wiki.debian.org/Teams/Apt/Sha1Removal

In particular it seems repos shall be signed with RSA-SHA-256 or stronger:

https://wiki.debian.org/Teams/Apt/Sha1Removal#Fixing_half-broken_repositories

Official Debian repo keys are RSA-4096.

Ciao, Michael.
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@xxxxxxxxxxxx
To contact the owner, e-mail: opensuse-buildservice+owner@xxxxxxxxxxxx

< Previous Next >