[Bug 886791] New: kiwi creates images without pre imported keys
https://bugzilla.novell.com/show_bug.cgi?id=886791#c0

Summary: kiwi creates images without pre imported keys
Classification: openSUSE
Product: openSUSE 13.1
Version: Final
Platform: Other
OS/Version: Other
Status: NEW
Severity: Major
Priority: P5 - None
Component: Other
AssignedTo: ms@suse.com
ReportedBy: meissner@suse.com
QAContact: qa-bugs@suse.de
CC: adrian@suse.com, rschweikert@suse.com
Found By: ---
Blocker: ---

While looking at Robert's problems with the GCE images,

  osc bl Cloud:Images openSUSE-13.1-GCE-Guest images x86_64

reports:

  [ 151s] Jul-10 14:54:25 <1> : Importing build keys...
  [ 151s] Jul-10 14:54:25 <2> : Can't find dumpsigs on host system

and does not import any GPG keys at all, and the created images are without any keys.

One reason for this is: there is no openSUSE-build-key installed in the kiwi build chroot (only in the kiwi image's build root).

But the core problem seems more in KIWI: KIWI seems buggy here.

* /usr/share/kiwi/modules/KIWIConfig.sh, function suseImportBuildKey, uses the build root and not the image root to look for keys. (Does not seem to be called by anyone?)

* /usr/share/kiwi/modules/KIWIManager.pm

    sub setupPackageKeys {
        my $keydir = '/usr/lib/rpm/gnupg/keys';

  uses the build root and not the image root to look for keys. $keydir might need a $root/ included. (Also dumpsigs is not installed in the image root, but we only use the key directory now, so it is not strictly required.)

-- 
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=886791#c1

--- Comment #1 from Marcus Schaefer <ms@suse.com> 2014-07-11 12:05:36 UTC ---

Yes, some glitches here. Some words on your findings:

1. openSUSE-build-key not installed by the buildservice. This is something we can solve in the kiwi spec file in the -requires packages which are used by the buildservice internally. I'll take a look at it. In the meantime you can set:

     Substitute: kiwi-image:vmx kiwi-desc-vmxboot-requires openSUSE-build-key

2. suseImportBuildKey function is just a service function for free use in the kiwi config.sh script. The config.sh script always runs chrooted inside the image root. Thus I don't see a bug here.

3. setupPackageKeys seems to be buggy as you described it. Will also take a look at this one.

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=886791#c2

--- Comment #2 from Adrian Schröter <adrian@suse.com> 2014-07-11 12:11:06 UTC ---

1) I am not sure if we want this at all. I mean, when we use a SLES as external system to build an openSUSE distro appliance, why should we put the SLES key at all on the appliance?

IMHO no key from the external system should be used for the appliance.
https://bugzilla.novell.com/show_bug.cgi?id=886791#c3

Marcus Schaefer <ms@suse.com> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
         Status    |NEW              |NEEDINFO
   InfoProvider    |                 |meissner@suse.com

--- Comment #3 from Marcus Schaefer <ms@suse.com> 2014-07-11 12:50:17 UTC ---

While looking at the code I wondered why you want kiwi to read the build keys from the image root tree? When kiwi starts to create a new root, the new root directory is empty and there can't be any keys inside. Thus I don't see another chance to import the keys the build host provides. That's how setupPackageKeys is implemented.

Can you explain the details, what is wrong with it and what the expected behavior should be?

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=886791#c4

--- Comment #4 from Marcus Schaefer <ms@suse.com> 2014-07-11 13:14:27 UTC ---

In reply to comment #2:

> I am not sure if we want this at all. I mean, when we use a SLES as external
> system to build an openSUSE distro appliance, why should we put the SLES key
> at all on the appliance?

Don't understand why someone would need this. If you build openSUSE on SLES you need the openSUSE build keys to verify the key when kiwi installs the openSUSE packages. From today's perspective you would just install the openSUSE-build-keys package on your SLES build host and be done. kiwi picks up the keys from the host and that's it. I think what Marcus wants is that kiwi takes the keys from the image root, which is kind of hard because it's empty at the beginning. That's why I asked how he thinks this should work.

> IMHO no key from the external system should be used for the appliance.

That's a valid point. kiwi currently imports keys as "gpg-pubke*" from the build host, which means if the build host has e.g. SLES and openSUSE keys installed it would import all of them, which is not necessary. But does it hurt? If we don't allow the import of keys from the host they need to be imported from somewhere else. But from where? And last but not least, if we don't import anything the build will not fail; just warning messages from zypper at install time will be part of the build log. Which also brings me to the most important question: what our goal is and what the benefit is if we don't want to allow importing build keys from the build host.

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=886791#c5

--- Comment #5 from Robert Schweikert <rschweikert@suse.com> 2014-07-11 13:23:40 UTC ---

(In reply to comment #3)
> Can you explain the details what is wrong with it and what the expected
> behavior should be ?

From a user perspective the expected behavior would be that if I include

  <package name="openSUSE-build-key"/>

in the image description, the resulting image will have the keys set up such that "zypper in" or "zypper up" does not generate any messages about importing any keys, as long as I stick to the "official" repositories. This is not happening today.

IMHO this is completely independent of the build system. Whatever keys are on the build system are only of interest while we install the packages marked as "bootstrap". After that we run the package installation inside the chroot, i.e. what will become the root of the new image.

Thus, here are 2 use cases:

1.) The user wants to build an image with the keys included (my current case) and thus includes the -build-key package in the image description.

2.) The user wants a system that does not have the build keys, i.e. the image user has to decide for themselves to accept repository keys or not. In this case the image builder would NOT include the -build-key package in the image description. Thus kiwi should not leave any traces of the keys.
https://bugzilla.novell.com/show_bug.cgi?id=886791#c6

--- Comment #6 from Marcus Schaefer <ms@suse.com> 2014-07-11 13:40:23 UTC ---

OK, so for the first use case the following should work:

  <package name="openSUSE-build-key"/>

and in config.sh:

  suseImportBuildKey

Done. Yes, it requires the user to have this in the custom config.sh script. IMHO we did that by intention in the past, but we could also change this and add the code which imports the keys to the config step called by kiwi in any case. Thoughts?

For the second part I agree the host imported keys taint the image at the moment. I suggest to remove them from the rpm database once kiwi has done its job, if that is possible though (don't know if rpm imported keys can be removed). Thoughts?
https://bugzilla.novell.com/show_bug.cgi?id=886791#c7

--- Comment #7 from Adrian Schröter <adrian@suse.com> 2014-07-11 13:52:42 UTC ---

Imported keys can be removed via "rpm -e gpg-pubkey-$ID".
https://bugzilla.novell.com/show_bug.cgi?id=886791#c8

--- Comment #8 from Marcus Schaefer <ms@suse.com> 2014-07-11 14:09:48 UTC ---

OK, so this is doable, thanks.
https://bugzilla.novell.com/show_bug.cgi?id=886791#c9

--- Comment #9 from Robert Schweikert <rschweikert@suse.com> 2014-07-11 21:34:06 UTC ---

Adding suseImportBuildKey to config.sh did the trick. Looks like some documentation is needed....
https://bugzilla.novell.com/show_bug.cgi?id=886791#c10

Marcus Meissner <meissner@suse.com> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
         Status    |NEEDINFO         |NEW
             CC    |                 |meissner@suse.com
   InfoProvider    |meissner@suse.com|

--- Comment #10 from Marcus Meissner <meissner@suse.com> 2014-07-14 09:50:49 UTC ---

You could run the image root key import _after_ you installed all the RPMs into the new image root.
https://bugzilla.novell.com/show_bug.cgi?id=886791#c11

--- Comment #11 from Marcus Schaefer <ms@suse.com> 2014-07-14 14:33:18 UTC ---

OK, I have fixed the possible tainting of the system with host rpm keys:

commit a225a172d6b6d472a0484aa91a178d4e3ac1e030
Author: Marcus Schäfer <ms@suse.de>
Date:   Mon Jul 14 15:48:36 2014 +0200

    - Don't taint the system with rpm host package keys (bnc #886791)
      * kiwi imports host rpm package keys during preparation of the new
        root filesystem. This is ok but after preparation these keys
        should be removed again because we don't want to have host keys
        in the new root filesystem
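An added example, not from this bug thread and not kiwi's own code, showing how a builder can verify the two use cases from comment #5 against a prepared image root: that the key the image description asked for is actually present (the symptom in the report was a build that silently shipped no keys at all), and that no key leaked in from the build host, using the "rpm -e gpg-pubkey-$ID" removal from comment #7 that the commit in comment #11 automates. rpm records every imported key as a pseudo-package named gpg-pubkey-<keyid>-<timestamp>, so the key set of an image root can be audited with a plain rpm query. IMAGE_ROOT, the allow-list and the sample rpm output below are constructed for this example.

```shell
#!/bin/sh
# Added example (not kiwi's own code): audit the gpg-pubkey pseudo-packages that
# rpm keeps in an image root. Checks that every wanted key is present and lists
# the removal commands for any other key, i.e. one leaked from the build host.
# IMAGE_ROOT, ALLOWED_KEYS and SAMPLE_KEYS are constructed for this example.

# Query rpm's key pseudo-packages below an image root. Needs rpm and a prepared
# root, so it is not exercised offline; the other functions only parse its output.
list_image_keys() {
    rpm --root "$1" -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SUMMARY}\n'
}

# Print one "rpm --root ROOT -e NAME" line per key package that is not on the
# allow-list. Lines that are not gpg-pubkey packages (e.g. rpm's "package
# gpg-pubkey is not installed") are ignored.
#   $1 = image root   $2 = key list (output of list_image_keys)   $3 = allowed names
host_keys_to_remove() {
    root=$1
    printf '%s\n' "$2" | while read -r name summary; do
        case "$name" in gpg-pubkey-*) ;; *) continue ;; esac
        printf '%s\n' "$3" | grep -qx -- "$name" && continue
        printf 'rpm --root %s -e %s\n' "$root" "$name"
    done
}

# Print every allowed key name that is missing from the key list, so a build can
# fail loudly instead of silently producing an image without keys.
#   $1 = key list   $2 = allowed names
missing_wanted_keys() {
    printf '%s\n' "$2" | while read -r wanted; do
        [ -n "$wanted" ] || continue
        printf '%s\n' "$1" | awk -v n="$wanted" '$1 == n { found = 1 } END { exit !found }' \
            || printf '%s\n' "$wanted"
    done
}

# Constructed sample: the key pulled in by the image's own build-key package
# (wanted) next to a key that leaked in from the build host (not wanted).
SAMPLE_KEYS='gpg-pubkey-aaaa0001-53000001 gpg(constructed openSUSE key <build@example.invalid>)
gpg-pubkey-bbbb0002-53000002 gpg(constructed host key <build@example.invalid>)'
ALLOWED_KEYS='gpg-pubkey-aaaa0001-53000001'
IMAGE_ROOT=/tmp/example-image-root   # hypothetical path of a prepared image root
```

Against a real root the two checks chain together as `missing_wanted_keys "$(list_image_keys "$IMAGE_ROOT")" "$ALLOWED_KEYS"` (any output means the build-key package did not end up in the image) and `host_keys_to_remove "$IMAGE_ROOT" "$(list_image_keys "$IMAGE_ROOT")" "$ALLOWED_KEYS" | sh -e` to drop the host keys. For use case 1 the allow-list holds the image's own build key; for use case 2 it is empty, and the query output before and after cleanup belongs in the build log so the key set of every image is recorded.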
https://bugzilla.novell.com/show_bug.cgi?id=886791#c12

Marcus Schaefer <ms@suse.com> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
         Status    |NEW              |NEEDINFO
   InfoProvider    |                 |meissner@suse.com

--- Comment #12 from Marcus Schaefer <ms@suse.com> 2014-07-14 14:37:58 UTC ---

There is still one open question though. As explained and also tested by Robert, one can import the installed build keys if there is the following call in config.sh:

  suseImportBuildKey

As it works I don't see a bug, but the question is: should this be done automatically? Meaning, as a user, if I include the openSUSE-build-key package to the list, should kiwi automatically import the key or not?

In my opinion just the install of the package should not auto add the key. If this would be intended I think we would have added such an import already as part of the package post script, which seems not the case.

Thoughts
https://bugzilla.novell.com/show_bug.cgi?id=886791#c

Marcus Schaefer <ms@suse.com> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
       Priority    |P5 - None        |P3 - Medium
       Severity    |Major            |Normal
https://bugzilla.novell.com/show_bug.cgi?id=886791#c13

--- Comment #13 from Robert Schweikert <rschweikert@suse.com> 2014-07-14 15:14:33 UTC ---

I think even in %post one cannot use rpm commands, thus the -build-key package cannot automatically import the keys.

My gut reaction, having just been through this oddity, would be to do build key importing automatically somehow. However, as indicated in comment #5 it is reasonable for the user to expect to be able to build a system that has no keys. We can satisfy both needs, build a system with and without keys, today. Thus, it is probably best to not try and implement any automagic mechanism, as it inevitably leads to the request to be able to turn the magic off.

I think we need to add some documentation with its own section, "Adding signing keys", to the KIWI doc and go with that.
https://bugzilla.novell.com/show_bug.cgi?id=886791#c14

--- Comment #14 from Marcus Schaefer <ms@suse.com> 2014-07-14 15:29:27 UTC ---

Would be ok for me. I'll write something as a pull request and would like to ask you for the review... Will be on travel the next two days, so most probably not before Thu/Fri.
https://bugzilla.novell.com/show_bug.cgi?id=886791#c15

Marcus Schaefer <ms@suse.com> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
   InfoProvider    |meissner@suse.com|rschweikert@suse.com

--- Comment #15 from Marcus Schaefer <ms@suse.com> 2014-07-15 16:40:13 UTC ---

@Robert: can you review: https://github.com/openSUSE/kiwi/pull/371

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=886791#c16

Marcus Schaefer <ms@suse.com> changed:

           What    |Removed          |Added
----------------------------------------------------------------------------
         Status    |NEEDINFO         |RESOLVED
   InfoProvider    |rschweikert@suse.com|
     Resolution    |                 |FIXED

--- Comment #16 from Marcus Schaefer <ms@suse.com> 2014-07-18 15:04:32 UTC ---

Documentation is in now, thanks Robert.

commit c4759e7ee8deba7b92ff975cbd525329cc73bff1
Author: Marcus Schäfer <ms@suse.de>
Date:   Tue Jul 15 18:36:11 2014 +0200

    - DB: update documentation (bnc #886791)
      * Added Chapter how to include rpm signing keys

Closing.