[Bug 886791] New: kiwi creates images without pre imported keys
https://bugzilla.novell.com/show_bug.cgi?id=886791
https://bugzilla.novell.com/show_bug.cgi?id=886791#c0

           Summary: kiwi creates images without pre imported keys
    Classification: openSUSE
           Product: openSUSE 13.1
           Version: Final
          Platform: Other
        OS/Version: Other
            Status: NEW
          Severity: Major
          Priority: P5 - None
         Component: Other
        AssignedTo: ms@suse.com
        ReportedBy: meissner@suse.com
         QAContact: qa-bugs@suse.de
                CC: adrian@suse.com, rschweikert@suse.com
          Found By: ---
           Blocker: ---

While looking at Robert's problems with the GCE images

osc bl Cloud:Images openSUSE-13.1-GCE-Guest images x86_64

reports:

[ 151s] Jul-10 14:54:25 <1> : Importing build keys...
[ 151s] Jul-10 14:54:25 <2> : Can't find dumpsigs on host system

and does not import any GPG keys at all, and the created images are without any keys.

One reason for this is: there is no openSUSE-build-key installed in the kiwi build chroot (only in the kiwi images build root).

But the core problem seems more in KIWI:

KIWI seems buggy here.

* /usr/share/kiwi/modules/KIWIConfig.sh
  function suseImportBuildKey
  uses the build root and not the image root to look for keys.
  (does not seem to be called by anyone?)

* /usr/share/kiwi/modules/KIWIManager.pm
  sub setupPackageKeys {
      my $keydir = '/usr/lib/rpm/gnupg/keys';
  uses the build root and not the image root to look for keys.
  $keydir might need a $root/ included.

(Also, dumpsigs is not installed in the image root, but we only use the key directory now, so it is not strictly required.)

--
Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are on the CC list for the bug.
https://bugzilla.novell.com/show_bug.cgi?id=886791#c1
--- Comment #1 from Marcus Schaefer
https://bugzilla.novell.com/show_bug.cgi?id=886791#c2
--- Comment #2 from Adrian Schröter
https://bugzilla.novell.com/show_bug.cgi?id=886791#c3
Marcus Schaefer
https://bugzilla.novell.com/show_bug.cgi?id=886791#c4
--- Comment #4 from Marcus Schaefer
> I am not sure if we want this at all. I mean, when we use a SLES as external
> system to build an openSUSE distro appliance, why should we put the SLES key
> at all on the appliance?

Don't understand why someone would need this. If you build openSUSE on SLES you need the openSUSE build keys to verify the key when kiwi installs the openSUSE packages. From today's perspective you would just install openSUSE-build-keys package on your SLES build host and be done. kiwi picks up the keys from the host and that's it.

I think what Marcus wants is that kiwi takes the keys from the image root, which is kind of hard because it's empty at the beginning. That's why I asked how he thinks this should work.

> IMHO no key from the external system should be used for the appliance.

That's a valid point. kiwi currently imports keys as "gpg-pubke*" from the build host, which means if the build host has e.g. SLES and openSUSE keys installed it would import all of them, which is not necessary. But does it hurt? If we don't allow the import of keys from the host they need to be imported from somewhere else. But from where? And last but not least, if we don't import anything the build will not fail; just warning messages from zypper at install time will be part of the build log.

Which also brings me to the most important question: what our goal is and what the benefit is if we don't want to allow importing build keys from the build host.

Thanks
https://bugzilla.novell.com/show_bug.cgi?id=886791#c5
--- Comment #5 from Robert Schweikert
> Can you explain the details what is wrong with it and what the expected
> behavior should be?

From a user perspective the expected behavior would be that if I include

<package name="openSUSE-build-key"/>

in the image description the resulting image will have the keys set up such that "zypper in" or "zypper up" does not generate any messages about importing any keys, as long as I stick to the "official" repositories. This is not happening today.

IMHO this is completely independent of the build system. Whatever keys are on the build system are only of interest while we install the packages marked as "bootstrap". After that we run the package installation inside the chroot, i.e. what will become the root of the new image.

Thus, here are 2 use cases:

1.) The user wants to build an image with the keys included (my current case) and thus includes the -build-key package in the image description.

2.) The user wants a system that does not have the build keys, i.e. the image user has to decide for themselves to accept repository keys or not. In this case the image builder would NOT include the -build-key package in the image description. Thus kiwi should not leave any traces of the keys.
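A check for the behaviour expected in comment #5, as an added example that is not kiwi code and not part of the thread: it compares the key files shipped under the image root's /usr/lib/rpm/gnupg/keys with the keys imported into that image's RPM database. The function names, the RPM override variable and the gpg-pubkey-<version>-<release>.asc file naming are assumptions.

```shell
#!/bin/sh
# Added example, not kiwi code. Lists build-key files shipped in an image root
# that were never imported into that image's RPM database.
# Assumptions: key files are named gpg-pubkey-<version>-<release>.asc, matching
# the gpg-pubkey pseudo-packages rpm reports; RPM may point at another binary.

KEYDIR_REL=usr/lib/rpm/gnupg/keys   # key directory named in the report

# Print one gpg-pubkey-<version>-<release> line per key imported under ROOT.
imported_keys() {
    # rpm exits non-zero and prints a "not installed" line when no key is
    # imported; keep only real gpg-pubkey entries.
    { "${RPM:-rpm}" --root "$1" -q gpg-pubkey \
        --qf '%{NAME}-%{VERSION}-%{RELEASE}\n' 2>/dev/null || true; } |
        grep '^gpg-pubkey-' || true
}

# Print the key files present under ROOT that ROOT's RPM database lacks.
missing_keys() {
    root=$1
    imported=$(imported_keys "$root")
    for f in "$root/$KEYDIR_REL"/gpg-pubkey-*.asc; do
        [ -e "$f" ] || continue            # glob matched nothing
        name=$(basename "$f" .asc)
        printf '%s\n' "$imported" | grep -qxF "$name" || printf '%s\n' "$name"
    done
}

# Exit status: 0 = every shipped key is imported, 1 = shipped keys are missing
# from the RPM database, 2 = the image root ships no key files at all.
audit_image_keys() {
    root=$1
    set -- "$root/$KEYDIR_REL"/gpg-pubkey-*.asc
    [ -e "$1" ] || return 2
    [ -z "$(missing_keys "$root")" ]
}

# Stand-alone use: ./audit.sh /absolute/path/to/image-root
if [ -n "${1:-}" ]; then
    missing_keys "$1"
    audit_image_keys "$1"
fi
```

Status 1 corresponds to use case 1 going wrong (key package installed, nothing imported); status 2 is the state use case 2 expects.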
https://bugzilla.novell.com/show_bug.cgi?id=886791#c6
--- Comment #6 from Marcus Schaefer
https://bugzilla.novell.com/show_bug.cgi?id=886791#c7
--- Comment #7 from Adrian Schröter
https://bugzilla.novell.com/show_bug.cgi?id=886791#c8
--- Comment #8 from Marcus Schaefer
https://bugzilla.novell.com/show_bug.cgi?id=886791#c9
--- Comment #9 from Robert Schweikert
https://bugzilla.novell.com/show_bug.cgi?id=886791#c10
Marcus Meissner
https://bugzilla.novell.com/show_bug.cgi?id=886791#c11
--- Comment #11 from Marcus Schaefer
https://bugzilla.novell.com/show_bug.cgi?id=886791#c12
Marcus Schaefer
https://bugzilla.novell.com/show_bug.cgi?id=886791#c
Marcus Schaefer
https://bugzilla.novell.com/show_bug.cgi?id=886791#c13
--- Comment #13 from Robert Schweikert
https://bugzilla.novell.com/show_bug.cgi?id=886791#c14
--- Comment #14 from Marcus Schaefer
https://bugzilla.novell.com/show_bug.cgi?id=886791#c15
Marcus Schaefer
https://bugzilla.novell.com/show_bug.cgi?id=886791#c16
Marcus Schaefer