https://bugzilla.novell.com/show_bug.cgi?id=886791 https://bugzilla.novell.com/show_bug.cgi?id=886791#c2 --- Comment #2 from Adrian Schröter 2014-07-11 12:11:06 UTC --- 1) I am not sure if we want this at all. I mean, when we use a SLES as external system to build an openSUSE distro appliance, we should we put the SLES key at all on the appliance? IMHO no key from the external system should be used for the appliance. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=886791 https://bugzilla.novell.com/show_bug.cgi?id=886791#c4 --- Comment #4 from Marcus Schaefer 2014-07-11 13:14:27 UTC --- in reply to comment #2

I am not sure if we want this at all. I mean, when we use a SLES as external system to build an openSUSE distro appliance, why should we put the SLES key at all on the appliance?

don't understand why someone would need this. if you build openSUSE on SLES you need the openSUSE build keys to verify the key when kiwi installs the openSUSE packages. From todays perspective you would just install openSUSE-build-keys package on your SLES build host and be done. kiwi picks up the keys from the host and that's it. I think what Marcus wants is that kiwi takes the keys from the image root which is kind of hard because it's empty at the beginning. That's why I asked how he thinks this should work

IMHO no key from the external system should be used for the appliance.

That's a valid point. kiwi currently imports keys as "gpg-pubke*" from the build host. which means if the build host has e.g SLES and openSUSE keys installed it would import all of them which is not necessary. But does it hurt ? if we don't allow the import of keys from the host they need to be imported from somewhere else. But from where ? and last but not least if we don't import anything the build will not fail just warning messages from zypper at install time will be part of the build log which also brings me to the most important question what our goal is and what the benefit is if we don't want to allow importing build keys from the build host Thanks -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=886791 https://bugzilla.novell.com/show_bug.cgi?id=886791#c6 --- Comment #6 from Marcus Schaefer 2014-07-11 13:40:23 UTC --- ok so for the first use case. The following should work: <package name="openSUSE-build-key"/> and in config.sh suseImportBuildKey done. yes it requires the user to have this in the custom config.sh script imho we did that by intention in the past but we could also change this and add the code which imports the keys to the config step called by kiwi in any case. Thoughts ? for the second part I agree the host imported keys taints the image at the moment. I suggest to remove them from the rpm database once kiwi has done its job if that is possible though (don't know if rpm imported keys can be removed) Thoughts ? -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=886791 https://bugzilla.novell.com/show_bug.cgi?id=886791#c8 --- Comment #8 from Marcus Schaefer 2014-07-11 14:09:48 UTC --- ok so this is doable, thanks -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=886791 https://bugzilla.novell.com/show_bug.cgi?id=886791#c10 Marcus Meissner changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEEDINFO |NEW CC| |meissner@suse.com InfoProvider|meissner@suse.com | --- Comment #10 from Marcus Meissner 2014-07-14 09:50:49 UTC --- You could run the image root key import _after_ you installed all the RPMs into the new image root. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=886791 https://bugzilla.novell.com/show_bug.cgi?id=886791#c12 Marcus Schaefer changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |NEEDINFO InfoProvider| |meissner@suse.com --- Comment #12 from Marcus Schaefer 2014-07-14 14:37:58 UTC --- there is still one open question though. as explained and also tested by Robert one can import the installed build keys if there is the following call in config.sh suseImportBuildKey as it works I don't see a bug but the question is: should this be done automatically ? meaning as a user of I include the openSUSE-build-key package to the list should kiwi automatically import the key or not ? in my opinion just the install of the package should not auto add the key. if this would be intended I think we would have added such an import already as part of the package post script which seems not the case Thoughts -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=886791 https://bugzilla.novell.com/show_bug.cgi?id=886791#c13 --- Comment #13 from Robert Schweikert 2014-07-14 15:14:33 UTC --- I think even in %post one cannot use rpm commands, thus the -build-key package cannot automatically import the keys. My gut reaction, having just been through this oddity, would be to do build key importing automatically somehow. However, as indicated in comment #5 it is reasonable for the user to expect to be able to build a system that has no keys. We can satisfy both needs, build a system with and without keys today. Thus, it is probably best to not try and implement any automagic mechanism as it inevitably lead to the request to be able to turn the magic off. I think we need to add some documentation with it's own section: "Adding signing keys" to the KIWI doc and go with that. -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.

https://bugzilla.novell.com/show_bug.cgi?id=886791 https://bugzilla.novell.com/show_bug.cgi?id=886791#c15 Marcus Schaefer changed: What |Removed |Added ---------------------------------------------------------------------------- InfoProvider|meissner@suse.com |rschweikert@suse.com --- Comment #15 from Marcus Schaefer 2014-07-15 16:40:13 UTC --- @Robert: can you review: https://github.com/openSUSE/kiwi/pull/371 Thanks -- Configure bugmail: https://bugzilla.novell.com/userprefs.cgi?tab=email ------- You are receiving this mail because: ------- You are on the CC list for the bug.