Thanks for the response, Adrian. I'm afraid I'm not quite over the line with this problem and hoping you can clear up the remaining issues I have. Using the information at this link [https://en.opensuse.org/openSUSE:Build_Service_Signer], I have examined the following files on our OBS host and included what I believe to be the relevant lines below: ### /usr/lib/obs/server/BSConfig.pm ### #No package signing server our $sign = "/usr/bin/sign"; #Extend sign call with project name as argument "--project $NAME" #our $sign_project = 1; #Global sign key our $keyfile = "/obs/obs-default-gpg.asc"; #Create a key by default for new projects, if top level have not one our $forceprojectkeys = 1; ### /etc/sign.conf ### user: defaultkey@localobs server: 127.0.0.1 allowuser: obsrun allow: 127.0.0.1 phrases: /obs/gnupg/phrases Based on the configuration in /etc/sign.conf, I located the GPG key with the matching e-mail (defaultkey@localobs) and attempted to decrypt the desired project signing key: $ gpg --homedir /obs/gnupg --decrypt _signkey gpg: no valid OpenPGP data found. gpg: decrypt_message failed: Unknown system error My experience with GPG is limited, but the error to me suggests that the file is not of the format expected. As mentioned in my last post, the content of the _signkey is simply a long string of hexadecimal chars: $ file _signkey _signkey: ASCII text, with very long lines Whereas the output of a test file encrypted with the above GPG key produces the following file output: $ file test.gpg test.gpg: data To compound the problem, despite the clues in the configuration files, I'm not sure that the key I have located is in fact the master key. The content of the public key '/obs/obs-default-gpg.asc' ($keyfile listed in /usr/lib/obs/serverBSConfig.pm) differs from the public key exported from what I believe should be the master signing key (user: defaultkey@localobs listed in /etc/sign.conf): gpg --homedir /obs/gnupg --export --armor defaultkey@localobs Apologies if I am missing something obvious. Any further help would be greatly appreciated. Thanks On Fri, Jan 30, 2015 at 8:56 AM, Adrian Schröter <adrian@suse.de> wrote:
On Freitag, 30. Januar 2015, 08:41:57 wrote Nick Walter:
Hi, hoping somebody on the list can help me with a problem I'm trying to solve.
I am currently using OBS to build RPMs for a variety of architectures I need to support. However, I also have some RPMs that are built by Jenkins. Ideally, I would like to be able to have the packages built by Jenkins signed using the private GPG key in use under OBS and collect them under a single YUM repo. I have found what I believe to be the signing (private GPG) key on OBS:
/obs/projects/<my-project>/_signkey
However, it is not in the format I expected (i.e. with a '-----BEGIN PGP PRIVATE KEY BLOCK-----' header followed by a chunk of base64; it is simply a long string of hexadecimal chars. So, this has left me with two questions:
1. Is this indeed the OBS key used to sign my RPMs under this project?
yes, but it is encrypted itself with the OBS master key. (allows to keep the master key on a special protected system, but you can still backup the backend server with the keys).
2. If so, how can I export this _signkey to a GPG format I can use with rpm --addsign?
decrypt it with your instance master key
--
Adrian Schroeter email: adrian@suse.de
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu, Graham Norton, HRB 21284 (AG Nürnberg) Maxfeldstraße 5 90409 Nürnberg Germany
-- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org