[opensuse-buildservice] Keys created for all top level projects
Hi build service users,

all top-level projects (e.g. KDE, home:<user>,...) now have their own sign key. Projects further down the hierarchy inherit the sign key.

We'll add some key management functions to the API soon.

Enjoy,
Michael.

--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}

---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Tuesday 22 January 2008 12:45:54 wrote Michael Schroeder:
Hi build service users,
all top-level projects (e.g. KDE, home:<user>,...) now have their own sign key. Projects further down the hierarchy inherit the sign key.
We'll add some key management functions to the API soon.
This change will lead to popups for the user to trust the new key. YaST and zypper do handle this nicely as far as we tested.

Your users might be confused by this, but this step is important to avoid the situation that you trust automatically all build service repos in your installer when you add on repo.

bye
adrian

--
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de
On Tue, 22 Jan 2008, 13:02:47 +0100, Adrian Schröter wrote:
On Tuesday 22 January 2008 12:45:54 wrote Michael Schroeder:
Hi build service users,
all top-level projects (e.g. KDE, home:<user>,...) now have their own sign key. Projects further down the hierarchy inherit the sign key.
We'll add some key management functions to the API soon.
This change will lead to popups for the user to trust the new key. YaST and zypper do handle this nicely as far as we tested.
Will these new keys be made publicly available/known to GPG key servers? This would be needed for some other package management tools (like apt-get). Right now, I cannot install the new packages from the mozilla/openSUSE-10.2 repository any more :-( Yes, I have run the command

rpm --import http://download.opensuse.org/repositories/mozilla/openSUSE_10.2/repodata/rep...

but checking the sigs still complains:

rpm -qp /var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm -K
/var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#06213bd4)

Cheers.

l8er
manfred
On Tue, Jan 22, 2008 at 06:17:54PM +0100, Manfred Hollstein wrote:
Will these new keys be made publicly available/known to GPG key servers? This would be needed for some other package management tools (like apt-get). Right now, I cannot install the new packages from the mozilla/openSUSE-10.2 repository any more :-( Yes, I have run the command
rpm --import http://download.opensuse.org/repositories/mozilla/openSUSE_10.2/repodata/rep...
but checking the sigs still complains:
rpm -qp /var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm -K
/var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#06213bd4)
Hmm, it shouldn't:

$ curl -q http://download.opensuse.org/repositories/mozilla/openSUSE_10.2/repodata/rep... | gpg --list-packets
[...]
:user ID packet: "mozilla OBS Project <mozilla@build.opensuse.org>"
:signature packet: algo 1, keyid 9D34EC9606213BD4
[...]

Maybe the redirector redirected to some outdated file?

Cheers,
Michael.

--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
On Tue, Jan 22, 2008 at 06:32:14PM +0100, Michael Schroeder wrote:
On Tue, Jan 22, 2008 at 06:17:54PM +0100, Manfred Hollstein wrote:
Will these new keys be made publicly available/known to GPG key servers? This would be needed for some other package management tools (like apt-get). Right now, I cannot install the new packages from the mozilla/openSUSE-10.2 repository any more :-( Yes, I have run the command
rpm --import http://download.opensuse.org/repositories/mozilla/openSUSE_10.2/repodata/rep...
but checking the sigs still complains:
rpm -qp /var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm -K
/var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#06213bd4)
Hmm, it shouldn't:
$ curl -q http://download.opensuse.org/repositories/mozilla/openSUSE_10.2/repodata/rep... | gpg --list-packets
[...]
:user ID packet: "mozilla OBS Project <mozilla@build.opensuse.org>"
:signature packet: algo 1, keyid 9D34EC9606213BD4
[...]
Maybe the redirector redirected to some outdated file?
I'd rule that out, since (in the /repositories tree) we don't redirect for files matching '.xml'.

I actually grepped the logs a minute ago, because I am too stupid to read regular expressions...
Cheers, Michael.
Peter

--
"WARNING: This bug is visible to non-employees. Please be respectful!"
SUSE LINUX Products GmbH
Research & Development
On Tue, Jan 22, 2008 at 08:41:40PM +0100, Dr. Peter Poeml wrote:
I'd rule that out, since (in the /repositories tree) we don't redirect for files matching '.xml'.
But the key ends in '.key'...

Cheers,
Michael.

--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
On Tue, Jan 22, 2008 at 08:44:05PM +0100, Michael Schroeder wrote:
On Tue, Jan 22, 2008 at 08:41:40PM +0100, Dr. Peter Poeml wrote:
I'd rule that out, since (in the /repositories tree) we don't redirect for files matching '.xml'.
But the key ends in '.key'...
Yes, but the file still matches '.xml' (in the middle) ;-)

Peter

--
"WARNING: This bug is visible to non-employees. Please be respectful!"
SUSE LINUX Products GmbH
Research & Development
On Tuesday 22 January 2008 20:41:40 wrote Dr. Peter Poeml:
On Tue, Jan 22, 2008 at 06:32:14PM +0100, Michael Schroeder wrote:
On Tue, Jan 22, 2008 at 06:17:54PM +0100, Manfred Hollstein wrote:
Will these new keys be made publicly available/known to GPG key servers? This would be needed for some other package management tools (like apt-get). Right now, I cannot install the new packages from the mozilla/openSUSE-10.2 repository any more :-( Yes, I have run the command
rpm --import http://download.opensuse.org/repositories/mozilla/openSUSE_10.2/repodata/repomd.xml.key
but checking the sigs still complains:
rpm -qp /var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm -K
/var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#06213bd4)
Hmm, it shouldn't:
$ curl -q http://download.opensuse.org/repositories/mozilla/openSUSE_10.2/repodata/repomd.xml.key | gpg --list-packets
[...]
:user ID packet: "mozilla OBS Project <mozilla@build.opensuse.org>"
:signature packet: algo 1, keyid 9D34EC9606213BD4
[...]
Maybe the redirector redirected to some outdated file?
I'd rule that out, since (in the /repositories tree) we don't redirect for files matching '.xml'.
I actually grepped the logs a minute ago, because I am too stupid to read regular expressions...
I have the same issue here. Actually in my case, building against Factory, it is even worse, because we do not sync it out even. So atm no chance to get the key :/

It looks like we desperately need the api calls to get the gpg keys and osc needs to handle them "somehow".

"somehow": rpm --import did not work for JPR a minute ago. I am looking at this atm.

bye
adrian

--
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de
On Tue, Jan 22, 2008 at 06:17:54PM +0100, Manfred Hollstein wrote:
On Tue, 22 Jan 2008, 13:02:47 +0100, Adrian Schröter wrote:
On Tuesday 22 January 2008 12:45:54 wrote Michael Schroeder:
Hi build service users,
all top-level projects (e.g. KDE, home:<user>,...) now have their own sign key. Projects further down the hierarchy inherit the sign key.
We'll add some key management functions to the API soon.
This change will lead to popups for the user to trust the new key. YaST and zypper do handle this nicely as far as we tested.
Will these new keys be made publicly available/known to GPG key servers? This would be needed for some other package management tools (like apt-get). Right now, I cannot install the new packages from the mozilla/openSUSE-10.2 repository any more :-( Yes, I have run the command
rpm --import http://download.opensuse.org/repositories/mozilla/openSUSE_10.2/repodata/rep...
but checking the sigs still complains:
rpm -qp /var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm -K
/var/cache/apt/archives/mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#06213bd4)
yum has the same problem as you:

Public key for eddie-tool-0.35r881-6.1.i586.rpm is not installed
Retrieving GPG key from http://download.opensuse.org/repositories/home:/poeml/SuSE_Linux_10.1/repoda...
Importing GPG key 0xA1BFE509 "home:poeml OBS Project <home:poeml@build.opensuse.org>"
Is this ok [y/N]: y
Key imported successfully
Import of key(s) didn't help, wrong key(s)?

And on next try:

warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID a1bfe509
Public key for eddie-tool-0.35r881-6.1.i586.rpm is not installed
Retrieving GPG key from http://download.opensuse.org/repositories/home:/poeml/SuSE_Linux_10.1/repoda...
GPG key at http://download.opensuse.org/repositories/home:/poeml/SuSE_Linux_10.1/repoda... (0xA1BFE509) is already installed

The GPG keys listed for the "Project of Peter Poeml (SuSE_Linux_10.1)" repository are already installed but they are not correct for this package.
Check that the correct key URLs are configured for this repository.

Peter

--
"WARNING: This bug is visible to non-employees. Please be respectful!"
SUSE LINUX Products GmbH
Research & Development
On Tue, Jan 22, 2008 at 09:11:30PM +0100, Dr. Peter Poeml wrote:
yum has the same problem as you:
Public key for eddie-tool-0.35r881-6.1.i586.rpm is not installed
Retrieving GPG key from http://download.opensuse.org/repositories/home:/poeml/SuSE_Linux_10.1/repoda...
Importing GPG key 0xA1BFE509 "home:poeml OBS Project <home:poeml@build.opensuse.org>"
Is this ok [y/N]: y
Key imported successfully
Import of key(s) didn't help, wrong key(s)?
And on next try:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID a1bfe509
Public key for eddie-tool-0.35r881-6.1.i586.rpm is not installed
Retrieving GPG key from http://download.opensuse.org/repositories/home:/poeml/SuSE_Linux_10.1/repoda...
GPG key at http://download.opensuse.org/repositories/home:/poeml/SuSE_Linux_10.1/repoda... (0xA1BFE509) is already installed
The GPG keys listed for the "Project of Peter Poeml (SuSE_Linux_10.1)" repository are already installed but they are not correct for this package. Check that the correct key URLs are configured for this repository.
Argh, it's because the signing is done with DSA, but it's an RSA key...

M.
On Tue, Jan 22, 2008 at 09:30:30PM +0100, Michael Schroeder wrote:
Argh, it's because the signing is done with DSA, but it's an RSA key...
I'm now recreating all keys with DSA instead of RSA.

- advantages: will work with rpm-4.1 (which allowed only MD5 hashes for RSA).
- disadvantages: no SHA256 signatures for newer rpms, as DSA is 160bit hashsize only.

Sorry,
Michael.

--
Michael Schroeder mls@suse.de
SUSE LINUX Products GmbH, GF Markus Rex, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
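
The failure this thread converges on (the imported key has the ID rpm asks for, but a different public-key algorithm than the package signature) can be checked mechanically from the two outputs quoted above. The following shell sketch is an added example, not code from any participant or from the build service; the function names are hypothetical, and the sample input is constructed from the rpm and gpg output quoted in the thread.

```shell
#!/bin/sh
# Constructed sample input, shaped like the rpm -K and gpg --list-packets
# output quoted in the thread (values taken from those quotes).
RPM_K_LINE='mozilla-xulrunner181_1.8.1.11-2.2_i586.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#06213bd4)'
GPG_PACKETS=':user ID packet: "mozilla OBS Project <mozilla@build.opensuse.org>"
:signature packet: algo 1, keyid 9D34EC9606213BD4'

# Signature type rpm reports for the package header: DSA or RSA.
rpm_sig_algo() {
    printf '%s\n' "$1" |
        awk '{ for (i = 2; i <= NF; i++) if ($i == "DSA" || $i == "RSA") { print $i; exit } }'
}

# Short key ID rpm says it is missing, upper-cased.
rpm_missing_keyid() {
    printf '%s\n' "$1" |
        sed -n 's/.*MISSING KEYS: GPG#\([0-9A-Fa-f]*\).*/\1/p' | tr 'a-f' 'A-F'
}

# "<algo number> <key ID>" from the first signature packet. Assumption: that
# packet is the self-signature, so it describes the primary key itself.
key_algo_and_id() {
    printf '%s\n' "$1" |
        sed -n 's/^:signature packet: algo \([0-9]*\), keyid \([0-9A-Fa-f]*\).*/\1 \2/p' |
        head -n 1
}

# OpenPGP public-key algorithm numbers (RFC 4880): 1-3 RSA, 17 DSA.
algo_name() {
    case "$1" in
        1|2|3) echo RSA ;;
        17)    echo DSA ;;
        *)     echo unknown ;;
    esac
}

# Compare what the package signature needs with what the key file provides.
diagnose() {
    sig_algo=$(rpm_sig_algo "$1"); want_id=$(rpm_missing_keyid "$1")
    info=$(key_algo_and_id "$2")
    if [ -z "$want_id" ] || [ -z "$info" ]; then echo "nothing-to-compare"; return 0; fi
    key_algo=$(algo_name "${info%% *}")
    key_id=$(printf '%s' "${info##* }" | tr 'a-f' 'A-F')
    case "$key_id" in
        *"$want_id") ;;   # long key ID ends with the short ID rpm reported
        *) echo "wrong-key: need $want_id, have $key_id"; return 0 ;;
    esac
    if [ "$sig_algo" = "$key_algo" ]; then echo "key-matches: $key_algo $key_id"
    else echo "algo-mismatch: signature is $sig_algo, key $key_id is $key_algo"; fi
}

diagnose "$RPM_K_LINE" "$GPG_PACKETS"
```

On the constructed input this reports an algorithm mismatch rather than a wrong key, which is why re-importing the same key file did not change the result.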
participants (4)
- Adrian Schröter
- Dr. Peter Poeml
- Manfred Hollstein
- Michael Schroeder