[opensuse-buildservice] extend signkey of project
Hi all,

I need help with the extending of the validity of a project's signkey. As far as I know the signkeys will be automatically extended, when they reach their expiry time. I now have several projects, where the repo will not get published. I checked deeper and found the signkey of the project expired.

    osc signkey --extend

terminates with

    Server returned an error: HTTP Error 400: Bad Request
    /usr/bin/sign: 256

a closer look in src_server.log shows an additional line

    self-sig is not made with sha1

Now my call for help: How do I extend the key's validity?

I run OBS 2.6.10.

Thank you for your input,
Stefan

--
Stefan Botter zu Hause Bremen
On 01.09.2016 at 17:46, Stefan Botter wrote:
Hi all,
I need help with the extending of the validity of a project's signkey. As far as I know the signkeys will be automatically extended, when they reach their expiry time. I now have several projects, where the repo will not get published. I checked deeper and found the signkey of the project expired. osc signkey --extend terminates with Server returned an error: HTTP Error 400: Bad Request /usr/bin/sign: 256 a closer look in src_server.log shows an additional line self-sig is not made with sha1
Now my call for help: How do I extend the key's validity?
I run OBS 2.6.10.
Thank you for your input,
Stefan
Did you check your /etc/sign.conf? I ran into the same error (/usr/bin/sign: 256) when I changed the IPs of my build host (reduced 3 to 1).

--
Christian
On Thu, Sep 01, 2016 at 05:46:08PM +0200, Stefan Botter wrote:
I need help with the extending of the validity of a project's signkey. As far as I know the signkeys will be automatically extended, when they reach their expiry time. I now have several projects, where the repo will not get published. I checked deeper and found the signkey of the project expired. osc signkey --extend terminates with Server returned an error: HTTP Error 400: Bad Request /usr/bin/sign: 256 a closer look in src_server.log shows an additional line self-sig is not made with sha1
That's weird. I have no clue why the code doesn't take the hash algo from the signature instead of insisting that sign is called with a matching argument.

I guess it will work if you also specify a -h sha256 argument with the extend call, but I'll change the code to take the hash type from the pubkey.

Cheers,
Michael.

--
Michael Schroeder mls@suse.de
SUSE LINUX GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
On Fri, Sep 02, 2016 at 11:27:08AM +0200, Michael Schroeder wrote:
I guess it will work if you also specify a -h sha256 argument with the extend call, but I'll change the code to take the hash type from the pubkey.
Now done with commit 688d5fa695c4756bf5c9825ed390112d23270bf0 in obs-sign. (Untested though, but it compiles ;) )

--
Michael Schroeder
Hi Michael,

On Fri, 2 Sep 2016 11:27:08 +0200 Michael Schroeder <mls@suse.de> wrote:
On Thu, Sep 01, 2016 at 05:46:08PM +0200, Stefan Botter wrote:
osc signkey --extend terminates with Server returned an error: HTTP Error 400: Bad Request /usr/bin/sign: 256 a closer look in src_server.log shows an additional line self-sig is not made with sha1 : I guess it will work if you also specify a -h sha256 argument with the extend call, but I'll change the code to take the hash type from the pubkey.
Thank you for your reply, that sounds promising, but I am afraid I am not sure where to put the "-h sha256". As a command line option to

    osc signkey --extend <projectname> -h sha256

it will not work, as "-h" calls the help info for osc.

Any help is much appreciated ;-)

Stefan

--
Stefan Botter zu Hause Bremen
On Fri, Sep 02, 2016 at 01:53:59PM +0200, Stefan Botter wrote:
Hi Michael,
On Fri, 2 Sep 2016 11:27:08 +0200 Michael Schroeder <mls@suse.de> wrote:
On Thu, Sep 01, 2016 at 05:46:08PM +0200, Stefan Botter wrote:
osc signkey --extend terminates with Server returned an error: HTTP Error 400: Bad Request /usr/bin/sign: 256 a closer look in src_server.log shows an additional line self-sig is not made with sha1 : I guess it will work if you also specify a -h sha256 argument with the extend call, but I'll change the code to take the hash type from the pubkey.
Thank you for your reply, that sounds promising, but I am afraid I am not sure where to put the "-h sha256".
Into the sign call in the extendkey sub in bs_srcserver. I.e. change it from

    open(F, '-|', $BSConfig::sign, @signargs, '-P', "$projectsdir/$projid.pkg/_signkey", '-x', @keyargs, "$projectsdir/$projid.pkg/_pubkey") || die("$BSConfig::sign: $!\n");

to

    open(F, '-|', $BSConfig::sign, @signargs, '-P', "$projectsdir/$projid.pkg/_signkey", '-h', 'sha256', '-x', @keyargs, "$projectsdir/$projid.pkg/_pubkey") || die("$BSConfig::sign: $!\n");

(around line 3574)

Cheers,
Michael.

--
Michael Schroeder
Hi all, hi Michael,

On Fri, 2 Sep 2016 14:24:06 +0200 Michael Schroeder <mls@suse.de> wrote:
On Fri, Sep 02, 2016 at 01:53:59PM +0200, Stefan Botter wrote:
Hi Michael,
On Fri, 2 Sep 2016 11:27:08 +0200 Michael Schroeder <mls@suse.de> wrote:
On Thu, Sep 01, 2016 at 05:46:08PM +0200, Stefan Botter wrote:
osc signkey --extend terminates with Server returned an error: HTTP Error 400: Bad Request /usr/bin/sign: 256 a closer look in src_server.log shows an additional line self-sig is not made with sha1 : I guess it will work if you also specify a -h sha256 argument with the extend call, but I'll change the code to take the hash type from the pubkey.
Thank you for your reply, that sounds promising, but I am afraid I am not sure where to put the "-h sha256".
Into the sign call in the extendkey sub in bs_srcserver. I.e. change it from
open(F, '-|', $BSConfig::sign, @signargs, '-P', "$projectsdir/$projid.pkg/_signkey", '-x', @keyargs, "$projectsdir/$projid.pkg/_pubkey") || die("$BSConfig::sign: $!\n");
to
open(F, '-|', $BSConfig::sign, @signargs, '-P', "$projectsdir/$projid.pkg/_signkey", '-h', 'sha256', '-x', @keyargs, "$projectsdir/$projid.pkg/_pubkey") || die("$BSConfig::sign: $!\n");
I want to follow this request up with the solution: Michael has kindly extended obs-sign(d) to deal with keys with sha hash algo other than sha256, these are now converted to sha256.

I had more or less thoughtlessly created a gpg.conf in obs' gnupg directory forcing the hash algorithm to sha512, which worked so far, until the key expired. Extending did not work, but with Michael's changes this works now. The relevant change is in github and is dated Sep 9th.

Thank you again, Michael!

Greetings,
Stefan

--
Stefan Botter zu Hause Bremen
participants (3)
- Christian
- Michael Schroeder
- Stefan Botter
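
The failure in this thread came down to which hash algorithm the project key's self-signature was made with (sha512 forced through gpg.conf, while the error message expected sha1). As an added example, not code from obs-sign or from anyone in the thread, the following Python reads the hash algorithm from the certification signature packets of a binary OpenPGP public key using the RFC 4880 packet layout. The function names, the `sha1` default (taken from the error message) and the sample bytes are assumptions made for the example.

```python
# Hash algorithm IDs from RFC 4880 section 9.4
HASH_NAMES = {1: "md5", 2: "sha1", 3: "ripemd160",
              8: "sha256", 9: "sha384", 10: "sha512", 11: "sha224"}

def iter_packets(data):
    """Yield (tag, body) for each packet in binary OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if not hdr & 0x80:
            raise ValueError(f"no packet header at offset {i} (armored input?)")
        i += 1
        if hdr & 0x40:                       # new-format header
            tag, first = hdr & 0x3F, data[i]
            if first < 192:
                length, i = first, i + 1
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i + 1] + 192, i + 2
            elif first == 255:
                length, i = int.from_bytes(data[i + 1:i + 5], "big"), i + 5
            else:
                raise ValueError("partial body lengths are not handled here")
        else:                                # old-format header
            tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length is not handled here")
            n = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + n], "big"), i + n
        yield tag, data[i:i + length]
        i += length

def cert_sig_hashes(data):
    """Hash names of v4 certification signatures (types 0x10-0x13)."""
    # v4 signature body: version, signature type, pubkey algo, hash algo, ...
    return [HASH_NAMES.get(body[3], f"unknown({body[3]})")
            for tag, body in iter_packets(data)
            if tag == 2 and len(body) >= 4 and body[0] == 4
            and 0x10 <= body[1] <= 0x13]

def mismatches(data, sign_hash="sha1"):
    """Certification hashes that differ from the hash sign is called with."""
    return [h for h in cert_sig_hashes(data) if h != sign_hash]

def sample_pkt(tag, body):
    """Constructed-sample helper: old-format header with a 1-byte length."""
    return bytes([0x80 | (tag << 2), len(body)]) + body

# Constructed sample, not a real key: key and signature material are dummy
# bytes. Packets: public key (6), user ID (13), sha512 certification (2).
SAMPLE = (sample_pkt(6, b"\x04" + bytes(9))
          + sample_pkt(13, b"sample <obs@example.invalid>")
          + sample_pkt(2, bytes([4, 0x13, 1, 10]) + bytes(6)))
```

The input must be binary key data; ASCII-armored keys have to be dearmored first, and the function reports every certification signature in the data without checking that the issuer is the key itself.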