[opensuse-buildservice] missing key and not found on keyserver
Hi, sometimes when building a package on the BS I get the following message: The following package could not be verified: /var/tmp/osbuild-packagecache/openSUSE:Factory/standard/i586/aaa_base-11.1-10003.3.i586.rpm: RSA sha1 (MD5) (PGP) md5 NOT OK (MISSING KEYS: PGP#3dbdc284) With the following advice: - If the key is missing, install it first. For example, do the following: gpg --keyserver pgp.mit.edu --recv-keys 3dbdc284 When I do that, the key is not found :( # gpg --keyserver pgp.mit.edu --recv-keys 3dbdc284 gpg: requesting key 3DBDC284 from hkp server pgp.mit.edu gpgkeys: key 3DBDC284 not found on keyserver gpg: no valid OpenPGP data found. gpg: Total number processed: 0 # gpg --keyserver pgp.mit.edu --recv-keys a7c72b33 gpg: requesting key A7C72B33 from hkp server pgp.mit.edu gpgkeys: key A7C72B33 not found on keyserver When I try another it works.... How com that the keys of the buildserver are not found on the keyserver? Should I use a different keyserver? For now I use --no-verify to continue the build. Looking forward to an advice how to deal with this. -- Richard Bos Without a home the journey is endless -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
Richard Bos wrote:
# gpg --keyserver pgp.mit.edu --recv-keys 3dbdc284 gpg: requesting key 3DBDC284 from hkp server pgp.mit.edu gpgkeys: key 3DBDC284 not found on keyserver gpg: no valid OpenPGP data found. gpg: Total number processed: 0
# gpg --keyserver pgp.mit.edu --recv-keys a7c72b33 gpg: requesting key A7C72B33 from hkp server pgp.mit.edu gpgkeys: key A7C72B33 not found on keyserver
When I try another it works.... How com that the keys of the buildserver are not found on the keyserver? Should I use a different keyserver?
No, it will not help. It is happening because no one uploaded the mentioned key to GPG keyserver. I'm not sure if this should be done automatically by OBS now, but I had to manually upload key for X11:xfce repository to GPG keyserver(s) a year ago.
For now I use --no-verify to continue the build. Looking forward to an advice how to deal with this.
PS: I use one trick. I add repo that contains problematic key with zypper and then I remove it immediately. This will add key to cache. -- Best Regards / S pozdravom, Pavol RUSNAK SUSE LINUX, s.r.o Package Maintainer Lihovarska 1060/12 PGP 0xA6917144 19000 Praha 9, CR prusnak[at]suse.cz http://www.suse.cz -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
Pavol, Op Saturday 08 November 2008 13:17:16 schreef Pavol Rusnak:
When I try another it works.... How com that the keys of the buildserver are not found on the keyserver? Should I use a different keyserver?
No, it will not help. It is happening because no one uploaded the mentioned key to GPG keyserver. I'm not sure if this should be done automatically by OBS now, but I had to manually upload key for X11:xfce repository to GPG keyserver(s) a year ago.
For now I use --no-verify to continue the build. Looking forward to an advice how to deal with this.
PS: I use one trick. I add repo that contains problematic key with zypper and then I remove it immediately. This will add key to cache.
thanks, will do the same. -- Richard Bos Without a home the journey is endless -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Samstag 08 November 2008 13:36:27 Richard Bos wrote:
Pavol,
Op Saturday 08 November 2008 13:17:16 schreef Pavol Rusnak:
When I try another it works.... How com that the keys of the buildserver are not found on the keyserver? Should I use a different keyserver?
No, it will not help. It is happening because no one uploaded the mentioned key to GPG keyserver. I'm not sure if this should be done automatically by OBS now, but I had to manually upload key for X11:xfce repository to GPG keyserver(s) a year ago.
For now I use --no-verify to continue the build. Looking forward to an advice how to deal with this.
PS: I use one trick. I add repo that contains problematic key with zypper and then I remove it immediately. This will add key to cache.
thanks, will do the same.
just as a notice, having the keys on the server is one thing. The more important thing is that you need to import it into your local rpm key ring manually. And this is by intention, because you need to decide to trust the key. Keep in mind that the build script (like used by "osc build") is not a secure environment. Evil designed packages could break out, so it is not different to use a package to build or to install it security wise. However, the chroot setup should protect you from evil things which happens by accident (not with a specical crafted attack inside). bye adrian -- Adrian Schroeter SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg) email: adrian@suse.de -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
participants (3)
-
Adrian Schröter -
Pavol Rusnak -
Richard Bos