[opensuse-buildservice] Missing public key with 'yum install' from my home project
Hi all
Looks like there have been some changes to the way packages are signed in OBS. I only ever use the web UI and don't see anything there that addresses this problem ('yum update' output):
Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 21ab0e4c
What can I do? Where is this missing key? Where is this documented?
Cheers
JP
---------------------------------------------------------------------
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On Wednesday 05 March 2008 03:10:24 wrote John Pye:
Hi all
Looks like there have been some changes to the way packages are signed in OBS. I only ever use the web UI and don't see anything there that addresses this problem ('yum update' output):
Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 21ab0e4c
What can I do? Where is this missing key? Where is this documented?
The key is part of the repository, tools based on libzypp offer to import it in this situation. You can manually import it (does yum offer a function for that ?) when loading the key from repodata/repomd.xml.key in each repository.
These changes have been announced here: http://lists.opensuse.org/opensuse-announce/2008-01/msg00010.html
bye
adrian
--
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de
Adrian Schröter wrote:
http://lists.opensuse.org/opensuse-announce/2008-01/msg00010.html
Why aren't the new public keys sent automatically to a key server (i.e. pgp.mit.edu) at creation time?
--
"Morality is merely an interpretation of certain phenomena — more precisely, a misinterpretation." - Friedrich Nietzsche
Cristian Rodríguez R.
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/
On Wed, 5 Mar 2008, Cristian Rodríguez wrote:
Adrian Schröter wrote:
http://lists.opensuse.org/opensuse-announce/2008-01/msg00010.html
Why aren't the new public keys sent automatically to a key server (i.e. pgp.mit.edu) at creation time?
I agree. I have found several keys cannot be found on the keyservers. I really think they should be put on the public servers. Some keys are available and others are not.
--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
On Wed, 5 Mar 2008, Boyd Lynn Gerber wrote:
On Wed, 5 Mar 2008, Cristian Rodríguez wrote:
Adrian Schröter wrote:
http://lists.opensuse.org/opensuse-announce/2008-01/msg00010.html
Why aren't the new public keys sent automatically to a key server (i.e. pgp.mit.edu) at creation time?
I agree. I have found several keys cannot be found on the keyservers. I really think they should be put on the public servers. Some keys are available and others are not.
This is the one I just found.
gpg --keyserver pgp.mit.edu --recv-keys d986a842
There are others that are not on the public servers. I do not remember them all. The other two that I had on my more recent list are now available.
--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
On Wed, Mar 05, 2008 at 09:28:08PM -0700, Boyd Lynn Gerber wrote:
On Wed, 5 Mar 2008, Boyd Lynn Gerber wrote:
On Wed, 5 Mar 2008, Cristian Rodríguez wrote:
Adrian Schröter wrote:
http://lists.opensuse.org/opensuse-announce/2008-01/msg00010.html
Why aren't the new public keys sent automatically to a key server (i.e. pgp.mit.edu) at creation time?
I agree. I have found several keys cannot be found on the keyservers. I really think they should be put on the public servers. Some keys are available and others are not.
This is the one I just found.
gpg --keyserver pgp.mit.edu --recv-keys d986a842
There are others that are not on the public servers. I do not remember them all. The other two that I had on my more recent list are now available.
Only the ones manually uploaded by people are available.
They were not automatically uploaded, since especially due to the home:* directories there are quite many of them.
(But you can always upload them yourselves.)
Ciao, Marcus
On Thu, 6 Mar 2008, Marcus Meissner wrote:
On Wed, Mar 05, 2008 at 09:28:08PM -0700, Boyd Lynn Gerber wrote:
On Wed, 5 Mar 2008, Boyd Lynn Gerber wrote:
On Wed, 5 Mar 2008, Cristian Rodríguez wrote:
Adrian Schröter wrote:
http://lists.opensuse.org/opensuse-announce/2008-01/msg00010.html
Why aren't the new public keys sent automatically to a key server (i.e. pgp.mit.edu) at creation time?
I agree. I have found several keys cannot be found on the keyservers. I really think they should be put on the public servers. Some keys are available and others are not.
This is the one I just found.
gpg --keyserver pgp.mit.edu --recv-keys d986a842
There are others that are not on the public servers. I do not remember them all. The other two that I had on my more recent list are now available.
Only the ones manually uploaded by people are available.
They were not automatically uploaded, since especially due to the home:* directories there are quite many of them.
(But you can always upload them yourselves.)
But I do not have access to d986a842.
My key is
pub 1024D/277BDDE6 2001-05-31
uid Boyd Lynn Gerber (CEO/Owner ZENEZ) <gerberb@zenez.com>
sub 1024g/FF185552 2001-05-31
I did an osc co on
drwxr-xr-x 249 gerberb zenez 12288 2008-02-11 22:24 devel:languages:perl/
drwxr-xr-x 137 gerberb zenez 4096 2008-02-11 22:43 devel:languages:python/
drwxr-xr-x 6 gerberb zenez 4096 2008-02-11 22:46 games:roleplay/
drwxr-xr-x 11 gerberb zenez 4096 2008-02-11 22:03 home:gerberb/
drwxr-xr-x 72 gerberb zenez 4096 2008-02-11 23:10 server:mail/
I have the python libraries I use and work on in /home:gerberb because I do not have access to the devel:languages:python. So I build them in my local directory. The ones in the python and server:mail are out of date. So I am trying to create updated packages that I can then email to the proper person in charge of them to update. I am having problems with the gpg keys on the BS and not being able to get them. That is why I think they should be uploaded. There are workarounds but I really prefer to build local. So that is where the problem lies. Not all BS keys are publicly available.
--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
On Thu, 6 Mar 2008, Boyd Lynn Gerber wrote:
On Thu, 6 Mar 2008, Marcus Meissner wrote:
On Wed, Mar 05, 2008 at 09:28:08PM -0700, Boyd Lynn Gerber wrote:
On Wed, 5 Mar 2008, Boyd Lynn Gerber wrote:
On Wed, 5 Mar 2008, Cristian Rodríguez wrote:
Adrian Schröter wrote:
http://lists.opensuse.org/opensuse-announce/2008-01/msg00010.html
Why aren't the new public keys sent automatically to a key server (i.e. pgp.mit.edu) at creation time?
I agree. I have found several keys cannot be found on the keyservers. I really think they should be put on the public servers. Some keys are available and others are not.
This is the one I just found.
gpg --keyserver pgp.mit.edu --recv-keys d986a842
There are others that are not on the public servers. I do not remember them all. The other two that I had on my more recent list are now available.
Only the ones manually uploaded by people are available.
They were not automatically uploaded, since especially due to the home:* directories there are quite many of them.
(But you can always upload them yourselves.)
But I do not have access to d986a842.
My key is
pub 1024D/277BDDE6 2001-05-31
uid Boyd Lynn Gerber (CEO/Owner ZENEZ) <gerberb@zenez.com>
sub 1024g/FF185552 2001-05-31
I did an osc co on
drwxr-xr-x 249 gerberb zenez 12288 2008-02-11 22:24 devel:languages:perl/
drwxr-xr-x 137 gerberb zenez 4096 2008-02-11 22:43 devel:languages:python/
drwxr-xr-x 6 gerberb zenez 4096 2008-02-11 22:46 games:roleplay/
drwxr-xr-x 11 gerberb zenez 4096 2008-02-11 22:03 home:gerberb/
drwxr-xr-x 72 gerberb zenez 4096 2008-02-11 23:10 server:mail/
I have the python libraries I use and work on in /home:gerberb because I do not have access to the devel:languages:python. So I build them in my local directory. The ones in the python and server:mail are out of date. So I am trying to create updated packages that I can then email to the proper person in charge of them to update. I am having problems with the gpg keys on the BS and not being able to get them. That is why I think they should be uploaded. There are workarounds but I really prefer to build local. So that is where the problem lies. Not all BS keys are publicly available.
The workaround for local build is the --no-verify, which in my opinion is a security risk. I would really like to have the keys.
--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
On Thursday 06 March 2008 08:03:57 wrote Boyd Lynn Gerber: ...
The workaround for local build is the --no-verify, which in my opinion is a security risk. I would really like to have the keys.
You may want to make a feature request in bugzilla to download the key automatically in osc when starting the build.
However, I am not sure if that might be a security risk as well, since you usually do trust this repo as well and it can take over your system (if you do not build with XEN). But there is no difference compared to automatic downloading the key from a keyserver and accepting it.
bye
adrian
--
Adrian Schroeter
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
email: adrian@suse.de
On Thu, 6 Mar 2008, Adrian Schröter wrote:
On Thursday 06 March 2008 08:03:57 wrote Boyd Lynn Gerber:
The workaround for local build is the --no-verify, which in my opinion is a security risk. I would really like to have the keys.
You may want to make a feature request in bugzilla to download the key automatically in osc when starting the build.
done
https://bugzilla.novell.com/show_bug.cgi?id=367666
--
Boyd Gerber <gerberb@zenez.com>
ZENEZ 1042 East Fort Union #135, Midvale Utah 84047
Hi Adrian
Adrian Schröter wrote:
On Wednesday 05 March 2008 03:10:24 wrote John Pye:
Hi all
Looks like there have been some changes to the way packages are signed in OBS. I only ever use the web UI and don't see anything there that addresses this problem ('yum update' output):
Total download size: 3.5 M
Is this ok [y/N]: y
Downloading Packages:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 21ab0e4c
What can I do? Where is this missing key? Where is this documented?
The key is part of the repository, tools based on libzypp offer to import it in this situation.
You can manually import it (does yum offer a function for that ?) when loading the key from repodata/repomd.xml.key in each repository.
I worked out the problem. I needed to update my home:jdpipe.repo file in /etc/yum.repos.d then run 'yum clean all'. After this, YUM asked me if I wanted to install the required GPG key. I guess that the problem was that the .repo file needed to be updated because presumably it previously didn't contain the 'gpgkey=' line.
So basically the problem comes about when a repository that wasn't signing packages starts signing packages but the user doesn't know that they needed to update the .repo file.
Cheers
JP
Hi John,
On Thu, Mar 06, 2008 at 12:31:19PM +1100, John Pye wrote:
warning: rpmts_HdrFromFdno: Header V3 DSA signature: NOKEY, key ID 21ab0e4c
You can manually import it (does yum offer a function for that ?) when loading the key from repodata/repomd.xml.key in each repository.
I worked out the problem. I needed to update my home:jdpipe.repo file in /etc/yum.repos.d then run 'yum clean all'. After this, YUM asked me if I wanted to install the required GPG key. I guess that the problem was that the .repo file needed to be updated because presumably it previously didn't contain the 'gpgkey=' line.
So basically the problem comes about when a repository that wasn't signing packages starts signing packages but the user doesn't know that they needed to update the .repo file.
About a month ago, I posted a script to this list which goes through the repo files and adjusts the gpgkey= lines. Because I had the same problem...
Peter
--
"WARNING: This bug is visible to non-employees. Please be respectful!"
SUSE LINUX Products GmbH
Research & Development
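The check behind John's fix and the kind of pass over .repo files that Peter mentions, as an added example (not Peter's script and not code posted to this list): it parses yum .repo content, flags sections with gpgcheck=0 or no gpgkey= line, and proposes a key URL at the repodata/repomd.xml.key location Adrian names. The section names, the download.example.org host and the helper name audit_repo_text are constructed for the example.

```python
import configparser

KEY_PATH = "repodata/repomd.xml.key"  # key location named in the thread

# Constructed sample .repo content; host and section names are placeholders.
SAMPLE_REPO = """\
[home_jdpipe]
name=home:jdpipe (constructed sample, written before the repo was signed)
baseurl=http://download.example.org/repositories/home:/jdpipe/Fedora_8/
enabled=1
gpgcheck=0

[devel_tools]
name=devel:tools (constructed sample, already updated)
baseurl=http://download.example.org/repositories/devel:/tools/Fedora_8
enabled=1
gpgcheck=1
gpgkey=http://download.example.org/repositories/devel:/tools/Fedora_8/repodata/repomd.xml.key
"""

def audit_repo_text(text):
    """Return {section: [findings]} for sections that cannot verify signatures."""
    # Only '=' is a delimiter, so colons in URLs and project names stay in the value.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(text)
    report = {}
    for section in cp.sections():
        if section == "main":  # global yum settings, not a repository
            continue
        opts = cp[section]
        findings = []
        if opts.get("gpgcheck", "").strip() == "0":
            findings.append("gpgcheck=0: package signatures are not verified")
        if not opts.get("gpgkey", "").strip():
            base = opts.get("baseurl", "").split()  # baseurl may list several URLs
            if base:
                key = base[0].rstrip("/") + "/" + KEY_PATH
                findings.append("no gpgkey= line; candidate: gpgkey=" + key)
            else:
                findings.append("no gpgkey= line and no baseurl to derive one from")
        if findings:
            report[section] = findings
    return report

if __name__ == "__main__":
    for section, findings in audit_repo_text(SAMPLE_REPO).items():
        for finding in findings:
            print(f"[{section}] {finding}")
```

The candidate line only tells yum where to fetch the key; the key yum offers at its import prompt still has to be compared with one obtained from a source you trust.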
participants (6): Adrian Schröter, Boyd Lynn Gerber, Cristian Rodríguez, Dr. Peter Poeml, John Pye, Marcus Meissner