Hello! Today I tried to use OBS to build for Fedora 39 on Debian Unstable (there runs osc). Verifying integrity of cached packages using keys from Fedora:39, OBS warning: /var/tmp/osbuild-packagecache/Fedora:39/standard/x86_64/alternatives-1.25-1.fc39.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 18b8e74c: NOKEY What is the proper way to add these keys? Should I use rpm --import? I have tried that with the key from https://fedoraproject.org/fedora.gpg, but osc doesn't seem to care. What is the proper way to handle that? -- kind regards Marco Send unsolicited bulk mail to 1710863334muell@cartoonies.org
Hi Marco, On 19.03.24 16:59 Marco Moock wrote:
Today I tried to use OBS to build for Fedora 39 on Debian Unstable (there runs osc).
What is the proper way to add these keys?
Only builds on the OBS are signed, if you are building locally you get packages with NOKEY warnings. But as you actively just built them it is safe to install them anyway. Or did I misunderstand you? Kind Regards Johannes
Am 20.03.2024 um 07:10:51 Uhr schrieb Johannes Kastl:
Only builds on the OBS are signed, if you are building locally you get packages with NOKEY warnings. But as you actively just built them it is safe to install them anyway.
Or did I misunderstand you?
Those warning occur for build dependencies /var/tmp/osbuild-packagecache/Fedora:39/standard/x86_64/alternatives-1.25-1.fc39.x86_64.rpm A lot more lines show up here. I don't want to build those packages, but it needs them to build my package. -- kind regards Marco Send unsolicited bulk mail to 1710915051muell@cartoonies.org
On Dienstag, 19. März 2024, 16:59:20 CET Marco Moock wrote:
Hello!
Today I tried to use OBS to build for Fedora 39 on Debian Unstable (there runs osc).
Verifying integrity of cached packages using keys from Fedora:39, OBS warning: /var/tmp/osbuild-packagecache/Fedora:39/standard/x86_64/alternatives-1.25-1.fc39.x86_64.rpm: Header V4 RSA/SHA256 Signature, key ID 18b8e74c: NOKEY
What is the proper way to add these keys? Should I use rpm --import? I have tried that with the key from https://fedoraproject.org/fedora.gpg, but osc doesn't seem to care.
What is the proper way to handle that?
You are using a chroot build environment. This is not safe against
evil attackes, so you would need to trust these rpms via import.
Or ignoring the reports (it did not abort, right?)
Or use a safe build environment for example with
osc build --vm-type=kvm ....
--
Adrian Schroeter
participants (3)
-
Adrian Schröter
-
Johannes Kastl
-
Marco Moock