Unconditional rebuild of project - or re-signing every package in a project

Hi everyone,

I need help on a private instance of OBS: Packman (PMBS). Due to oversight/laziness the standard GPG key expired a while ago. Once I extended the key, one of the projects could not be signed anymore. Most probably while fixing the expired-key problem I removed a very old standard key from the keyring, which in turn signed the project key of the now failing project. I could get the project working and signing by issuing a new project key using 'osc signkey ...'.

So far everything is ok, but with Packman we have an external publishing mechanism (through publishing_hooks), which stages published repos to an external server, where the packages are re-signed with the Packman RPM key. Part of the re-signing is a check for the original key used by PMBS. If the key used on PMBS is not in the keyring of the re-signer, the packages are not re-signed and hence not published. Totally our problem.

The way out for me is either
a) allow the new key on the re-signer, or
b) change the project key on PMBS for said project.

Option "a" is easy, but I am not allowed to do that, and our fellow with access is not available at the moment. I chose option "b" using a modified already known key and injected it into the project using 'obs_admin -update-project-signing-key ...'. This is working perfectly.

Now the problem at hand: New packages are signed, re-signed and published through our workflow as expected. All other packages built since the issue with the renewed project signing key started and before I set the actual working project key are still signed with the "unknown" key and are not re-signed and published.

I see three possible ways out of this situation:
1. wait for an occasional rebuild of the respective package,
2. rebuild the whole project unconditionally, or
3. re-sign all packages from the project with the new project key, and republish through PMBS.

Solution 1 is of course the "natural" way, but it is unclear when rebuild and publishing happens, and it is sort of random - lame :)
Solution 2 is acceptable, but is costlier than 3.
Solution 3 seems the fastest, but I am unsure if this can be triggered from PMBS.

TL;DR: How can I trigger an unconditional rebuild of all packages inside a project? Can I trigger only a re-signing of packages in a project, and trigger a fresh publishing from PMBS?

Any help is greatly appreciated!

TIA,
Stefan

PS: The project in question is "Multimedia", which seems to be quite popular :)

--
Stefan Botter zu Hause
Bremen

On 21.03.21 at 10:05, Stefan Botter wrote:

Hi Stefan,

> Solution 2 is acceptable, but is costlier than 3.

  osc rebuildpac --all <PROJECT>

But if a package rebuilds as "unchanged", you still won't get your new signing key. So to avoid that, use

  Support: !build-compare

in your project config while the rebuild is going on.

> Solution 3 seems the fastest, but I am unsure, if this can be triggered from PMBS.

I'm not aware of any such option at least.

Greetings, Stephan

--
Lighten up, just enjoy life, smile more, laugh more, and don't get so worked up about things. Kenneth Branagh
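The thread above turns on which already-built packages still carry a signing key the re-signer does not accept. The following is an added example, not part of the original thread or of OBS/PMBS tooling: it sorts packages by signing key ID, assuming input lines of the form `<package> <signature text>` as produced by an rpm query format using the `:pgpsig` formatter. The package names, key IDs and the function names `classify` and `needs_rebuild` are constructed for illustration.

```python
import re

# Matches the long key ID in rpm's ":pgpsig" text, e.g. "..., Key ID 0123456789abcdef"
KEY_ID_RE = re.compile(r"Key ID ([0-9A-Fa-f]{16})\b")

# Constructed sample input; names, dates and key IDs are made up.
SAMPLE = """\
pkg-a-1.0-1.1.x86_64 RSA/SHA256, Sat Mar 20 18:02:11 2021, Key ID 1111111111111111
pkg-b-2.3-4.2.x86_64 RSA/SHA256, Mon Mar  8 09:41:30 2021, Key ID 2222222222222222
pkg-c-0.9-7.1.noarch RSA/SHA256, Sun Mar 21 07:15:02 2021, Key ID 1111111111111111
pkg-d-5.1-2.3.x86_64 (none)
"""

# Assumption: the key IDs present in the re-signer's keyring (placeholder value).
ACCEPTED = {"1111111111111111"}


def classify(query_output, accepted_key_ids):
    """Group packages by whether their signing key is in the accepted set."""
    accepted = {k.lower() for k in accepted_key_ids}
    result = {"accepted": [], "unknown_key": [], "unsigned": []}
    for line in query_output.splitlines():
        line = line.strip()
        if not line:
            continue
        package, _, sig = line.partition(" ")
        match = KEY_ID_RE.search(sig)
        if match is None:
            # No key ID in the signature text, e.g. "(none)"
            result["unsigned"].append(package)
        elif match.group(1).lower() in accepted:
            result["accepted"].append(package)
        else:
            result["unknown_key"].append((package, match.group(1).lower()))
    return result


def needs_rebuild(result):
    """Packages the re-signer would refuse: unknown key or no signature."""
    return sorted([p for p, _ in result["unknown_key"]] + result["unsigned"])


if __name__ == "__main__":
    for name in needs_rebuild(classify(SAMPLE, ACCEPTED)):
        print(name)
```

Comparing the full 16-hex-digit key ID rather than the short 8-digit form avoids matching a different key that shares the same suffix.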

participants (2): Stefan Botter, Stephan Kulow