add a new key signed by an old one to an OBS repo?
Hi OBS community,
today when running "zypper ref" on one of my raspberry pies, I saw the
following:
------8<-----snip----8<------
Retrieving: repomd.xml ..........................................[done]
Repository: openSUSE-Tumbleweed-Oss
Key Fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
Key Name: openSUSE Project Signing Key
On Fri, Sep 09, 2022 at 09:22:52AM +0200, Stefan Seyfried wrote:
> Hi OBS community,
>
> today when running "zypper ref" on one of my raspberry pies, I saw the following:
>
> ------8<-----snip----8<------
> Retrieving: repomd.xml ..........................................[done]
>
> Repository: openSUSE-Tumbleweed-Oss
> Key Fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
> Key Name: openSUSE Project Signing Key
> Key Algorithm: RSA 2048
> Key Created: Mon May 5 08:37:40 2014
> Key Expires: Thu May 2 08:37:40 2024
> Rpm Name: gpg-pubkey-3dbdc284-53674dd4
>
> Note: Received 1 new package signing key from repository "openSUSE-Tumbleweed-Oss":
>
> Those additional keys are usually used to sign packages shipped by the repository. In order to validate those packages upon download and installation the new keys will be imported into the rpm database.
>
> New:
> Key Fingerprint: AD48 5664 E901 B867 051A B15F 35A2 F86E 29B7 00A4
> Key Name: openSUSE Project Signing Key
> Key Algorithm: RSA 4096
> Key Created: Mon Jun 20 14:03:14 2022
> Key Expires: Fri Jun 19 14:03:14 2026
> Rpm Name: gpg-pubkey-29b700a4-62b07e22
>
> The repository metadata introducing the new keys have been signed and validated by the trusted key:
>
> Repository: openSUSE-Tumbleweed-Oss
> Key Fingerprint: 22C0 7BA5 3417 8CD0 2EFE 22AA B88B 2FD4 3DBD C284
> Key Name: openSUSE Project Signing Key
> Key Algorithm: RSA 2048
> Key Created: Mon May 5 08:37:40 2014
> Key Expires: Thu May 2 08:37:40 2024
> Rpm Name: gpg-pubkey-3dbdc284-53674dd4
> ------8<-----snip----8<------
>
> I would be *very* interested in doing something like that on my private OBS installation (replacing an old RSA1024 key with a current one without having all installations manually accept that key).
>
> Is there documentation available on how to achieve this?

This is delivered via the repomd.xml file.

repodata/repomd.xml:

  <tags>
    <content>pool</content>
    <content>gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284</content>
    <content>gpg-pubkey-39db7c82-5f68629b.asc?fpr=FEAB502539D846DB2C0961CA70AF9E8139DB7C82</content>
    <content>gpg-pubkey-29b700a4-62b07e22.asc?fpr=AD485664E901B867051AB15F35A2F86E29B700A4</content>
    <repo>obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20220907/i586</repo>
    <repo>obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20220907/x86_64</repo>
    <distro cpeid="cpe:/o:opensuse:opensuse:20220907">openSUSE Tumbleweed</distro>
  </tags>

and the gpg-pubkey files are put into the / directory, e.g. here:

http://download.opensuse.org/tumbleweed/repo/oss/

And zypper will auto-import those keys.

Ciao, Marcus
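
Added example, not part of the thread and not OBS or zypper code: a small audit of the key tags a repomd.xml advertises, run before rolling out a key change. It checks that each gpg-pubkey file name agrees with its fpr= value, decodes the creation time carried in the name (it matches the "Key Created" lines in the zypper output above), and flags fingerprints outside a pinned set. The function name, the PINNED set and the fourth sample entry are constructed for illustration, and the repomd.xml signature is assumed to have been verified already.

```python
import re
import xml.etree.ElementTree as ET
from datetime import datetime, timezone

# Constructed sample: the three key tags quoted in the thread plus one
# made-up entry whose file name does not match its fingerprint.
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
<tags>
  <content>pool</content>
  <content>gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284</content>
  <content>gpg-pubkey-39db7c82-5f68629b.asc?fpr=FEAB502539D846DB2C0961CA70AF9E8139DB7C82</content>
  <content>gpg-pubkey-29b700a4-62b07e22.asc?fpr=AD485664E901B867051AB15F35A2F86E29B700A4</content>
  <content>gpg-pubkey-0badc0de-62b07e22.asc?fpr=00112233445566778899AABBCCDDEEFF00112233</content>
</tags>
</repomd>"""

# Fingerprints the administrator expects this repository to advertise
# (assumed local policy, here the three fingerprints from the thread).
PINNED = {
    "22C07BA534178CD02EFE22AAB88B2FD43DBDC284",
    "FEAB502539D846DB2C0961CA70AF9E8139DB7C82",
    "AD485664E901B867051AB15F35A2F86E29B700A4",
}

KEY_TAG = re.compile(
    r"^gpg-pubkey-([0-9a-f]{8})-([0-9a-f]{8})\.asc\?fpr=([0-9A-Fa-f]{40})$")

def audit_advertised_keys(repomd_xml, pinned):
    """Return one finding dict per gpg-pubkey <content> tag in repomd.xml."""
    findings = []
    for el in ET.fromstring(repomd_xml).iter():
        text = (el.text or "").strip()
        # Match on the local tag name so the default XML namespace is ignored.
        if el.tag.rsplit("}", 1)[-1] != "content" or not text.startswith("gpg-pubkey-"):
            continue
        m = KEY_TAG.match(text)
        if not m:
            findings.append({"entry": text, "problems": ["unparseable key tag"]})
            continue
        keyid, created_hex, fpr = m.group(1), m.group(2), m.group(3).upper()
        problems = []
        if fpr[-8:].lower() != keyid:  # name carries the low 32 bits of the fingerprint
            problems.append("file name key id does not match fingerprint")
        if fpr not in pinned:
            problems.append("fingerprint not in pinned set")
        created = datetime.fromtimestamp(int(created_hex, 16), tz=timezone.utc)
        findings.append({"entry": text, "fingerprint": fpr, "problems": problems,
                         "created": created.strftime("%Y-%m-%d %H:%M:%S")})
    return findings

if __name__ == "__main__":
    for f in audit_advertised_keys(SAMPLE_REPOMD, PINNED):
        print(f["entry"], f.get("created", "-"), f["problems"] or "ok")
```
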

Hi Marcus,

thanks for the hint (and sorry for the double post, I had the old opesuse-buildservice@... address still in my address book)

On 09.09.22 11:07, Marcus Meissner wrote:
> On Fri, Sep 09, 2022 at 09:22:52AM +0200, Stefan Seyfried wrote:
>> Hi OBS community,
>>
>> today when running "zypper ref" on one of my raspberry pies, I saw the following:
>>
>> ------8<-----snip----8<------
>> Retrieving: repomd.xml ..........................................[done]
...
>> Note: Received 1 new package signing key from repository "openSUSE-Tumbleweed-Oss":
...
>> The repository metadata introducing the new keys have been signed and
>> validated by the trusted key:
...
>> ------8<-----snip----8<------
>>
>> I would be *very* interested in doing something like that on my private OBS installation (replacing an old RSA1024 key with a current one without having all installations manually accept that key).
>>
>> Is there documentation available on how to achieve this?
>
> This is delivered via the repomd.xml file.
>
> repodata/repomd.xml:
>
>   <tags>
>     <content>pool</content>
>     <content>gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284</content>
>     <content>gpg-pubkey-39db7c82-5f68629b.asc?fpr=FEAB502539D846DB2C0961CA70AF9E8139DB7C82</content>
>     <content>gpg-pubkey-29b700a4-62b07e22.asc?fpr=AD485664E901B867051AB15F35A2F86E29B700A4</content>
>     <repo>obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20220907/i586</repo>
>     <repo>obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20220907/x86_64</repo>
>     <distro cpeid="cpe:/o:opensuse:opensuse:20220907">openSUSE Tumbleweed</distro>
>   </tags>
>
> and the gpg-pubkey files are put into the / directory, e.g. here:
>
> http://download.opensuse.org/tumbleweed/repo/oss/
>
> And zypper will auto-import those keys.

Ok, so this is created by some custom publishing hook or such and not by plain "configure $FEATURE in the obs config" I guess?

--
Stefan Seyfried

"For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman

On Sep 09 2022, Stefan Seyfried wrote:
> Ok, so this is created by some custom publishing hook or such and not by plain "configure $FEATURE in the obs config" I guess?

The contents of the Factory repository are generated by openSUSE:Factory/000product, not by the builtin OBS publisher.

--
Andreas Schwab, schwab@linux-m68k.org
GPG Key fingerprint = 7578 EB47 D4E5 4D69 2510 2552 DF73 E780 A9DA AEC1
"And now for something completely different."

On Fri, Sep 09, 2022 at 01:04:36PM +0200, Stefan Seyfried wrote:
> Ok, so this is created by some custom publishing hook or such and not by plain "configure $FEATURE in the obs config" I guess?

I think it's a custom hook. That's for the buildservice people to answer.

Ciao, Marcus

participants (3)
- Andreas Schwab
- Marcus Meissner
- Stefan Seyfried