Hi Marcus, thanks for the hint (and sorry for the double post, I had the old opesuse-buildservice@... adress still in my address book) On 09.09.22 11:07, Marcus Meissner wrote:

On Fri, Sep 09, 2022 at 09:22:52AM +0200, Stefan Seyfried wrote:

...

Hi OBS community,

today when running "zypper ref" on one of my raspberry pies, I saw the following:

------8<-----snip----8<------ Retrieving: repomd.xml ..........................................[done] ...>> Note: Received 1 new package signing key from repository "openSUSE-Tumbleweed-Oss":

...>> The repository metadata introducing the new keys have been signed and

...

validated by the trusted key: ... ------8<-----snip----8<------

I would be *very* interested in doing something like that on my private OBS installation (replacing an old RSA1024 key with a current one without having all installations manually accept that key).

Is there documentation available on how to achieve this?

This is delivered via the repomd.xml file.

repodata/repomd.xml: <tags> <content>pool</content> <content>gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284</content> <content>gpg-pubkey-39db7c82-5f68629b.asc?fpr=FEAB502539D846DB2C0961CA70AF9E8139DB7C82</content> <content>gpg-pubkey-29b700a4-62b07e22.asc?fpr=AD485664E901B867051AB15F35A2F86E29B700A4</content> <repo>obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20220907/i586</repo> <repo>obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20220907/x86_64</repo> <distro cpeid="cpe:/o:opensuse:opensuse:20220907">openSUSE Tumbleweed</distro> </tags>

and the gpg-pubkey files are put into the / directory, e.g. here:

http://download.opensuse.org/tumbleweed/repo/oss/

And zypper will auto-import those keys.

Ok, so this is created by some custom publishing hook or such and not by plain "configure $FEATURE in the obs config" I guess? -- Stefan Seyfried "For a successful technology, reality must take precedence over public relations, for nature cannot be fooled." -- Richard Feynman

On Fri, Sep 09, 2022 at 01:04:36PM +0200, Stefan Seyfried wrote:

Hi Marcus,

thanks for the hint (and sorry for the double post, I had the old opesuse-buildservice@... adress still in my address book)

On 09.09.22 11:07, Marcus Meissner wrote:

...

On Fri, Sep 09, 2022 at 09:22:52AM +0200, Stefan Seyfried wrote:

...

Hi OBS community,

today when running "zypper ref" on one of my raspberry pies, I saw the following:

------8<-----snip----8<------ Retrieving: repomd.xml ..........................................[done] ...>> Note: Received 1 new package signing key from repository "openSUSE-Tumbleweed-Oss":

...>> The repository metadata introducing the new keys have been signed and

...

validated by the trusted key: ... ------8<-----snip----8<------

I would be *very* interested in doing something like that on my private OBS installation (replacing an old RSA1024 key with a current one without having all installations manually accept that key).

Is there documentation available on how to achieve this?

This is delivered via the repomd.xml file.

repodata/repomd.xml: <tags> <content>pool</content> <content>gpg-pubkey-3dbdc284-53674dd4.asc?fpr=22C07BA534178CD02EFE22AAB88B2FD43DBDC284</content> <content>gpg-pubkey-39db7c82-5f68629b.asc?fpr=FEAB502539D846DB2C0961CA70AF9E8139DB7C82</content> <content>gpg-pubkey-29b700a4-62b07e22.asc?fpr=AD485664E901B867051AB15F35A2F86E29B700A4</content> <repo>obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20220907/i586</repo> <repo>obsproduct://build.opensuse.org/openSUSE:Factory/openSUSE/20220907/x86_64</repo> <distro cpeid="cpe:/o:opensuse:opensuse:20220907">openSUSE Tumbleweed</distro> </tags>

and the gpg-pubkey files are put into the / directory, e.g. here:

http://download.opensuse.org/tumbleweed/repo/oss/

And zypper will auto-import those keys.

Ok, so this is created by some custom publishing hook or such and not by plain "configure $FEATURE in the obs config" I guess?

I think its a custom hook. Thats for the buildservice people to answer. Ciao, Marcus