Occasional bad RPM signature on my OBS
Hi,

I've noticed this problem on my OBS instance for a while. I have set my OBS signer up following this guide[1], and set up the project certificate from an existing SSL certificate following the help text of obs_admin.

Now I noticed that every time I do a full rebuild of my project (with ~2500 packages), I end up with some rpm files (<30 usually) that have bad keys. Bad key means that when I verify them with `rpm -Kv` I can see BAD Key in the output.

But after I rebuild these packages, they are no longer bad. And every time I do the full project rebuild, the packages that have bad keys are always different. It seems this problem happens randomly on different rpm files.

I tried recreating the signer gpg key and the project certificate a few times, but that didn't solve the problem.

My OBS is v2.10.15, running on openSUSE Leap 15.3 at the latest patch level, if this matters.

Could someone help me figure out where I could possibly be wrong? Thanks a lot!

[1]: https://en.opensuse.org/openSUSE:Build_Service_Signer

Regards, Kai
By searching for failed package names in /srv/obs/log/signer.log, I noticed such errors:

    signing x86_64/$project::$repo::$package
    gpg: decryption failed: No secret key
    sign failed: 256 - checking digest

for failed packages. However, other packages in this same project were built without problem. I have no clue why this happened randomly to some packages.

I also did some tests and noticed that if the project doesn't have its own project key, or the project key is created by the `osc signkey --create` command, then there is no such problem. This problem only occurs with projects that have keys converted from an existing SSL cert and imported by the obs_admin command.

Any idea what I could possibly have done wrong?

Thanks, Kai

On 2022/06/04 Sat 16:52, Kai Liu wrote:
Hi,
I've noticed this problem on my OBS instance for a while. I have set my OBS signer up following this guide[1], and set up the project certificate from an existing SSL certificate following the help text of obs_admin.
Now I noticed that every time I do a full rebuild of my project (with ~2500 packages), I end up with some rpm files (<30 usually) that have bad keys. Bad key means that when I verify them with `rpm -Kv` I can see BAD Key in the output.
But after I rebuild these packages, they are no longer bad. And every time I do the full project rebuild, the packages that have bad keys are always different. It seems this problem happens randomly on different rpm files.
I tried recreating the signer gpg key and the project certificate a few times, but that didn't solve the problem.
My OBS is v2.10.15, running on openSUSE Leap 15.3 at the latest patch level, if this matters.
Could someone help me figure out where I could possibly be wrong? Thanks a lot!
[1]: https://en.opensuse.org/openSUSE:Build_Service_Signer
Regards, Kai
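
A small triage helper for the signer.log search described in the follow-up message, added here as an example and not part of the original posts: it pairs each `sign failed` line with the `signing` job before it and tallies failures per project and gpg error. The three-line record layout, the sample project names and the function names are assumptions.

```python
import re
from collections import Counter

# Constructed sample in the shape quoted in the post. Assumption: each job
# logs a "signing" line, and a failed job adds a gpg line and "sign failed".
SAMPLE_LOG = """\
signing x86_64/home:demo::Leap_15.3::pkg-a
signing x86_64/home:demo::Leap_15.3::pkg-b
gpg: decryption failed: No secret key
sign failed: 256 - checking digest
signing x86_64/home:other::Leap_15.3::pkg-c
signing aarch64/home:demo::Leap_15.3::pkg-d
gpg: decryption failed: No secret key
sign failed: 256 - checking digest
"""

SIGNING = re.compile(r"signing (\S+?)/(\S+)")
FAILED = re.compile(r"sign failed: (\d+)")


def failed_signings(log_text):
    """Return one record per 'sign failed' line, tied to the job before it."""
    failures, job, gpg_msg = [], None, None
    for line in log_text.splitlines():
        m = SIGNING.search(line)
        if m:  # a new job starts: forget any earlier gpg message
            job, gpg_msg = m.groups(), None
            continue
        if "gpg:" in line:
            gpg_msg = line.split("gpg:", 1)[1].strip()
            continue
        m = FAILED.search(line)
        parts = job[1].split("::") if job else []
        if m and len(parts) == 3:
            failures.append({"arch": job[0], "project": parts[0],
                             "repo": parts[1], "package": parts[2],
                             "status": int(m.group(1)), "gpg": gpg_msg})
            job = None  # do not count a stray second failure line twice
    return failures


def by_project(failures):
    """Tally failures per (project, gpg error) to see which keys are hit."""
    return Counter((f["project"], f["gpg"]) for f in failures)


if __name__ == "__main__":
    for (project, err), n in by_project(failed_signings(SAMPLE_LOG)).items():
        print(f"{n:4d}  {project}  {err}")
```

The package names it returns can be compared with the RPMs that `rpm -Kv` flags after a full rebuild.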