[opensuse-buildservice] Where can I find the keys for a project?
Hi, my name is Andreas Vetter. I have been administering SUSE Linux systems for more than 10 years now - at that time there were still the dots in S.u.S.E. ;-). I'm not a programmer, but have the need to package 3rd party software or dropped packages from time to time.

I have a (sub-)project home:asvetter:Shibboleth2:ServiceProvider with several packages. When I try to build a package that depends on another package from that project, I get the following:

    The following package could not be verified:
    /var/tmp/osbuild-packagecache/home:asvetter:Shibboleth2:ServiceProvider/openSUSE_11.1/x86_64/liblog4shib-devel-1.0.1-17.1.x86_64.rpm: (SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#678f1fc6)

    - If the key is missing, install it first.
      For example, do the following:
        gpg --keyserver pgp.mit.edu --recv-keys 678f1fc6
        gpg --armor --export 678f1fc6 > /home/vetter/keyfile-678f1fc6
      and, as root:
        rpm --import /home/vetter/keyfile-678f1fc6

      Then, just start the build again.

    - If the key is unavailable, you may use --no-verify (which may pose a risk).

    vetter:~/home:asvetter:Shibboleth2:ServiceProvider/xmltooling> gpg --keyserver pgp.mit.edu --recv-keys 678f1fc6
    gpg: requesting key 678F1FC6 from hkp server pgp.mit.edu
    gpgkeys: key 678F1FC6 not found on keyserver
    gpg: no valid OpenPGP data found.
    gpg: Total number processed: 0

My questions:
1. Is the 678f1fc6 created by OBS?
2. Is it my responsibility to create a key for my OBS account? How?
3. Is it my responsibility to publish the key?
4. Is it just the wrong key server?

TIA, Andreas

--
Kind regards,
Andreas Vetter
Informations- und Kommunikationstechnik
Fakultaet fuer Physik und Astronomie
Universitaet Wuerzburg
--
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-buildservice+help@opensuse.org
On 2009-03-17 14:45:13 +0100, Andreas Vetter wrote:
<SNIP>
> My questions:
> 1. Is the 678f1fc6 created by OBS?
> 2. Is it my responsibility to create a key for my OBS account? How?

The key is automatically generated by the obs (one key for each project).

> 3. Is it my responsibility to publish the key?

It's up to you (or anyone else) to publish this key but unless someone explicitly uploads it, it won't be added to the keyserver.

> 4. Is it just the wrong key server?

Btw the key can be found here
http://download.opensuse.org/repositories/home:/asvetter:/Shibboleth2:/Servi...

Marcus
On Tue, 17 Mar 2009, Marcus Hüwe wrote:
> On 2009-03-17 14:45:13 +0100, Andreas Vetter wrote:
> <SNIP>
>> My questions:
>> 1. Is the 678f1fc6 created by OBS?
>> 2. Is it my responsibility to create a key for my OBS account? How?
>
> The key is automatically generated by the obs (one key for each project).
>
>> 3. Is it my responsibility to publish the key?
>
> It's up to you (or anyone else) to publish this key but unless someone explicitly uploads it, it won't be added to the keyserver.
>
>> 4. Is it just the wrong key server?
>
> Btw the key can be found here
> http://download.opensuse.org/repositories/home:/asvetter:/Shibboleth2:/Servi...

Thank you. Should the message be changed? It includes a reference to pgp.mit.edu:

    - If the key is missing, install it first.
      For example, do the following:
        gpg --keyserver pgp.mit.edu --recv-keys 678f1fc6
        gpg --armor --export 678f1fc6 > /home/vetter/keyfile-678f1fc6
      and, as root:
        rpm --import /home/vetter/keyfile-678f1fc6

--
Kind regards,
Andreas Vetter
Informations- und Kommunikationstechnik
Fakultaet fuer Physik und Astronomie
Universitaet Wuerzburg
Andreas Vetter wrote:
> My questions:
> 1. Is the 678f1fc6 created by OBS?

yes.

> 2. Is it my responsibility to create a key for my OBS account? How?

No.

> 3. Is it my responsibility to publish the key?

IMHO, not really, the key should be uploaded to a public keyserver by the OBS.. unfortunately that seems not currently implemented.

> 4. Is it just the wrong key server?

No, atm you have to upload the key manually.. check out <repo>/repodata/repomd.xml.key

--
"If this is the best God can do, I am not impressed" -George Carlin (1937-2008)
Cristian Rodríguez R.
Software Developer
Platform/OpenSUSE - Core Services
SUSE LINUX Products GmbH
Research & Development
http://www.opensuse.org/
On Tuesday, 17 March 2009 23:27:15, Cristian Rodríguez wrote:
> Andreas Vetter wrote:
> ...
>> 3. Is it my responsibility to publish the key?
>
> IMHO, not really, the key should be uploaded to a public keyserver by the OBS.. unfortunately that seems not currently implemented.

By intention, because I think it would be bad to flood the key servers, no?

>> 4. Is it just the wrong key server?
>
> No, atm you have to upload the key manually.. check out <repo>/repodata/repomd.xml.key

Or just tell zypper/YaST to accept the key.

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
On 2009-03-18T07:33:28, Adrian Schröter <adrian@suse.de> wrote:
>> IMHO, not really, the key should be uploaded to a public keyserver by the OBS.. unfortunately that seems not currently implemented.
>
> By intention, because I think it would be bad to flood the key servers, no?

Since the key is autogenerated anyway and apparently "untrusted" and unencrypted, is there any specific reason why each project has its own key, instead of just one per buildservice instance? (ie, one for build.opensuse.org)

Regards,
Lars

--
Teamlead Kernel, SuSE Labs, Research and Development
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nürnberg)
"Experience is the name everyone gives to their mistakes." -- Oscar Wilde
On Thursday, 19 March 2009 00:16:21, Lars Marowsky-Bree wrote:
> On 2009-03-18T07:33:28, Adrian Schröter <adrian@suse.de> wrote:
>>> IMHO, not really, the key should be uploaded to a public keyserver by the OBS.. unfortunately that seems not currently implemented.
>>
>> By intention, because I think it would be bad to flood the key servers, no?
>
> Since the key is autogenerated anyway and apparently "untrusted" and unencrypted, is there any specific reason why each project has its own key, instead of just one per buildservice instance?

Because each project has different people with write access. You do not necessarily trust the KDE:* or even all home:* people when you have accepted the trust of the Kernel: people.

But all the different keys should be signed by a global build service key. But that just tells you that it comes from our build.o.o instance.

bye
adrian

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
On 07:33 Wed 18 Mar 2009, Adrian Schröter wrote:
> On Tuesday, 17 March 2009 23:27:15, Cristian Rodríguez wrote:
>> Andreas Vetter wrote:
>> ...
>>> 3. Is it my responsibility to publish the key?
>>
>> IMHO, not really, the key should be uploaded to a public keyserver by the OBS.. unfortunately that seems not currently implemented.
>
> By intention, because I think it would be bad to flood the key servers, no?

Can a keyserver be offered by opensuse so that users can easily add these keys to their keychain via gpg?

Having our own keyserver would keep us from flooding other key servers and give users a consistent way of adding keys without assembling long URLs.

Cheers,
Brandon
On Tuesday, 21 April 2009 19:40:21, Brandon Philips wrote:
> On 07:33 Wed 18 Mar 2009, Adrian Schröter wrote:
>> On Tuesday, 17 March 2009 23:27:15, Cristian Rodríguez wrote:
>>> Andreas Vetter wrote:
>>> ...
>>>> 3. Is it my responsibility to publish the key?
>>>
>>> IMHO, not really, the key should be uploaded to a public keyserver by the OBS.. unfortunately that seems not currently implemented.
>>
>> By intention, because I think it would be bad to flood the key servers, no?
>
> Can a keyserver be offered by opensuse so that users can easily add these keys to their keychain via gpg?
>
> Having our own keyserver would keep us from flooding other key servers and give users a consistent way of adding keys without assembling long URLs.

The key is already part of the repos. When you download them from download.opensuse.org and assume there is no kind of spoofing in between you get the right key.

We do not want to maintain our own key server just for this.

Btw, zypper/yast offers to import the keys from the repos, if unknown. Dunno about other package managers.

bye
adrian

--
Adrian Schroeter
SUSE Linux Products GmbH
email: adrian@suse.de
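
The lookup this thread settles on, as an added example that is not part of any message above and is not osc or OBS code: it parses the verification failure from the first message, derives where the project key sits in the published repository (`<repo>/repodata/repomd.xml.key`), and checks a key file's listing for the missing ID before anything is handed to `rpm --import`. The function names, the `:` to `:/` directory mapping (inferred from the URL posted in the thread) and the sample `gpg --with-colons` line are assumptions.

```python
import re

# Constructed sample: the failure text quoted in the first message of the thread.
BUILD_LOG = (
    "The following package could not be verified:\n"
    "/var/tmp/osbuild-packagecache/home:asvetter:Shibboleth2:ServiceProvider/"
    "openSUSE_11.1/x86_64/liblog4shib-devel-1.0.1-17.1.x86_64.rpm: "
    "(SHA1) DSA sha1 md5 (GPG) NOT OK (MISSING KEYS: GPG#678f1fc6)\n"
)
# Constructed sample of `gpg --show-keys --with-colons repomd.xml.key` output.
# Only the last 8 hex digits of field 5 come from the thread; the rest is made up.
KEY_LISTING = "pub:-:1024:17:00000000678F1FC6:1237298713:::-:::scSC:\n"

FAILURE = re.compile(
    r"osbuild-packagecache/(?P<project>[^/\s]+)/(?P<repo>[^/\s]+)/"
    r"[^/\s]+/(?P<rpm>[^/\s]+\.rpm):"
    r".*?NOT OK \(MISSING KEYS:(?P<keys>[^)]*)\)",
    re.S,
)

def repo_key_path(project, repo):
    """Path of the project key below the repositories root.
    Assumption: ':' becomes ':/' on the download server, as in the posted URL."""
    return "%s/%s/repodata/repomd.xml.key" % (project.replace(":", ":/"), repo)

def missing_keys(log_text):
    """One record per package rpm could not verify for lack of a key."""
    records = []
    for m in FAILURE.finditer(log_text):
        ids = re.findall(r"GPG#([0-9A-Fa-f]{8})", m.group("keys"))
        records.append({
            "project": m.group("project"),
            "repo": m.group("repo"),
            "rpm": m.group("rpm"),
            "key_ids": [k.lower() for k in ids],
            "key_path": repo_key_path(m.group("project"), m.group("repo")),
        })
    return records

def key_file_has(key_id, colons_listing):
    """True if a 'pub' record's key ID (field 5) ends in the 8-digit ID rpm
    reported. A short ID only narrows the match; it is not a fingerprint."""
    for line in colons_listing.splitlines():
        fields = line.split(":")
        if fields[0] == "pub" and len(fields) > 4:
            if fields[4].lower().endswith(key_id.lower()):
                return True
    return False
```
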
participants (6): Adrian Schröter, Andreas Vetter, Brandon Philips, Cristian Rodríguez, Lars Marowsky-Bree, Marcus Hüwe