[opensuse-buildservice] Signing failed after updating from 2.9 to 2.10
Hello all, I just updated a private OBS from 2.9. to 2.10 (on openSUSE Leap 15.1) according to https://github.com/openSUSE/open-build-service/blob/2.10/dist/README.UPDATER.... With 2.9 everything was working just fine. With 2.10 signing stopped working. The installation seems okay otherwise (e.g. no errors upon DB migration etc.) signd (IIUC) could not find the secret key anymore: box:~ # su -s /bin/bash obsrun -c 'sign -k' gpg: skipped "mybuildkey@myobs": No secret key gpg: signing failed: No secret key I could work around the problem by copying /root/.gnupg to /srv/obs/gnupg box:/srv/obs/gnupg # cp -ai ~/.gnupg/* . But I don't want to maintain/keep the key in 2 locations. Is it safe to simply symlink /srv/obs/gnupg to /root/.gnupg? Or can some (RPM) update delete my private signing key? Or should I set OBS_SIGND_GNUPG_HOME="/root/.gnupg" in /etc/sysconfig/signd? And of course I'm a bit curious why that was not caught by any update script or similar. ;-) Thanks and regards -- Till -- Dipl.-Inform. Till Dörges doerges@pre-sense.de PRESENSE Technologies GmbH Nagelsweg 41, D-20097 HH Geschäftsführer/Managing Directors AG Hamburg, HRB 107844 Till Dörges, Jürgen Sander USt-IdNr.: DE263765024 -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Hey, On 03.06.20 09:25, Till Dörges wrote:
Or should I
Moving the OBS related parts of the gnupg configuration to /srv/obs/gnupg is the solution you are looking for.
And of course I'm a bit curious why that was not caught by any update script or similar. ;-)
Judging from OBS:Server:2.10:Staging/obs-signd this never made it to 2.10. Frank, we are about to release another 2.10 release, how about we include this? Henne -- Henne Vogelsang http://www.opensuse.org Everybody has a plan, until they get hit. - Mike Tyson -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Am 03.06.20 um 14:08 schrieb Henne Vogelsang:
Moving the OBS related parts of the gnupg configuration to /srv/obs/gnupg is the solution you are looking for.
Ack. Thanks.
And of course I'm a bit curious why that was not caught by any update script or similar. ;-)
Judging from OBS:Server:2.10:Staging/obs-signd this never made it to 2.10. Frank, we are about to release another 2.10 release, how about we include this?
While you're at it. I stumbled across the first command (cd /srv/www/obs/api/; rake migrate_options_yml) listed here: https://github.com/openSUSE/open-build-service/blob/2.10/dist/README.UPDATER... For it to work I had to include RAILS_ENV="production", otherwise it would complain about something missing related to tests. And in my particular case (starting from Leap 42.3 / OBS 2.9) there also was no rake 12.3 which seemed to be required. So I resorted to updating the RPMs first and then issuing the above command: (cd /srv/www/obs/api/; RAILS_ENV="production" rake migrate_options_yml) Thanks again and regards -- Till -- Dipl.-Inform. Till Dörges doerges@pre-sense.de PRESENSE Technologies GmbH Nagelsweg 41, D-20097 HH Geschäftsführer/Managing Directors AG Hamburg, HRB 107844 Till Dörges, Jürgen Sander USt-IdNr.: DE263765024 -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
Am 03.06.20 um 14:08 schrieb Henne Vogelsang:
Or should I
Moving the OBS related parts of the gnupg configuration to /srv/obs/gnupg is the solution you are looking for.
My local "experiments" also suggest that the link /.gnupg -> /root/.gnupg is not needed anymore (also see https://en.opensuse.org/openSUSE:Build_Service_Signer) Perhaps also worth mentioning in the upgrade instructions? Regards -- Till -- Dipl.-Inform. Till Dörges doerges@pre-sense.de PRESENSE Technologies GmbH Nagelsweg 41, D-20097 HH Geschäftsführer/Managing Directors AG Hamburg, HRB 107844 Till Dörges, Jürgen Sander USt-IdNr.: DE263765024 -- To unsubscribe, e-mail: opensuse-buildservice+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-buildservice+owner@opensuse.org
participants (2)
-
Henne Vogelsang -
Till Dörges