Thanks for the response, Adrian. I'm afraid I'm not quite over the
line with this problem and hoping you can clear up the remaining
issues I have.
Using the information at this link
], I have
examined the following files on our OBS host and included what I
believe to be the relevant lines below:
### /usr/lib/obs/server/BSConfig.pm ###
#No package signing server
our $sign = "/usr/bin/sign";
#Extend sign call with project name as argument "--project $NAME"
#our $sign_project = 1;
#Global sign key
our $keyfile = "/obs/obs-default-gpg.asc";
#Create a key by default for new projects, if top level have not one
our $forceprojectkeys = 1;
### /etc/sign.conf ###
Based on the configuration in /etc/sign.conf, I located the GPG key
with the matching e-mail (defaultkey@localobs) and attempted to
decrypt the desired project signing key:
$ gpg --homedir /obs/gnupg --decrypt _signkey
gpg: no valid OpenPGP data found.
gpg: decrypt_message failed: Unknown system error
My experience with GPG is limited, but the error to me suggests that
the file is not of the format expected. As mentioned in my last post,
the content of the _signkey is simply a long string of hexadecimal
$ file _signkey
_signkey: ASCII text, with very long lines
Whereas the output of a test file encrypted with the above GPG key
produces the following file output:
$ file test.gpg
To compound the problem, despite the clues in the configuration files,
I'm not sure that the key I have located is in fact the master key.
The content of the public key '/obs/obs-default-gpg.asc' ($keyfile
listed in /usr/lib/obs/serverBSConfig.pm) differs from the public key
exported from what I believe should be the master signing key (user:
defaultkey@localobs listed in /etc/sign.conf):
gpg --homedir /obs/gnupg --export --armor defaultkey@localobs
Apologies if I am missing something obvious. Any further help would be
On Fri, Jan 30, 2015 at 8:56 AM, Adrian Schröter <adrian(a)suse.de> wrote:
On Freitag, 30. Januar 2015, 08:41:57 wrote Nick
Hi, hoping somebody on the list can help me with
a problem I'm trying to solve.
I am currently using OBS to build RPMs for a variety of architectures
I need to support. However, I also have some RPMs that are built by
Jenkins. Ideally, I would like to be able to have the packages built
by Jenkins signed using the private GPG key in use under OBS and
collect them under a single YUM repo. I have found what I believe to
be the signing (private GPG) key on OBS:
However, it is not in the format I expected (i.e. with a '-----BEGIN
PGP PRIVATE KEY BLOCK-----' header followed by a chunk of base64; it
is simply a long string of hexadecimal chars. So, this has left me
with two questions:
1. Is this indeed the OBS key used to sign my RPMs under this project?
yes, but it is encrypted itself with the OBS master key. (allows to
keep the master key on a special protected system, but you can still
backup the backend server with the keys).
2. If so, how can I export this _signkey to a GPG
format I can use
with rpm --addsign?
decrypt it with your instance master key
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Jennifer Guild, Dilip Upmanyu,
Graham Norton, HRB 21284 (AG Nürnberg)
To unsubscribe, e-mail: opensuse-buildservice+unsubscribe(a)opensuse.org
To contact the owner, e-mail: opensuse-buildservice+owner(a)opensuse.org