Re: Heads up: Transition to RSA 4096 signing key for Tumbleweed

On Wed, Jan 18, 2023 at 07:03:24PM +0100, cagsm wrote:

List,

On Wed, Jan 18, 2023 at 2:35 PM Marcus Meissner wrote:

...

We will switch the openSUSE Tumbleweed signing key that signs the repositories and RPMs from 2048bit RSA key to a 4096bit RSA key early next week. rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc

brand new 15.4 system some months old but apparently the system sees this key or package, and appropriate file

---------------- rpm -ql openSUSE-build-key /usr/lib/rpm/gnupg /usr/lib/rpm/gnupg/dumpsigs /usr/lib/rpm/gnupg/keys /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc /usr/lib/rpm/gnupg/keys/gpg-pubkey-307e3d54-5aaa90a5.asc /usr/lib/rpm/gnupg/keys/gpg-pubkey-39db7c82-5847eb1f.asc /usr/lib/rpm/gnupg/keys/gpg-pubkey-3dbdc284-53674dd4.asc /usr/lib/rpm/gnupg/keys/gpg-pubkey-65176565-61a0ee8f.asc /usr/share/container-keys /usr/share/container-keys/opensuse-container-key.asc /usr/share/doc/packages/openSUSE-build-key /usr/share/doc/packages/openSUSE-build-key/security_at_suse_de.asc -----------------------

but rpm doesnt trust or show or use this key?

...

and should be in trusted RPM keyring already: rpm -qi gpg-pubkey-29b700a4-62b07e22 ... will show it ... Tracker bug: https://bugzilla.suse.com/show_bug.cgi?id=1199184

--------- rpm -qi gpg-pubkey-29b700a4-62b07e22 package gpg-pubkey-29b700a4-62b07e22 is not installed ---------

what did this system miss? bug? how does rpm gets fed with the proper stuff? ty.

The key was not auto imported into Leap 15.4 RPM database yet. Currently the first product to transition is openSUSE Tumbleweed, Leap I have not yet scheduled. You can already do rpm --import /usr/lib/rpm/gnupg/keys/gpg-pubkey-29b700a4-62b07e22.asc As I also plan to migrate Leap at some point. Ciao, Marcus