[opensuse-factory] [tumbleweed] kernel build failure
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Hi Greg, to solve $SUBJ, we need a certificate to sign a kernel with now. It can be created by: osc signkey --create openSUSE:Tumbleweed This will change the key so that everybody has to approve the change in zypper/yast when installing. If anybody else knows a better way without changing the certificate, tell us. thanks, - -- js suse labs -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iQIcBAEBAgAGBQJRIRJJAAoJEL0lsQQGtHBJw9IP/0cwyUVO1o2p3ul+LpwX/YHr s6Sji5XmiSMztATk1Gx+25oC7G8hnW76qGHWcwJud4Jmdqvg5zu6W5h0n4XYC0du 6kM706hlX2INSKPKHhQZovcyPiSyNfC9lduNhxo/6kbWKHx/lPc3rPihBDIcedT1 tHq1nN0cFZ1aleNajwVs3u1PR2qqnw7S5WgFNgYaNJeURBv0AjXz9YrKZdzqoi/c DmWECr65lDMIHqk1bI9o7wB7jB8EoGThmmoGQ0lG4aKdeOWlqfqtg+TBDAb0CPqP QA50ezFDYBKw9h6eUZfzqAY9v9Ox4sawLif/M4ZvfhxEUkfDevW1IsP44Boxj3jv VtvjWYr2VhaSIhZU4cmV+Aqp3Bc7Bt1tYTOt9tGzEooDM4ZdF/20wjMMpfpXBXMr w5g4xoanRnu5PWRqEfDNY8RVqrfqwI/i24iO07twtJzCoFjTMqd8r/KplrMENyUX xT2GMjzgtHvHta2XbDHvzmOe0L9ZvSbMGZ3l1H2WaFX3DmKkg57JD8+LZIGUDhyp OdpRLprAo8Ij0q5r6G4tLye1IJt15Msf1kgKm/nSIsz1zw0j+HQ/YaWXNxqVas7b GAFbYcmAQ8JGJ1N344Tkj9S+W6bgbUiYjfpoA31EgyaoUnaLmgqGF3YJojwMc/qq dtQlpJk3jbIECkxp10ON =ha+w -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 17.02.2013 18:24, schrieb Jiri Slaby:
Hi Greg,
to solve $SUBJ, we need a certificate to sign a kernel with now. It can be created by: osc signkey --create openSUSE:Tumbleweed
This will change the key so that everybody has to approve the change in zypper/yast when installing. If anybody else knows a better way without changing the certificate, tell us.
You can make the signing conditional on some prjconf setting - it's really useful only for 12.3 and its update projects Greetings, Stephan -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlEhFkIACgkQwFSBhlBjoJb1uwCbBgNXNq7IXIMpk+7kvwqNuamT ipgAoM5EzJx89fMlqXRHbTOW2UvDN7Ya =LLPY -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sun, Feb 17, 2013 at 06:41:23PM +0100, Stephan Kulow wrote:
Am 17.02.2013 18:24, schrieb Jiri Slaby:
Hi Greg,
to solve $SUBJ, we need a certificate to sign a kernel with now. It can be created by: osc signkey --create openSUSE:Tumbleweed
This will change the key so that everybody has to approve the change in zypper/yast when installing. If anybody else knows a better way without changing the certificate, tell us.
You can make the signing conditional on some prjconf setting - it's really useful only for 12.3 and its update projects
How would we do that for just the kernel packages? thanks, greg k-h -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
Am 17.02.2013 18:54, schrieb Greg KH:
On Sun, Feb 17, 2013 at 06:41:23PM +0100, Stephan Kulow wrote:
Am 17.02.2013 18:24, schrieb Jiri Slaby:
Hi Greg,
to solve $SUBJ, we need a certificate to sign a kernel with now. It can be created by: osc signkey --create openSUSE:Tumbleweed
This will change the key so that everybody has to approve the change in zypper/yast when installing. If anybody else knows a better way without changing the certificate, tell us.
You can make the signing conditional on some prjconf setting - it's really useful only for 12.3 and its update projects
How would we do that for just the kernel packages?
We have other features we enable and disable through with_ macros in the prjconf. And the kernel spec file needs to disable the buildrequire on pesign-obs-integration in that case. The export of BRP_PESIGN_FILES will then be pointless. Try as experiment in the prjconf Substitute: obs-pesign-integration Greetings, Stephan -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Am 17.02.2013 18:41, schrieb Stephan Kulow:
Am 17.02.2013 18:24, schrieb Jiri Slaby:
Hi Greg,
to solve $SUBJ, we need a certificate to sign a kernel with now. It can be created by: osc signkey --create openSUSE:Tumbleweed
This will change the key so that everybody has to approve the change in zypper/yast when installing. If anybody else knows a better way without changing the certificate, tell us.
You can make the signing conditional on some prjconf setting - it's really useful only for 12.3 and its update projects
To explain a bit more: if your key is not bundled in shim, the signature is rather useless as it can't be verified. So changing the key for something as useless and annoy tons of users doesn't sound like good. Greetings, Stephan -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.19 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlEhRwcACgkQwFSBhlBjoJazIACdHytu725IoQxBs4MUI3sbWeDf ZFsAnjm31XqktrDLZeCJplRkdvfi6NBs =4lr0 -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sun, Feb 17, 2013 at 06:24:26PM +0100, Jiri Slaby wrote:
This will change the key so that everybody has to approve the change in zypper/yast when installing. If anybody else knows a better way without changing the certificate, tell us.
Well, you can't, as the old key was DSA and you need an RSA key to sign the kernels. There's no way to convert from DSA to RSA without creating a new key. M. -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Sun, Feb 17, 2013 at 06:24:26PM +0100, Jiri Slaby wrote:
to solve $SUBJ, we need a certificate to sign a kernel with now. It can be created by: osc signkey --create openSUSE:Tumbleweed
Just to make this a bit less confusing: You don't create a certificate with that command. The problem is, that the old key is a DSA key, and thus can't be used to create a RSA key certificate. We switched the default from DSA to RSA in the build service, so that's why creating a new key will fix the build. Cheers, Michael. -- Michael Schroeder mls@suse.de SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);} -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, Feb 18, 2013 at 11:24:57AM +0100, Michael Schroeder wrote:
On Sun, Feb 17, 2013 at 06:24:26PM +0100, Jiri Slaby wrote:
to solve $SUBJ, we need a certificate to sign a kernel with now. It can be created by: osc signkey --create openSUSE:Tumbleweed
Just to make this a bit less confusing: You don't create a certificate with that command. The problem is, that the old key is a DSA key, and thus can't be used to create a RSA key certificate. We switched the default from DSA to RSA in the build service, so that's why creating a new key will fix the build.
Ok, I've now done this, and this seems to be the key that was created, is there any way to verify it is correct: Key ID: 03FCF140B367F5CD Key Name: openSUSE:Tumbleweed OBS Project <openSUSE:Tumbleweed@build.opensuse.org> Key Fingerprint: 56FE3F66EE9AD664DD8978DF03FCF140B367F5CD Key Created: Mon 18 Feb 2013 09:09:00 AM PST Key Expires: Wed 29 Apr 2015 10:09:00 AM PDT thanks, greg k-h -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
On Mon, Feb 18, 2013 at 04:22:20PM -0800, Greg Kroah-Hartman wrote:
On Mon, Feb 18, 2013 at 11:24:57AM +0100, Michael Schroeder wrote:
On Sun, Feb 17, 2013 at 06:24:26PM +0100, Jiri Slaby wrote:
to solve $SUBJ, we need a certificate to sign a kernel with now. It can be created by: osc signkey --create openSUSE:Tumbleweed
Just to make this a bit less confusing: You don't create a certificate with that command. The problem is, that the old key is a DSA key, and thus can't be used to create a RSA key certificate. We switched the default from DSA to RSA in the build service, so that's why creating a new key will fix the build.
Ok, I've now done this, and this seems to be the key that was created, is there any way to verify it is correct:
Key ID: 03FCF140B367F5CD Key Name: openSUSE:Tumbleweed OBS Project <openSUSE:Tumbleweed@build.opensuse.org> Key Fingerprint: 56FE3F66EE9AD664DD8978DF03FCF140B367F5CD Key Created: Mon 18 Feb 2013 09:09:00 AM PST Key Expires: Wed 29 Apr 2015 10:09:00 AM PDT
$ osc signkey openSUSE:Tumbleweed | gpg --list-packets :public key packet: version 4, algo 1, created 1361207340, expires 0 pkey[0]: [2048 bits] pkey[1]: [17 bits] keyid: 03FCF140B367F5CD RSA's pkeys have two entries, DSA's pkeys have four. So yes, it's an RSA pubkey. (algo 1 is RSA, algo 17 is DSA.) Cheers, Michael. -- Michael Schroeder mls@suse.de SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);} -- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
participants (5)
-
Greg KH -
Greg Kroah-Hartman
-
Jiri Slaby -
Michael Schroeder -
Stephan Kulow