[opensuse-factory] Usage of gpg_verify in .spec files

Hi geeko packagers,

Please note that we are receiving a new version of gpg (2.1.0) in Factory probably rather soon... One thing to note is that the current version of %gpg_verify passes --gpg2 to the command, which is no longer understood. There are obviously two ways to fix it:

- Fix %gpg_verify to no longer pass --gpg2; surely simple, but I don't prefer this solution.
- Remove the gpg_verify commands from the .spec files. In fact, usage of gpg_verify has been deprecated in favor of the obs service source_validator (which runs at each osc ci call, or you can call it using osc service lr source_validator).

As we already have implicit verification of the signatures there, it is of no use to verify the signature during build again. Which is also the reason why option one is not that appealing.

Can I please ask the package maintainers to work with us and eliminate this wherever it is still used in Factory?

Thanks a lot!

-- Dimstar / Dominique Leuenberger <dimstar@opensuse.org>

-- To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse-factory+owner@opensuse.org

Hi,

I am not entirely happy with removing it from the build. But I have to agree that it makes some sense with the source validator enforcing it these days.

FWIW, I am fixing gpg-offline, which you did not bother to do.

Ciao, Marcus

On Sat, Nov 15, 2014 at 03:25:17PM +0100, Dimstar / Dominique Leuenberger wrote:

Marcus,

On Sat, 2014-11-15 at 15:38 +0100, Marcus Meissner wrote:
> Hi,
> I am not entirely happy with removing it from the build.

What advantage do you see compared to the test happening once when you check it in? (Or when submitted to Factory, the test runs again.) The sig won't become invalid on any subsequent checks without changes.

> But I have to agree that it makes some sense with the source validator enforcing it these days.

Right - that's the idea here.

> FWIW, I am fixing gpg-offline, which you did not bother to do.

Sure, fixing it was option 1, which I listed. The few fixes I submitted are for ring packages; there is likely more breaking in Factory. If gpg_verify is now fixed already, we'll just hide them all (of course the fix is still a good thing - I would just not do it in a rush - fixes coming from you are of course not excluded from being accepted).

Cheers, Dominique

On Sat, Nov 15, 2014 at 03:48:57PM +0100, Dimstar / Dominique Leuenberger wrote:
> The chance that the tarball is later modified (and the signature checking would not be changed) is small.

Avoiding failing builds is priority 1.

Ciao, Marcus

On 2014-11-15 15:38, Marcus Meissner wrote:
> Hi,
> I am not entirely happy with removing it from the build.

I hope that the gpg signature is still included with the published rpm, and that you are not talking of removing it. And if included, it should be verified at least one time before publishing, to ensure that it is correct. I.e., gpg not validated -> stop publishing.

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On November 15, 2014 10:14:12 AM EST, "Carlos E. R." <carlos.e.r@opensuse.org> wrote:

Carlos,

The question relates to the gpg signature of the tarball used to create the rpm, not the rpm's signature. The mechanism adopted Feb 2013 is that if the Source: field of a specfile has the fully defined URL in it, then a redundant copy of the tarball is pulled directly from the source URL at key times and the signature of the tarball is compared to the signature of the tarball uploaded to OBS by the packager. It prevents the intentional or unintentional inclusion of modifications in a tarball.

Greg

-- Sent from my Android phone with K-9 Mail. Please excuse my brevity.

On 2014-11-15 17:09, Greg Freemyer wrote:
> On November 15, 2014 10:14:12 AM EST, "Carlos E. R." <> wrote:

Ah, I see, thanks.

Quite reasonable. Then I have no opinion to offer :-) If I may say so, though, redundant security checking is (normally) a good thing (TM).

-- Cheers / Saludos, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)

On Sat, 2014-11-15 at 16:14 +0100, Carlos E. R. wrote:

Carlos,

There are multiple signatures, so I'm not sure which one you refer to:

- Every RPM is being signed after build and when being published. No change here.
- Some source rpms contain a .keyring and are performing gpg verification upon build (using gpg_verify).
- The same packages with a .keyring are also verified by the OBS Source Validator, when you check it in and again when the package is submitted to Factory.

The only thing we're advocating to remove is the middle one, where each 'build' is verifying the source signatures; again: AFTER build, the resulting binary rpms are being signed for publishing.

Some statistics:

# of source packages in Factory : 7658
# of packages in Factory with a .keyring file : ~200
# of packages executing gpg_verify during build : ~100

So it's not that this would be an incredibly big impact :)

Cheers, Dominique

-- Dimstar / Dominique Leuenberger <dimstar@opensuse.org>
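For readers unfamiliar with what the "middle" check above actually does, here is an added example of verifying a source tarball's detached signature against a package-supplied keyring. It is not the openSUSE %gpg_verify macro, gpg-offline, or the OBS source_validator, and the file names and status lines in it are constructed; the one thing it assumes is a GnuPG `gpg` binary on the PATH. The point it demonstrates is the one the thread takes for granted: the check must trust only the keys shipped in the package's .keyring, never whatever happens to be in the builder's personal keyring, so the verification runs in a throwaway GNUPGHOME and the result is decided from gpg's machine-readable status lines rather than from its human-oriented messages.

```shell
#!/bin/sh
# Added example, not openSUSE project code. Verifies TARBALL against its
# detached signature SIG using only the keys in KEYRING (the .keyring a
# source package ships), in an isolated GNUPGHOME.

# Decide from gpg --status-fd output (read on stdin) whether the signature
# is acceptable. Returns 0 only if a VALIDSIG line is present and no line
# reports a bad, unverifiable, expired or revoked signature or a missing key.
# A VALIDSIG from an imported-but-not-trust-signed key is accepted on purpose:
# the .keyring itself is what the packager vouches for (same idea as gpgv).
sig_status_ok() {
    lines=$(cat)
    case $lines in
        *'[GNUPG:] BADSIG'*|*'[GNUPG:] ERRSIG'*|*'[GNUPG:] EXPKEYSIG'*|\
        *'[GNUPG:] REVKEYSIG'*|*'[GNUPG:] NO_PUBKEY'*)
            return 1 ;;
    esac
    case $lines in
        *'[GNUPG:] VALIDSIG'*) return 0 ;;
    esac
    return 1
}

# verify_tarball_sig TARBALL SIG KEYRING -> exit status 0 (valid) or 1
verify_tarball_sig() {
    tarball=$1 sig=$2 keyring=$3
    for f in "$tarball" "$sig" "$keyring"; do
        [ -r "$f" ] || { echo "verify_tarball_sig: missing or unreadable: $f" >&2; return 1; }
    done

    # Fresh, private (0700) home directory: no system or user keys are visible.
    home=$(mktemp -d) || return 1

    # Import the package keyring (armored or binary both work with --import).
    if ! GNUPGHOME=$home gpg --batch --quiet --import "$keyring" 2>/dev/null; then
        echo "verify_tarball_sig: could not import $keyring" >&2
        rm -rf "$home"
        return 1
    fi

    # --status-fd 1 puts the parseable status lines on stdout; the human text
    # goes to stderr and is discarded so wording changes between gpg versions
    # cannot change the verdict.
    status_out=$(GNUPGHOME=$home gpg --batch --status-fd 1 --verify "$sig" "$tarball" 2>/dev/null)
    rm -rf "$home"

    printf '%s\n' "$status_out" | sig_status_ok
}

# Typical use from a build script (file names constructed for illustration):
#   verify_tarball_sig foo-1.2.tar.xz foo-1.2.tar.xz.sig foo.keyring || exit 1
```

Running the import and the verification with an explicit, freshly created GNUPGHOME is what makes the result reproducible between the packager's machine and a build host; a check that silently consults `~/.gnupg` would pass or fail depending on who runs it.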

On Sat, 15 Nov 2014 15:25, Dimstar / Dominique Leuenberger wrote:

Hi Dominique,

please include the information since which version (%suse_version) source_validator is valid to use in spec-file

[sample-code]
if %suse_version > [last_non_source_validator_version]
    use_of_source_validator
else
    use_of_gpg_verify
fi
[/sample-code]

Thanks - Yamaban.

-- "Sane? What is that? Can you eat it?" -- a student after a night of coding for a semester-project.

On Sat, 2014-11-15 at 15:38 +0100, Yamaban wrote:

As the source validator is not in the .spec file, it doesn't really matter; if you have a recent version of it on your system, it will happen when you do 'osc ci'. According to the changelog of obs-service-source_validator, this feature was added in January 2013; so not entirely a new thing. And any package you forward to Factory will be tested by factory-auto, which does have a recent enough version of osc and would do the test in any case.

Cheers, Dominique

-- Dimstar / Dominique Leuenberger <dimstar@opensuse.org>
