[opensuse] non-interactive zypper and package keys
I am trying to run zypper in a non-interactive script. I have an issue with keys for repos I add and then use: New repository or package signing key received: Key ID: CC7F07489591C39B Key Name: Application:Geo OBS Project <Application:Geo@build.opensuse.org> Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B Repository: openSUSE BuildService - Application:Geo Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error. I looked at the man page (the whole thing this time) and do not see (recognize) an option to tell zypper to accept the keys. It just takes the default option, which is to reject them. Is there a way yo have zypper accept them that can be enabled via the command line? -- Roger Oberholtzer OPQ Systems / Ramböll RST Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On 11/12/2010 11:06 AM, Roger Oberholtzer wrote:
I am trying to run zypper in a non-interactive script. I have an issue with keys for repos I add and then use:
New repository or package signing key received: Key ID: CC7F07489591C39B Key Name: Application:Geo OBS Project <Application:Geo@build.opensuse.org> Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B Repository: openSUSE BuildService - Application:Geo
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error.
I looked at the man page (the whole thing this time) and do not see (recognize) an option to tell zypper to accept the keys. It just takes the default option, which is to reject them. Is there a way yo have zypper accept them that can be enabled via the command line?
Hi, found this in the man page. --gpg-auto-import-keys If new repository signing key is found, do not ask what to do; trust and import it automatically. This option causes that the new key is imported also in non-interactive mode, where it would otherwise got rejected. But I never used it. greetings Chris -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Fri, 2010-11-12 at 11:15 +0100, christian schmitt wrote:
On 11/12/2010 11:06 AM, Roger Oberholtzer wrote:
I am trying to run zypper in a non-interactive script. I have an issue with keys for repos I add and then use:
New repository or package signing key received: Key ID: CC7F07489591C39B Key Name: Application:Geo OBS Project <Application:Geo@build.opensuse.org> Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B Repository: openSUSE BuildService - Application:Geo
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error.
I looked at the man page (the whole thing this time) and do not see (recognize) an option to tell zypper to accept the keys. It just takes the default option, which is to reject them. Is there a way yo have zypper accept them that can be enabled via the command line?
Hi,
found this in the man page.
--gpg-auto-import-keys If new repository signing key is found, do not ask what to do; trust and import it automatically. This option causes that the new key is imported also in non-interactive mode, where it would otherwise got rejected.
But I never used it.
That looks like the ticket. However, I should have mentioned that this needs to run on an out-of-the-box openSUSE 11.2 as well as newer. I only see this option: --no-gpg-checks Ignore GPG check failures and continue. If a GPG issue occurs when using this option zypper prints and logs a warning and automatically continues without interrupting the operation. Use this option with caution, as you can easily overlook security problems by using it. Maybe this is useful anyway. The key acceptance will wait for an interactive session. -- Roger Oberholtzer OPQ Systems / Ramböll RST Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Fri, Nov 12, 2010 at 11:39:09AM +0100, Roger Oberholtzer wrote:
On Fri, 2010-11-12 at 11:15 +0100, christian schmitt wrote:
On 11/12/2010 11:06 AM, Roger Oberholtzer wrote:
I am trying to run zypper in a non-interactive script. I have an issue with keys for repos I add and then use:
New repository or package signing key received: Key ID: CC7F07489591C39B Key Name: Application:Geo OBS Project <Application:Geo@build.opensuse.org> Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B Repository: openSUSE BuildService - Application:Geo
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error.
I looked at the man page (the whole thing this time) and do not see (recognize) an option to tell zypper to accept the keys. It just takes the default option, which is to reject them. Is there a way yo have zypper accept them that can be enabled via the command line?
Hi,
found this in the man page.
--gpg-auto-import-keys If new repository signing key is found, do not ask what to do; trust and import it automatically. This option causes that the new key is imported also in non-interactive mode, where it would otherwise got rejected.
But I never used it.
That looks like the ticket. However, I should have mentioned that this needs to run on an out-of-the-box openSUSE 11.2 as well as newer. I only see this option:
--no-gpg-checks Ignore GPG check failures and continue. If a GPG issue occurs when using this option zypper prints and logs a warning and automatically continues without interrupting the operation. Use this option with caution, as you can easily overlook security problems by using it.
Maybe this is useful anyway. The key acceptance will wait for an interactive session.
You should only import the key once and then not use those insecure options. The "import key once" step can be done non-automated. Ciao, Marcus -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
On Fri, 2010-11-12 at 12:05 +0100, Marcus Meissner wrote:
On Fri, Nov 12, 2010 at 11:39:09AM +0100, Roger Oberholtzer wrote:
On Fri, 2010-11-12 at 11:15 +0100, christian schmitt wrote:
On 11/12/2010 11:06 AM, Roger Oberholtzer wrote:
I am trying to run zypper in a non-interactive script. I have an issue with keys for repos I add and then use:
New repository or package signing key received: Key ID: CC7F07489591C39B Key Name: Application:Geo OBS Project <Application:Geo@build.opensuse.org> Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B Repository: openSUSE BuildService - Application:Geo
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error.
I looked at the man page (the whole thing this time) and do not see (recognize) an option to tell zypper to accept the keys. It just takes the default option, which is to reject them. Is there a way yo have zypper accept them that can be enabled via the command line?
Hi,
found this in the man page.
--gpg-auto-import-keys If new repository signing key is found, do not ask what to do; trust and import it automatically. This option causes that the new key is imported also in non-interactive mode, where it would otherwise got rejected.
But I never used it.
That looks like the ticket. However, I should have mentioned that this needs to run on an out-of-the-box openSUSE 11.2 as well as newer. I only see this option:
--no-gpg-checks Ignore GPG check failures and continue. If a GPG issue occurs when using this option zypper prints and logs a warning and automatically continues without interrupting the operation. Use this option with caution, as you can easily overlook security problems by using it.
Maybe this is useful anyway. The key acceptance will wait for an interactive session.
You should only import the key once and then not use those insecure options.
The "import key once" step can be done non-automated.
The --no-gpg-checks seems to have achieved the desired result: I can add a repo and use it in a script. The repos are added permanently. By using --no-gpg-checks instead of --gpg-auto-import-keys in my script, the keys are only accepted in my script. They are not accepted for all time. I guess that is what you meant by "import key once"? -- Roger Oberholtzer OPQ Systems / Ramböll RST Ramböll Sverige AB Krukmakargatan 21 P.O. Box 17009 SE-104 62 Stockholm, Sweden Office: Int +46 10-615 60 20 Mobile: Int +46 70-815 1696 -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On Friday, 2010-11-12 at 12:22 +0100, Roger Oberholtzer wrote:
The --no-gpg-checks seems to have achieved the desired result: I can add a repo and use it in a script. The repos are added permanently. By using --no-gpg-checks instead of --gpg-auto-import-keys in my script, the keys are only accepted in my script. They are not accepted for all time. I guess that is what you meant by "import key once"?
I think that --no-gpg-checks does just that, not check the gpg signatures. There is no import of keys, and no checking to see if the package has been altered. - -- Cheers, Carlos E. R. (from 11.2 x86_64 "Emerald" at Telcontar) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.12 (GNU/Linux) iEYEARECAAYFAkzdPb4ACgkQtTMYHG2NR9WoewCffG1ZUxDv6CKIC3Ag8eit5KpV DNkAn02U5+G1IOq9z2vwddJWFtRHD04b =CoVw -----END PGP SIGNATURE----- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org For additional commands, e-mail: opensuse+help@opensuse.org
participants (4)
-
Carlos E. R. -
christian schmitt -
Marcus Meissner -
Roger Oberholtzer