[opensuse] Why does local repo key ID change on createrepo update each time?
List, Jan,

My local rpm repository I set up on my lan works fine, but I have an annoying problem I haven't figured out how to solve. Each time I add packages to the repo from a machine and run createrepo --update, the key id changes, causing all subsequent zypp ref to fail due to the question about the changed key:

    Do you want to trust key id 97CFBC4D7F0D9F62, David Rankin (3111updt Repo Key) <david@3111skyline.com>, fingerprint 76BFC332A210A2399A5D452897CFBC4D7F0D9F62 [yes/NO]: yes
    Import key 97CFBC4D7F0D9F62 to trusted keyring? [yes/NO]: yes
    Signature verification failed for repomd.xml with public key id 97CFBC4D7F0D9F62, David Rankin (3111updt Repo Key) <david@3111skyline.com>, fingerprint 76BFC332A210A2399A5D452897CFBC4D7F0D9F62.
    Warning: This might be caused by a malicious change in the file!
    Continuing is risky! Continue anyway? [yes/NO]: yes

How do I handle this situation? I just want to be able to add files to the repository without it causing subsequent refreshes to bomb asking for confirmation. Is this doable?

-- 
David C. Rankin, J.D.,P.E.
Rankin Law Firm, PLLC
510 Ochiltree Street
Nacogdoches, Texas 75961
Telephone: (936) 715-9333
Facsimile: (936) 715-9339
www.rankinlawfirm.com

On Tue, Apr 14, 2009 at 12:03:10AM -0500, David C. Rankin wrote:
> List, Jan,
>
> My local rpm repository I set up on my lan works fine, but I have an annoying problem I haven't figured out how to solve. Each time I add packages to the repo from a machine and run createrepo --update, the key id changes, causing all subsequent zypp ref to fail due to the question about the changed key:
>
>     Do you want to trust key id 97CFBC4D7F0D9F62, David Rankin (3111updt Repo Key) <david@3111skyline.com>, fingerprint 76BFC332A210A2399A5D452897CFBC4D7F0D9F62 [yes/NO]: yes
>     Import key 97CFBC4D7F0D9F62 to trusted keyring? [yes/NO]: yes
>     Signature verification failed for repomd.xml with public key id 97CFBC4D7F0D9F62, David Rankin (3111updt Repo Key) <david@3111skyline.com>, fingerprint 76BFC332A210A2399A5D452897CFBC4D7F0D9F62.
>     Warning: This might be caused by a malicious change in the file!
>     Continuing is risky! Continue anyway? [yes/NO]: yes
>
> How do I handle this situation? I just want to be able to add files to the repository without it causing subsequent refreshes to bomb asking for confirmation. Is this doable?

Is createrepo re-signing the repository (check if repomd.xml.asc changes)? If not, you need to do it afterwards.

Ciao, Marcus

Marcus Meissner wrote:
> Is createrepo re-signing the repository (check if repomd.xml.asc changes)? If not, you need to do it afterwards.
>
> Ciao, Marcus

Ah Hah! (lightbulb blinks on)

Thanks Marcus! That is the missing piece of the puzzle I had not yet been able to put into place -- even though it was staring me in the face. Poet and didn't know it.... Thanks.

-- 
David C. Rankin, J.D.,P.E.

David C. Rankin wrote:
> Ah Hah! (lightbulb blinks on)
>
> Thanks Marcus! That is the missing piece of the puzzle I had not yet been able to put into place -- even though it was staring me in the face. Poet and didn't know it.... Thanks.

Just a follow-up note: the issue was resolved as Marcus had mentioned. You need to re-sign your local repository after you add more rpms and issue the createrepo --update call. A few additional lines in the server-side script took care of that without any problem. For those interested, the additions to make it work were:

    ## Sign the Repository
    echo -e "\n\tSigning the repository after update...\n"
    # Key id of the first secret key in the keyring
    MY_KEY=$( gpg --list-secret-keys | grep "^sec" | \
              sed -e 's/.*\///;s/ .*//g;' | head -n 1 )
    # Re-create repomd.xml.asc for the freshly updated metadata
    gpg -a --detach-sign --yes --batch --passphrase \
        "$( < ~/.dcr/repokey)" "${REPOLOC}/${OSDIR}/repodata/repomd.xml"
    # Publish the matching public key next to the metadata
    gpg -a --export "$MY_KEY" > "${REPOLOC}/${OSDIR}/repodata/repomd.xml.key"

The ~/.dcr/repokey file just contains my credentials for the gpg key, and to automate it for a script you *must* use the --batch and then --passphrase options, otherwise the --passphrase option is ignored.

-- 
David C. Rankin, J.D.,P.E.

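The check Marcus suggests (is repomd.xml.asc still current after createrepo --update?) combined with the re-signing step, as an added example that is not part of the original posts. The function names, the argument order and the explicit key-id argument are assumptions; the file names follow the thread.

```bash
#!/bin/bash
# Added example (not from the thread). Function names, the argument order and
# the key-id argument are assumptions; file names follow the thread.

# True when repomd.xml.asc is a valid detached signature over repomd.xml.
verify_sig() {
    gpg --batch --verify "$1/repomd.xml.asc" "$1/repomd.xml" >/dev/null 2>&1
}

# 0 = stale (missing, older than the metadata, or fails verification),
# 1 = signature is current, 2 = no repomd.xml in the directory.
sig_is_stale() {
    local dir="$1"
    [ -f "$dir/repomd.xml" ] || { echo "no repomd.xml in $dir" >&2; return 2; }
    [ -f "$dir/repomd.xml.asc" ] || return 0
    [ "$dir/repomd.xml" -nt "$dir/repomd.xml.asc" ] && return 0
    verify_sig "$dir" && return 1
    return 0
}

# Sign with one pinned key and publish that same key as repomd.xml.key.
# --passphrase-file keeps the passphrase out of the process list.
# --pinentry-mode loopback is needed by GnuPG 2.1+; drop it on GnuPG 1.4.
resign_repo() {
    local dir="$1" key="$2" passfile="$3"
    gpg --batch --yes --armor --pinentry-mode loopback \
        --local-user "$key" --passphrase-file "$passfile" \
        --detach-sign "$dir/repomd.xml" || return 1
    gpg --batch --armor --export "$key" > "$dir/repomd.xml.key" || return 1
    verify_sig "$dir"
}

# Run after "createrepo --update": script REPODATA_DIR KEY_ID PASSPHRASE_FILE
if [ "$#" -eq 3 ]; then
    if sig_is_stale "$1"; then
        resign_repo "$1" "$2" "$3" || { echo "re-signing failed" >&2; exit 1; }
    fi
fi
```

Because resign_repo ends with a verification, a failed or partial signing run is caught on the server instead of surfacing as the "Signature verification failed" prompt on every client.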