[opensuse] gpg Key servers Yast uses?
Where is the setting that tells yast which key servers to use. I wanted to add the tox.im repository and I keep getting alerts that the key can't be verified when I import it. This key wasn't showing up on us pool key servers either but it did show up on some eu pool servers. -- _____________________________________ ---This space for rent--- -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On Wednesday, 2014-08-06 at 14:45 -0700, John Andersen wrote:
Where is the setting that tells yast which key servers to use.
I suppose those of "root". But I don't think YaST imports keys that way.
This key wasn't showing up on us pool key servers either but it did show up on some eu pool servers.
New keys take some time to propagate.

-- 
Cheers, Carlos E. R. (from 13.1 x86_64 "Bottle" at Telcontar)
On Wed, Aug 06, 2014 at 02:45:27PM -0700, John Andersen wrote:
Where is the setting that tells yast which key servers to use. I wanted to add the tox.im repository and I keep getting alerts that the key can't be verified when I import it.
This key wasn't showing up on us pool key servers either but it did show up on some eu pool servers.
For software repositories, yast does not use the key servers.

It tries to import the repodata/repomd.xml.key file for YUM repos.

tox.repo has:

    [Tox]
    name=Tox
    baseurl=https://repo.tox.im/rpm/
    gpgcheck=1
    gpgkey=https://repo.tox.im/toxbuild.pgp

It seems we do not import it from that gpgkey line yet...

So:

    wget https://repo.tox.im/toxbuild.pgp
    rpm --import toxbuild.pgp

Ciao, Marcus
On 8/11/2014 11:56 PM, Marcus Meissner wrote:
On Wed, Aug 06, 2014 at 02:45:27PM -0700, John Andersen wrote:
Where is the setting that tells yast which key servers to use. I wanted to add the tox.im repository and I keep getting alerts that the key can't be verified when I import it.
This key wasn't showing up on us pool key servers either but it did show up on some eu pool servers.
For software repositories, yast does not use the key servers.
It tries to import the repodata/repomd.xml.key file for YUM repos.
tox.repo has: [Tox] name=Tox baseurl=https://repo.tox.im/rpm/ gpgcheck=1 gpgkey=https://repo.tox.im/toxbuild.pgp
It seems we do not import it from that gpgkey line yet...
So: wget https://repo.tox.im/toxbuild.pgp rpm --import toxbuild.pgp
Ciao, Marcus
Sending direct and to list due to attachment.....

Thanks,

I discovered that, and had already done exactly as you suggested.

But (perhaps because it's a gpg key) there is another odd bug and I haven't the slightest idea of who to report this to.

After you import the Tox key, and you tell it the key is good, and you install the Tox client, everything is fine until they (tox.im) update this repository.

Then PackageKit reports there is a trust problem (every 20 minutes), "A security trust relationship is not present, Signature verification of Repository Tox.im failed." and sometimes just "signature verification failed". (2 different notifications).

So some part of the PackageKit or yast or zypp tool chain seems to attempt to verify signatures, and FAILS every time.

As soon as you go into Yast you see the attached message. (image).

So you once again tell it the signature is good, and update the tox client, and everything is OK, no more messages either from PackageKit or Yast.

Until they put another nightly out there, and then the warnings return.

So something in handling of gpg keys (or at least their key) is confusing a simple package update (maybe a hash difference) with a failure of the key, or it triggers a fresh attempt to fetch the key, which fails as above.

You update again, and no more warnings till the next nightly.

When I manually tried to import their public signing key into Kgpg, it could not be verified with the pool keyservers, and I used a specific EU server (zimmermann.mayfirst.org) and that verified the key in Kgpg.

So, my line of reasoning was, if Kgpg can't find their key using pool servers, maybe that was the problem for PackageKit and yast. Hence my question as to what keyservers yast/zypp might use to verify keys.

Note: I filed a bug report on Kleopatra because it wouldn't import ANY 4096byte keys (but is happy to work with those keys after you use Kgpg to import them).

-- 
_____________________________________
---This space for rent---
On Tue, Aug 12, 2014 at 02:26:19PM -0700, John Andersen wrote:
On 8/11/2014 11:56 PM, Marcus Meissner wrote:
On Wed, Aug 06, 2014 at 02:45:27PM -0700, John Andersen wrote:
Where is the setting that tells yast which key servers to use. I wanted to add the tox.im repository and I keep getting alerts that the key can't be verified when I import it.
This key wasn't showing up on us pool key servers either but it did show up on some eu pool servers.
For software repositories, yast does not use the key servers.
It tries to import the repodata/repomd.xml.key file for YUM repos.
tox.repo has: [Tox] name=Tox baseurl=https://repo.tox.im/rpm/ gpgcheck=1 gpgkey=https://repo.tox.im/toxbuild.pgp
It seems we do not import it from that gpgkey line yet...
So: wget https://repo.tox.im/toxbuild.pgp rpm --import toxbuild.pgp
Ciao, Marcus
Sending direct and to list due to attachment.....
Thanks,
I discovered that, and had already done exactly as you suggested.
But (perhaps because it's a gpg key) there is another odd bug and I haven't the slightest idea of who to report this to.
After you import the Tox key, and you tell it the key is good, and you install the Tox client, everything is fine until they (tox.im) update this repository.
Then PackageKit reports there is a trust problem (every 20 minutes), "A security trust relationship is not present, Signature verification of Repository Tox.im failed."
and sometimes just "signature verification failed". (2 different notifications).
So some part of the PackageKit or yast or zypp tool chain seems to attempt to verify signatures, and FAILS every time.
As soon as you go into Yast you see the attached message. (image).
So you once again tell it the signature is good, and update the tox client, and everything is OK, no more messages either from PackageKit or Yast.
Until they put another nightly out there, and then the warnings return.
So something in handling of gpg keys (or at least their key) is confusing a simple package update (maybe a hash difference) with a failure of the key, or it triggers a fresh attempt to fetch the key, which fails as above.
You update again, and no more warnings till the next nightly.
This seems to be a race condition... signature repomd.xml.asc is probably updated way later than repomd.xml (manually perhaps). So the behaviour is correct on our side, it is likely a problem on tox.im side.

Ciao, Marcus
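Added example (not part of the original thread, and not openSUSE or tox.im code): a shell diagnostic for the situation Marcus describes, telling a repomd.xml.asc that does not match repomd.xml apart from a missing or expired key. It imports the key file into a throwaway GnuPG keyring and classifies gpg's machine-readable status lines; the names classify_status and check_repo are made up for this example, and it assumes curl and gpg are installed.

```shell
#!/bin/sh
# Added example: diagnose why a repository signature check fails.
# classify_status and check_repo are hypothetical names for this sketch.

# Read gpg --status-fd output on stdin and print one verdict.
# Failure states are tested first so a mixed result never reads as good.
classify_status() {
    status=$(cat)
    case "$status" in
        *"[GNUPG:] BADSIG "*)     echo "mismatch" ;;     # .asc does not match repomd.xml
        *"[GNUPG:] NO_PUBKEY "*)  echo "missing-key" ;;  # signing key not in keyring
        *"[GNUPG:] EXPKEYSIG "*|*"[GNUPG:] REVKEYSIG "*)
                                  echo "key-expired-or-revoked" ;;
        *"[GNUPG:] GOODSIG "*)    echo "good" ;;
        *)                        echo "unknown" ;;
    esac
}

# check_repo BASEURL KEYFILE
# Fetch repodata/repomd.xml and repomd.xml.asc, then verify them against
# KEYFILE in a throwaway keyring (the system rpm keyring is not touched).
check_repo() (
    baseurl=${1%/}
    keyfile=$2
    work=$(mktemp -d) || exit 2
    trap 'rm -rf "$work"' EXIT
    GNUPGHOME=$work/gnupg
    export GNUPGHOME
    mkdir -m 700 "$GNUPGHOME"
    gpg --batch --quiet --import "$keyfile" 2>/dev/null || exit 2
    for f in repomd.xml repomd.xml.asc; do
        curl -fsS -o "$work/$f" "$baseurl/repodata/$f" || exit 2
    done
    verdict=$(gpg --batch --status-fd 1 --verify \
        "$work/repomd.xml.asc" "$work/repomd.xml" 2>/dev/null | classify_status)
    echo "$verdict"
    [ "$verdict" = "good" ]
)

# Run only when called with arguments, e.g.:
#   sh check-repo.sh https://repo.tox.im/rpm toxbuild.pgp
if [ "$#" -ge 2 ]; then
    check_repo "$1" "$2"
fi
```

A "mismatch" verdict with an unchanged key is what a stale repomd.xml.asc looks like from the client side, but gpg cannot tell that apart from altered metadata, so the refresh is correctly rejected until a matching pair is published.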
On 8/13/2014 7:28 AM, Marcus Meissner wrote:
This seems to be a race condition... signature repomd.xml.asc is probably updated way later than repomd.xml (manually perhaps).
So the behaviour is correct on our side, it is likely a problem on tox.im side.
Yes, I've noticed this. The key isn't changed but the date-stamp is touched each time they post a nightly. That seems to be what the Opensuse tool chain is sensitive to. The guy who wrote the packaging tool they use disavows any knowledge. Very difficult to get a hold of the actual person involved at tox.im.

-- 
_____________________________________
---This space for rent---
On 12/08/14 07:56, Marcus Meissner wrote:
On Wed, Aug 06, 2014 at 02:45:27PM -0700, John Andersen wrote:
Where is the setting that tells yast which key servers to use. I wanted to add the tox.im repository and I keep getting alerts that the key can't be verified when I import it.
This key wasn't showing up on us pool key servers either but it did show up on some eu pool servers.
For software repositories, yast does not use the key servers.
It tries to import the repodata/repomd.xml.key file for YUM repos.
tox.repo has: [Tox] name=Tox baseurl=https://repo.tox.im/rpm/ gpgcheck=1 gpgkey=https://repo.tox.im/toxbuild.pgp
It seems we do not import it from that gpgkey line yet...
So: wget https://repo.tox.im/toxbuild.pgp rpm --import toxbuild.pgp
Ciao, Marcus
I just tried this, immediately followed by zypper ref, and got this:

    Retrieving repository 'tox' metadata ...........................[error]
    Repository 'tox' is invalid.
    [|] Valid metadata not found at specified URL
    Please check if the URIs defined for this repository are pointing to a valid repository.
    Skipping repository 'tox' because of the above error.
    Some of the repositories have not been refreshed because of an error.

Bob

-- 
Bob Williams
System: Linux 3.11.10-17-desktop
Distro: openSUSE 13.1 (x86_64) with KDE Development Platform: 4.13.3
Uptime: 06:00am up 17:52, 3 users, load average: 0.01, 0.02, 0.05
On 08/13/2014 10:38 AM, Bob Williams wrote:
Retrieving repository 'tox' metadata ...........................[error] Repository 'tox' is invalid. [|] Valid metadata not found at specified URL Please check if the URIs defined for this repository are pointing to a valid repository.
Bob: There was a brief down-time at the repository within the last hour or two.

-- 
Explain again the part about rm -rf /
On 13/08/14 19:32, John Andersen wrote:
On 08/13/2014 10:38 AM, Bob Williams wrote:
Retrieving repository 'tox' metadata ...........................[error] Repository 'tox' is invalid. [|] Valid metadata not found at specified URL Please check if the URIs defined for this repository are pointing to a valid repository.
Bob: There was a brief down-time at the repository within the last hour or two.
In that case, it's still down :-( I'll try again tomorrow.

-- 
Bob Williams
System: Linux 3.11.10-17-desktop
Distro: openSUSE 13.1 (x86_64) with KDE Development Platform: 4.13.3
Uptime: 06:00am up 17:52, 3 users, load average: 0.01, 0.02, 0.05
On 08/13/2014 12:26 PM, Bob Williams wrote:
On 13/08/14 19:32, John Andersen wrote:
On 08/13/2014 10:38 AM, Bob Williams wrote:
Retrieving repository 'tox' metadata ...........................[error] Repository 'tox' is invalid. [|] Valid metadata not found at specified URL Please check if the URIs defined for this repository are pointing to a valid repository.
Bob: There was a brief down-time at the repository within the last hour or two.
In that case, it's still down :-( I'll try again tomorrow.
Actually I just updated from that repo AFTER I sent you the message.

-- 
Explain again the part about rm -rf /
On 13/08/14 20:35, John Andersen wrote:
On 08/13/2014 12:26 PM, Bob Williams wrote:
On 13/08/14 19:32, John Andersen wrote:
On 08/13/2014 10:38 AM, Bob Williams wrote:
Retrieving repository 'tox' metadata ...........................[error] Repository 'tox' is invalid. [|] Valid metadata not found at specified URL Please check if the URIs defined for this repository are pointing to a valid repository.
Bob: There was a brief down-time at the repository within the last hour or two.
In that case, it's still down :-( I'll try again tomorrow.
Actually I just updated from that repo AFTER I sent you the message.
Apologies, my bad. There was a mistake in the URI.

-- 
Bob Williams
System: Linux 3.11.10-17-desktop
Distro: openSUSE 13.1 (x86_64) with KDE Development Platform: 4.13.3
Uptime: 06:00am up 17:52, 3 users, load average: 0.01, 0.02, 0.05
participants (4)
- Bob Williams
- Carlos E. R.
- John Andersen
- Marcus Meissner