[zypp-devel] gpgkey ignored for rpm-md repositories?
Greetings:

My rpm-md style repository contains *both* repository metadata GPG signatures (i.e. repomd.xml.asc) and RPM packages which have GPG signatures, created via rpm --addsign.

On a YUM-based system (e.g., CentOS 7), I simply need to list all the necessary URLs for both repository GPG and package signing public keys with gpgkey=. When I update the metadata (via yum makecache) all listed keys are automatically imported to the correct place; package signing keys into rpm db and the repository signing key into the YUM keyring.

On OpenSUSE 42.3 with zypper 1.13.40 and libzypp 16.17.10, I have noticed that none of the URLs specified with gpgkey= seem to be imported even after I run zypper --gpg-auto-import-keys refresh reponame. I have verified this by running rpm -qa | grep gpg-pubkey and saw that the keys specified in the repository configuration file were not imported to RPM DB. It seems that the only way to import a package signing key on OpenSUSE 42.3 for an rpm-md style repository is to run rpm --import file.key.

Is this a known issue? Perhaps I am doing something wrong; maybe there is another command I should run to get zypper to import the keys listed with gpgkey other than "refresh"?

If my observation is correct that gpgkeys are not currently being imported by zypper, there might be a relatively straightforward solution: it appears that gpgkey URLs are being parsed from the repo config, they just aren't being used. Perhaps in RepoManager::Impl::refreshMetadata in addition to downloading the raw repository metadata and repository signing key into the cache directory, libzypp could also iterate across gpgKeyUrls() (via the RepoInfo object reference which is passed in), download the keys, and import them into rpm DB (if they have not already been imported).

Thanks,
Joe

--
To unsubscribe, e-mail: zypp-devel+unsubscribe@opensuse.org
To contact the owner, e-mail: zypp-devel+owner@opensuse.org
On Tuesday 03 April 2018 06:49:44 Joe Damato wrote:
> Greetings:
> My rpm-md style repository contains *both* repository metadata GPG signatures (i.e. repomd.xml.asc) and RPM packages which have GPG signatures, created via rpm --addsign.
> On a YUM-based system (e.g., CentOS 7), I simply need to list all the necessary URLs for both repository GPG and package signing public keys with gpgkey=. When I update the metadata (via yum makecache) all listed keys are automatically imported to the correct place; package signing keys into rpm db and the repository signing key into the YUM keyring.
> On OpenSUSE 42.3 with zypper 1.13.40 and libzypp 16.17.10, I have noticed that none of the URLs specified with gpgkey= seem to be imported even after I run zypper --gpg-auto-import-keys refresh reponame. I have verified this by running rpm -qa | grep gpg-pubkey and saw that the keys specified in the repository configuration file were not imported to RPM DB. It seems that the only way to import a package signing key on OpenSUSE 42.3 for an rpm-md style repository is to run rpm --import file.key.
> Is this a known issue? Perhaps I am doing something wrong; maybe there is another command I should run to get zypper to import the keys listed with gpgkey other than "refresh"?
No, you're doing it right. ZYPP is actually not looking into the gpgkey entries. I filed a bug for it at https://bugzilla.suse.com/show_bug.cgi?id=1088037

--
cu,
Michael Andres

Key fingerprint = 2DFA 5D73 18B1 E7EF A862 27AC 3FB8 9E3A 27C6 B0E4
Michael Andres, SUSE LINUX GmbH, Development, ma@suse.com
Maxfeldstrasse 5, D-90409 Nuernberg, Germany, ++49 (0)911 - 74 053-0
SUSE Linux GmbH, GF: Felix Imendörffer, Jane Smithard, Graham Norton, HRB 21284 (AG Nürnberg)
participants (2): Joe Damato, Michael Andres
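
A read-only check for the situation discussed in this thread, as an added example that is not part of either message or of libzypp: it lists the gpgkey= URLs of one repository section and reports which of those keys are absent from the rpm DB. The repo file, alias and URLs are constructed; it assumes POSIX sh with awk, curl, rpm and a gpg that provides --show-keys, and it also accepts yum-style continuation lines, which goes beyond the single-line case in the thread.

```shell
# Added example (not from the thread): report which gpgkey= keys of a repo
# section are absent from the rpm DB. Nothing is imported.
# Constructed sample repo file; alias and URLs are placeholders.
sample_repo() {
cat <<'EOF'
[other]
gpgkey=https://other.example/ignored.key
[reponame]
baseurl=https://repo.example/rpm-md/
gpgcheck=1
gpgkey=https://repo.example/repo-signing.key, https://repo.example/pkg-signing.key
       file:///etc/pki/extra.key
EOF
}

# Print every gpgkey URL of section $2 in repo file $1, one per line. Accepts
# space- or comma-separated URLs and yum-style indented continuation lines.
repo_gpgkey_urls() {
  awk -v want="[$2]" '
    function emit(   n, i, a) {
      gsub(/,/, " "); n = split($0, a, " ")
      for (i = 1; i <= n; i++) print a[i]
    }
    /^\[/                    { insec = ($0 == want); inkey = 0; next }
    !insec                   { next }
    /^gpgkey[ \t]*=/         { sub(/^gpgkey[ \t]*=/, ""); inkey = 1; emit(); next }
    inkey && /^[ \t]+[^ \t]/ { emit(); next }
                             { inkey = 0 }
  ' "$1"
}

# Map a key ID or fingerprint to its rpm DB entry name prefix: rpm names keys
# gpg-pubkey-<last 8 hex digits of the key ID, lower case>-<creation time>.
rpm_pubkey_name() {
  printf '%s\n' "$1" | tr -d ' ' | tr 'A-F' 'a-f' |
    sed 's/^.*\(.\{8\}\)$/gpg-pubkey-\1/'
}

# Fetch each key, read its primary key ID and query the rpm DB for it.
check_repo_keys() {  # $1 = repo file, $2 = repo alias
  repo_gpgkey_urls "$1" "$2" | while read -r url; do
    curl -fsSL "$url" | gpg --show-keys --with-colons 2>/dev/null |
      awk -F: '$1 == "pub" { print $5 }' | while read -r keyid; do
        name=$(rpm_pubkey_name "$keyid")
        rpm -q "$name" >/dev/null 2>&1 && state=present || state=MISSING
        echo "$state $name $url"
      done
  done
}
```

Run it as `check_repo_keys /etc/zypp/repos.d/<file>.repo <alias>`; a MISSING line is a key that still needs a manual `rpm --import` once its fingerprint has been compared against a trusted source.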