On 8/11/2014 11:56 PM, Marcus Meissner wrote:
On Wed, Aug 06, 2014 at 02:45:27PM -0700, John Andersen wrote:
Where is the setting that tells yast which key servers to use. I wanted to add the tox.im repository and I keep getting alerts that the key can't be verified when I import it.
This key wasn't showing up on us pool key servers either but it did show up on some eu pool servers.
For software repositories, yast does not use the key servers.
It tries to import the repodata/repomd.xml.key file for YUM repos.
tox.repo has: [Tox] name=Tox baseurl=https://repo.tox.im/rpm/ gpgcheck=1 gpgkey=https://repo.tox.im/toxbuild.pgp
It seems we do not import it from that gpgkey line yet...
So: wget https://repo.tox.im/toxbuild.pgp rpm --import toxbuild.pgp
Ciao, Marcus
Sending direct and to list due to attachment..... Thanks, I discovered that, and had already done exactly as you suggested. But (perhaps because its a gpg key) there is another odd bug and I haven't the slightest Idea of who the report this to. After you import the Tox key, and you tell it the key is good, and you install the Tox client, everything is fine until they (tox.im) update this repository. Then PackageKit report there is a trust problem (every 20 minutes), "A security trust relationship is not present, Signature verification of Repository Tox.im failed." and sometimes just "signature verification failed". (2 different notifications). So some part of Packetekit or yast or zypp tool chain seems to attempt to verify signatures, and FAILS every time. As soon as you go into Yast you see the attached message. (image). So you once again tell it the signature is good, and update the tox client, and everything is OK, no more messages either from PackegeKit or Yast. Until they put another nightly out there, and then the warnings return. So something in handling of gpg keys (or at least their key) is confusing a simple package update (maybe a hash difference) with a failure of the key, or it triggers a fresh attempt to fetch the key, which fails as above. You update again, and no more warnings till the next nightly. When I manually tried to import their public signing key into Kgpg, it could not be verified with the pool keyservers, and I used a specific EU server. (zimmermann.mayfirst.org) and that verified the key in Kgpg. So, my line of reasoning was, If Kgpg can't find their key using pool servers, maybe that was the problem for PackageKit and yast, Hence my question as to what keyservers yast/zypp might use to verify keys. Note: I filed a bug report on Kleopatra because it wouldn't import ANY 4096byte keys, but is happy to work with those keys after you use Kgpg to import them). -- _____________________________________ ---This space for rent---