tickets #128438
closedOpensuse GPG keys official URLs
0%
Description
Hi,
For building opensuse images with mkosi, I'd like to use dnf instead
of zypper. I'd like to use remote gpgurls in the dnf repo files to
retrieve the OpenSUSE GPG keys but I haven't been able to find an
official location to download these from that I could encode in the
dnf repo files. Neal Gompa advised me to reach out to this address to
see if we could get an official stable location for the GPG keys
online that could be used as the gpgurl field in the dnf repo files
for Opensuse. Any chance these keys are already uploaded at a stable
location somewhere or they could be uploaded somewhere for this
purpose?
Cheers,
Daan De Meyer
Files
Updated by crameleon over 1 year ago
- Private changed from Yes to No
Every repository has its signing key in repodata/repomd.xml.key
.
Updated by daan.j.demeyer@gmail.com over 1 year ago
This seems to work for tumbleweed but fails for stable with GPG check
failures for e.g. system-user-root. Are there any more keys that have
to be configured for the stable distribution?
Cheers,
Daan
On Fri, 28 Apr 2023 at 21:23, redmine@opensuse.org wrote:
[openSUSE Tracker]
Issue #128438 has been updated by crameleon.Private changed from Yes to No
Every repository has its signing key in
repodata/repomd.xml.key
.
tickets #128438: Opensuse GPG keys official URLs
https://progress.opensuse.org/issues/128438#change-628259
- Author: daan.j.demeyer@gmail.com
- Status: New
- Priority: Normal
- Assignee:
- Category:
* Target version:¶
Hi,
For building opensuse images with mkosi, I'd like to use dnf instead
of zypper. I'd like to use remote gpgurls in the dnf repo files to
retrieve the OpenSUSE GPG keys but I haven't been able to find an
official location to download these from that I could encode in the
dnf repo files. Neal Gompa advised me to reach out to this address to
see if we could get an official stable location for the GPG keys
online that could be used as the gpgurl field in the dnf repo files
for Opensuse. Any chance these keys are already uploaded at a stable
location somewhere or they could be uploaded somewhere for this
purpose?Cheers,
Daan De Meyer
--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://progress.opensuse.org/my/account
Updated by crameleon over 1 year ago
Every repository has its signing key at this location. Relative to the root of the respective repository.
Updated by crameleon over 1 year ago
Example for the OSS repository for 15.4:
https://download.opensuse.org/distribution/leap/15.4/repo/oss/repodata/repomd.xml.key
Example for Tumbleweed:
https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key
Example for a random OBS project's 15.4 repository:
https://download.opensuse.org/repositories/devel:/languages:/python/15.4/repodata/repomd.xml.key
As you can tell, it's always in the same location.
Maybe you could clarify what you are trying to do and what issues you are experiencing, because the URL's to the keys work fine with zypper, and I know of other people using dnf with no issues.
Updated by daan.j.demeyer@gmail.com over 1 year ago
I've attached the output when I try to build an opensuse image with
mkosi using dnf, including the contents of the dnf.conf that we pass
to dnf containing the Suse repo definitions. You can see that we
import the GPG key from
https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key
but we still get GPG check failed. If I do the same build but using
"tumbleweed" instead of "current", the build succeeds. So it seems
that the key in the tumbleweed repo is sufficient, but to build
"current", we're still missing some key, even after importing the key
from https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key.
Cheers,
Daan
On Tue, 2 May 2023 at 19:22, redmine@opensuse.org wrote:
[openSUSE Tracker]
Issue #128438 has been updated by crameleon.Example for the OSS repository for 15.4:
https://download.opensuse.org/distribution/leap/15.4/repo/oss/repodata/repomd.xml.key
Example for Tumbleweed:
https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key
Example for a random OBS project's 15.4 repository:
https://download.opensuse.org/repositories/devel:/languages:/python/15.4/repodata/repomd.xml.key
As you can tell, it's always in the same location.
Maybe you could clarify what you are trying to do and what issues you are experiencing, because the URL's to the keys work fine with zypper, and I know of other people using dnf with no issues.
tickets #128438: Opensuse GPG keys official URLs
https://progress.opensuse.org/issues/128438#change-628745
- Author: daan.j.demeyer@gmail.com
- Status: New
- Priority: Normal
- Assignee:
- Category:
* Target version:¶
Hi,
For building opensuse images with mkosi, I'd like to use dnf instead
of zypper. I'd like to use remote gpgurls in the dnf repo files to
retrieve the OpenSUSE GPG keys but I haven't been able to find an
official location to download these from that I could encode in the
dnf repo files. Neal Gompa advised me to reach out to this address to
see if we could get an official stable location for the GPG keys
online that could be used as the gpgurl field in the dnf repo files
for Opensuse. Any chance these keys are already uploaded at a stable
location somewhere or they could be uploaded somewhere for this
purpose?Cheers,
Daan De Meyer
--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://progress.opensuse.org/my/account
Updated by daan.j.demeyer@gmail.com over 1 year ago
Apologies, this was a red herring. It seems we are importing the
necessary keys, but on Fedora 38, the opensuse stable RPM signatures
are considered invalid. I get the following error from rpm on the
opensuse stable rpms: Header RSA signature: BAD (header tag 268:
invalid OpenPGP signature)
I assume this isn't something that can be easily fixed on opensuse's side?
Cheers,
Daan
On Wed, 3 May 2023 at 11:30, Daan De Meyer daan.j.demeyer@gmail.com wrote:
I've attached the output when I try to build an opensuse image with
mkosi using dnf, including the contents of the dnf.conf that we pass
to dnf containing the Suse repo definitions. You can see that we
import the GPG key from
https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key
but we still get GPG check failed. If I do the same build but using
"tumbleweed" instead of "current", the build succeeds. So it seems
that the key in the tumbleweed repo is sufficient, but to build
"current", we're still missing some key, even after importing the key
from https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key.Cheers,
Daan
On Tue, 2 May 2023 at 19:22, redmine@opensuse.org wrote:
[openSUSE Tracker]
Issue #128438 has been updated by crameleon.Example for the OSS repository for 15.4:
https://download.opensuse.org/distribution/leap/15.4/repo/oss/repodata/repomd.xml.key
Example for Tumbleweed:
https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key
Example for a random OBS project's 15.4 repository:
https://download.opensuse.org/repositories/devel:/languages:/python/15.4/repodata/repomd.xml.key
As you can tell, it's always in the same location.
Maybe you could clarify what you are trying to do and what issues you are experiencing, because the URL's to the keys work fine with zypper, and I know of other people using dnf with no issues.
tickets #128438: Opensuse GPG keys official URLs
https://progress.opensuse.org/issues/128438#change-628745
- Author: daan.j.demeyer@gmail.com
- Status: New
- Priority: Normal
- Assignee:
- Category:
* Target version:¶
Hi,
For building opensuse images with mkosi, I'd like to use dnf instead
of zypper. I'd like to use remote gpgurls in the dnf repo files to
retrieve the OpenSUSE GPG keys but I haven't been able to find an
official location to download these from that I could encode in the
dnf repo files. Neal Gompa advised me to reach out to this address to
see if we could get an official stable location for the GPG keys
online that could be used as the gpgurl field in the dnf repo files
for Opensuse. Any chance these keys are already uploaded at a stable
location somewhere or they could be uploaded somewhere for this
purpose?Cheers,
Daan De Meyer
--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://progress.opensuse.org/my/account
Updated by daan.j.demeyer@gmail.com over 1 year ago
To fully close this out, it turns out there were two issues. The first
one was the keys. I figured out that in repomd.xml for each , there
are extra keys listed that should be used (see
https://bugzilla.opensuse.org/show_bug.cgi?id=1184326). I download
that file now and read the gpg key names and list them as extra gpg
keys in the dnf repo file. The second issue is that for the stable
releases, the rpm-sequoia crypto backend policy on Fedora 38 rejects
the certificate used for the signatures. I haven't figured out how to
solve that one. For now it won't be possible to use mkosi to build
opensuse stable releases on Fedora 38.
Cheers,
Daan
On Wed, 3 May 2023 at 12:09, Daan De Meyer daan.j.demeyer@gmail.com wrote:
Apologies, this was a red herring. It seems we are importing the
necessary keys, but on Fedora 38, the opensuse stable RPM signatures
are considered invalid. I get the following error from rpm on the
opensuse stable rpms: Header RSA signature: BAD (header tag 268:
invalid OpenPGP signature)I assume this isn't something that can be easily fixed on opensuse's side?
Cheers,
Daan
On Wed, 3 May 2023 at 11:30, Daan De Meyer daan.j.demeyer@gmail.com wrote:
I've attached the output when I try to build an opensuse image with
mkosi using dnf, including the contents of the dnf.conf that we pass
to dnf containing the Suse repo definitions. You can see that we
import the GPG key from
https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key
but we still get GPG check failed. If I do the same build but using
"tumbleweed" instead of "current", the build succeeds. So it seems
that the key in the tumbleweed repo is sufficient, but to build
"current", we're still missing some key, even after importing the key
from https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key.Cheers,
Daan
On Tue, 2 May 2023 at 19:22, redmine@opensuse.org wrote:
[openSUSE Tracker]
Issue #128438 has been updated by crameleon.Example for the OSS repository for 15.4:
https://download.opensuse.org/distribution/leap/15.4/repo/oss/repodata/repomd.xml.key
Example for Tumbleweed:
https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key
Example for a random OBS project's 15.4 repository:
https://download.opensuse.org/repositories/devel:/languages:/python/15.4/repodata/repomd.xml.key
As you can tell, it's always in the same location.
Maybe you could clarify what you are trying to do and what issues you are experiencing, because the URL's to the keys work fine with zypper, and I know of other people using dnf with no issues.
tickets #128438: Opensuse GPG keys official URLs
https://progress.opensuse.org/issues/128438#change-628745
- Author: daan.j.demeyer@gmail.com
- Status: New
- Priority: Normal
- Assignee:
- Category:
* Target version:¶
Hi,
For building opensuse images with mkosi, I'd like to use dnf instead
of zypper. I'd like to use remote gpgurls in the dnf repo files to
retrieve the OpenSUSE GPG keys but I haven't been able to find an
official location to download these from that I could encode in the
dnf repo files. Neal Gompa advised me to reach out to this address to
see if we could get an official stable location for the GPG keys
online that could be used as the gpgurl field in the dnf repo files
for Opensuse. Any chance these keys are already uploaded at a stable
location somewhere or they could be uploaded somewhere for this
purpose?Cheers,
Daan De Meyer
--
You have received this notification because you have either subscribed to it, or are involved in it.
To change your notification preferences, please click here: http://progress.opensuse.org/my/account
Updated by luc14n0 over 1 year ago
Hi there Daan,
I'm a bit late to bring something to the table, but if you still have interest on this, you could either try out the #opensuse-factory where the folks from openSUSE Release team probably can shed some light on this one for you; or you could send a mail to the Factory mailing list instead.
Cheers,
Luciano