tickets #128438

closed

Opensuse GPG keys official URLs

Added by daan.j.demeyer@gmail.com 12 months ago. Updated 9 months ago.

Status: Closed
Priority: Normal
Assignee: -
Category: -
Target version: -
Start date: 2023-04-28
Due date:
% Done: 0%
Estimated time:
Description

Hi,

For building opensuse images with mkosi, I'd like to use dnf instead
of zypper. I'd like to use remote gpgurls in the dnf repo files to
retrieve the OpenSUSE GPG keys but I haven't been able to find an
official location to download these from that I could encode in the
dnf repo files. Neal Gompa advised me to reach out to this address to
see if we could get an official stable location for the GPG keys
online that could be used as the gpgurl field in the dnf repo files
for Opensuse. Any chance these keys are already uploaded at a stable
location somewhere or they could be uploaded somewhere for this
purpose?

Cheers,

Daan De Meyer


Files

opensuse (4.54 KB) opensuse daan.j.demeyer@gmail.com, 2023-05-03 09:30

Actions #1

Updated by crameleon 12 months ago

  • Private changed from Yes to No

Every repository has its signing key in repodata/repomd.xml.key.

Actions #2

Updated by daan.j.demeyer@gmail.com 12 months ago

This seems to work for tumbleweed but fails for stable with GPG check
failures for e.g. system-user-root. Are there any more keys that have
to be configured for the stable distribution?

Cheers,

Daan


Actions #3

Updated by crameleon 12 months ago

Every repository has its signing key at this location, relative to the root of the respective repository.

Actions #4

Updated by crameleon 12 months ago

Example for the OSS repository for 15.4:

https://download.opensuse.org/distribution/leap/15.4/repo/oss/repodata/repomd.xml.key

Example for Tumbleweed:

https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key

Example for a random OBS project's 15.4 repository:

https://download.opensuse.org/repositories/devel:/languages:/python/15.4/repodata/repomd.xml.key

As you can tell, it's always in the same location.

Maybe you could clarify what you are trying to do and what issues you are experiencing, because the URLs to the keys work fine with zypper, and I know of other people using dnf with no issues.

Actions #5

Updated by daan.j.demeyer@gmail.com 12 months ago

I've attached the output when I try to build an opensuse image with
mkosi using dnf, including the contents of the dnf.conf that we pass
to dnf containing the Suse repo definitions. You can see that we
import the GPG key from
https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key
but we still get GPG check failed. If I do the same build but using
"tumbleweed" instead of "current", the build succeeds. So it seems
that the key in the tumbleweed repo is sufficient, but to build
"current", we're still missing some key, even after importing the key
from https://download.opensuse.org/distribution/openSUSE-current/repo/oss/repodata/repomd.xml.key.

Cheers,

Daan


Actions #6

Updated by daan.j.demeyer@gmail.com 12 months ago

Apologies, this was a red herring. It seems we are importing the
necessary keys, but on Fedora 38, the opensuse stable RPM signatures
are considered invalid. I get the following error from rpm on the
opensuse stable rpms: Header RSA signature: BAD (header tag 268:
invalid OpenPGP signature)

I assume this isn't something that can be easily fixed on opensuse's side?

Cheers,

Daan


Actions #7

Updated by daan.j.demeyer@gmail.com 12 months ago

To fully close this out, it turns out there were two issues. The first
one was the keys. I figured out that in repomd.xml for each , there
are extra keys listed that should be used (see
https://bugzilla.opensuse.org/show_bug.cgi?id=1184326). I download
that file now and read the gpg key names and list them as extra gpg
keys in the dnf repo file. The second issue is that for the stable
releases, the rpm-sequoia crypto backend policy on Fedora 38 rejects
the certificate used for the signatures. I haven't figured out how to
solve that one. For now it won't be possible to use mkosi to build
opensuse stable releases on Fedora 38.

Cheers,

Daan

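The key-collection step described in comment #7, sketched as an added example; it is not part of the ticket and not mkosi's own code. It assumes the extra keys appear in repomd.xml as `<content>` entries under `<tags>`, named `gpg-pubkey-<id>-<time>.asc` with an optional `?fpr=<fingerprint>` suffix, and that the key files sit at the repository root. The sample metadata is constructed, and dnf's real option name `gpgkey` is used for what the ticket calls gpgurl.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://linux.duke.edu/metadata/repo}"
# Assumed entry format: gpg-pubkey-<id>-<time>.asc, optionally ?fpr=<40 hex digits>.
KEY_RE = re.compile(
    r"(gpg-pubkey-[0-9a-f]{8}-[0-9a-f]{8}\.asc)(?:\?fpr=([0-9A-Fa-f]{40}))?"
)

# Constructed sample; key names and the fingerprint are placeholders.
SAMPLE_REPOMD = """<repomd xmlns="http://linux.duke.edu/metadata/repo">
  <revision>1</revision>
  <tags>
    <content>pool</content>
    <content>gpg-pubkey-0a1b2c3d-5e6f7081.asc?fpr=0123456789ABCDEF0123456789ABCDEF01234567</content>
    <content>gpg-pubkey-11223344-55667788.asc</content>
    <content>../gpg-pubkey-deadbeef-00000000.asc</content>
  </tags>
</repomd>"""


def extra_keys(repomd_xml):
    """Return [(key_file, fingerprint_or_None)] for key entries in repomd.xml."""
    root = ET.fromstring(repomd_xml)
    keys = []
    for node in root.iterfind(f"{NS}tags/{NS}content"):
        # fullmatch rejects anything that is not a bare key file name,
        # so path components or full URLs in the metadata are never followed.
        match = KEY_RE.fullmatch((node.text or "").strip())
        if match:
            fpr = match.group(2).upper() if match.group(2) else None
            keys.append((match.group(1), fpr))
    return keys


def dnf_repo_section(repo_id, baseurl, repomd_xml):
    """Build a dnf repo section listing repomd.xml.key plus the extra keys."""
    base = baseurl.rstrip("/")
    urls = [f"{base}/repodata/repomd.xml.key"]
    urls += [f"{base}/{name}" for name, _ in extra_keys(repomd_xml)]
    lines = [f"[{repo_id}]", f"name={repo_id}", f"baseurl={base}",
             "gpgcheck=1", "gpgkey=" + " ".join(urls)]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(dnf_repo_section(
        "leap-oss",
        "https://download.opensuse.org/distribution/leap/15.4/repo/oss/",
        SAMPLE_REPOMD))
```

The key list is only as trustworthy as the repomd.xml it was read from, so the fingerprints returned by `extra_keys` are worth comparing against values obtained out of band before the keys are imported.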

Actions #8

Updated by luc14n0 11 months ago

Hi there Daan,

I'm a bit late to bring something to the table, but if you still have interest in this, you could either try out the #opensuse-factory where the folks from openSUSE Release team probably can shed some light on this one for you; or you could send a mail to the Factory mailing list instead.

Cheers,
Luciano

Actions #9

Updated by luc14n0 11 months ago

  • Status changed from New to Feedback

Actions #10

Updated by crameleon 9 months ago

  • Status changed from Feedback to Closed

No feedback, closing.
