[packman] Packman repository migration: done

Pascal Bleser pascal.bleser at opensuse.org
Thu Mar 10 17:05:14 CET 2011


What happened earlier about the broken repository signature: we
simply forgot to update the signature after creating the
metadata (it's a bit more complex, but in essence, it's what
happened).

This is fixed now, and all mirrors [1] should be up-to-date with
correct signatures.

Most of you who have been using the Packman repository for some
time probably remember the hassle that YaST and zypper were
always complaining about "NOKEY" on the packages.
The reason was that our packages were signed with a different
key than the repository metadata.
Zypper and YaST have a mechanism to import keys when you refresh
a repository for the first time: it's when it prompts you
whether you want to accept that key temporarily/always/etc...

The problem for Packman is that it imports the key
(repodata/repomd.xml.key) that is used to sign the repository
metadata (repodata/repomd.xml.asc), but it doesn't have any
mechanism to also import another key that is used to sign the
RPM files (the signatures are inside the RPM files).

Now we implemented a mechanism to re-sign the packages with the
same key as the one used for the repository metadata and, hence,
there won't be any "NOKEY" warnings nor any need to install the
package "rpmkey-packman" any more.

On a side note, here is the relevant data about that key:
* it's a 4096 RSA key
* Key ID: 45A1D0671ABD1AFB
  (shows up as ID "1ABD1AFB" in RPM)
* Key Name: PackMan Project (signing key) <packman at links2linux.de>
* Key Fingerprint: F8875B880D518B6B8C530D1345A1D0671ABD1AFB
* Key Created: Mon Sep 20 20:37:32 2010
* Key Expires: Fri Sep 19 20:37:11 2014

Apart from that, Marc Schiffbauer and I finished implementing a
mechanism to prevent mirrors from pulling files while our OBS
instance is pushing files into the same tree, which has led to
repositories being a bit corrupt/incomplete over the past week.

As already explained, if you're missing a package that used to
be in the Packman repository but isn't any more, please poke us
(gently ;)) at packman at links2linux.de

[1] http://packman.links2linux.org/MIRRORS.html

cheers
-- 
  -o) Pascal Bleser
  /\\ http://opensuse.org -- we haz green
 _\_v http://fosdem.org   -- we haz conf
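
The check described in the message, as an added example that is not part of the original post or of Packman's tooling: confirm that the repository key matches the announced fingerprint, then flag packages signed with any other key (the ones that would show "NOKEY"). The sample inputs are constructed; the `gpg --with-colons --show-keys` and `rpm -qp --qf '%{NAME} %{SIGPGP:pgpsig}\n'` output layouts, the package names and the second key ID are assumptions.

```python
import re

# Fingerprint as published in the announcement above.
ANNOUNCED_FPR = "F8875B880D518B6B8C530D1345A1D0671ABD1AFB"

# Constructed sample of `gpg --with-colons --show-keys repomd.xml.key` output.
SAMPLE_GPG_COLONS = """\
pub:-:4096:1:45A1D0671ABD1AFB:::::::
fpr:::::::::F8875B880D518B6B8C530D1345A1D0671ABD1AFB:
"""

# Constructed sample of `rpm -qp --qf '%{NAME} %{SIGPGP:pgpsig}\\n' *.rpm` output.
SAMPLE_RPM_SIGS = """\
pkg-a RSA/SHA1, Thu 10 Mar 2011 10:00:00 AM CET, Key ID 45a1d0671abd1afb
pkg-b RSA/SHA1, Tue 01 Feb 2011 09:00:00 AM CET, Key ID 00000000deadbeef
pkg-c (none)
"""

def primary_fingerprints(colons):
    """Fingerprints of primary keys (fpr records that follow a pub record)."""
    found, last = [], None
    for line in colons.splitlines():
        fields = line.split(":")
        if fields[0] in ("pub", "sub"):
            last = fields[0]
        elif fields[0] == "fpr" and last == "pub" and len(fields) > 9:
            found.append(fields[9].upper())
    return found

def key_ids(fpr):
    """Long (16 hex) and short (8 hex) key IDs are the tail of the fingerprint."""
    return fpr[-16:], fpr[-8:]

def check_repo(colons, rpm_sigs, announced=ANNOUNCED_FPR):
    """Map each package to 'ok', 'NOKEY' (signed by another key) or 'unsigned'."""
    announced = announced.upper()
    if announced not in primary_fingerprints(colons):
        raise ValueError("repository key does not match the announced fingerprint")
    long_id, _ = key_ids(announced)
    report = {}
    for line in rpm_sigs.splitlines():
        name, _, sig = line.partition(" ")
        m = re.search(r"Key ID ([0-9a-fA-F]{8,16})\s*$", sig)
        if not m:
            report[name] = "unsigned"
        elif long_id.endswith(m.group(1).upper()):
            report[name] = "ok"  # an 8-hex short ID only matches by suffix
        else:
            report[name] = "NOKEY"
    return report
```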