[packman] packages signed with two different keys?

Pascal Bleser pascal.bleser at skynet.be
Sat Jan 23 16:10:06 CET 2010

On 01/11/2010 11:22 AM, Mathias Homann wrote:
> Am Montag, 11. Januar 2010 10:40:06 schrieb Kyrill Detinov:
>> On Monday 11 January 2010 11:55:45 Mathias Homann wrote:
>>> Seems that the packman build service uses more than one key... and
>>> zypper can't handle that...
>>> any fixes?
>> There is a package rpmkey-packman in repository.
> that's not the point.
> the point is that zypper can, and will, fetch the appropriate key from within 
> the repository. BUT for this to work it can only be ONE key, not more than 
> one.
> OBS (which from what i understand is the underlying build environment) does 
> exactly that: it signs all packages with the same key.
> So, if there are packages in packman that are signed with a different key, 
> they HAVE to be from a different source... which might not be trustworthy.
> After all, that's what signing packages is all about.

We are well aware of that :)

The reason is that we have a distributed build and publishing
environment, where we indeed use OBS to build (and sign) packages, but
then transmit them to another host that serves as the canonical mirror.

The repository metadata is generated and signed on that latter server for
historical reasons (we weren't using OBS in the past, and for 11.0 and
11.1 we have a mix of packages built with our own build scripts as well
as packages built with our OBS instance).

For now, I'm afraid that the only solution is to proceed as Kyrill
explained: zypper in rpmkey-packman

But we should be able to change/fix that for >= 11.2, as from there on,
everything is built with our OBS instance (and hence, the repository
metadata generated on OBS can be used verbatim). Nevertheless, it's not
as trivial as it might sound, as it requires several changes to our
infrastructure. Which means it won't happen right now ;)
I'm adding that on my post-FOSDEM TODO-list ;)
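The situation described in this thread (a repository whose packages carry signatures from more than one key, while zypper only imports the single key that signed the repository metadata) can be checked for on a mirror before anyone hits the error. The script below is an added example, not code from the Packman project or from anyone in this thread. It assumes the output of rpm's query format `%{SIGPGP:pgpsig}` (one line per package, "Key ID <hex>" at the end, or "(none)" for unsigned packages); the package names and key IDs in the embedded sample are constructed placeholders, not Packman's real keys.

```python
"""
Audit which PGP keys signed the packages of an RPM repository and flag a
mixed-key repository (the failure mode discussed in the thread).

Usage on a real mirror directory:
    rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} %{SIGPGP:pgpsig}\n' *.rpm \
        | python3 audit_keys.py [EXPECTED_KEY_ID]

Without stdin input the constructed SAMPLE lines below are audited instead.
"""
import re
import sys
from collections import defaultdict

# rpm prints the signature header as e.g.
#   "RSA/SHA256, Mon 18 Jan 2010 12:00:00 CET, Key ID 1111111111111111"
# and "(none)" for an unsigned package. Only the trailing key ID matters here.
KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{8,16})\s*$")

# Constructed sample output (placeholder names and key IDs, not real packages).
SAMPLE = [
    "foo-1.0-1.1 RSA/SHA256, Mon 18 Jan 2010 12:00:00 CET, Key ID 1111111111111111",
    "bar-2.3-0.1 RSA/SHA256, Mon 18 Jan 2010 12:00:00 CET, Key ID 1111111111111111",
    "baz-0.9-3.2 DSA/SHA1, Tue 12 May 2009 09:30:00 CEST, Key ID 2222222222222222",
    "qux-4.0-1 (none)",
]


def parse_line(line):
    """Return (package, key_id); key_id is None for unsigned packages."""
    line = line.strip()
    if not line:
        return None
    pkg, _, sig = line.partition(" ")
    m = KEYID_RE.search(sig)
    return pkg, (m.group(1).lower() if m else None)


def audit(lines, expected_key=None):
    """Group packages by signing key and decide whether the repo is consistent.

    Returns a dict with
      by_key   : {key_id: [packages]}
      unsigned : packages without a PGP signature
      foreign  : packages signed by a key other than expected_key (if given)
      ok       : True only if every package is signed, all by one key, and
                 that key is expected_key when one was supplied.
    """
    by_key = defaultdict(list)
    unsigned = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        pkg, key = parsed
        if key is None:
            unsigned.append(pkg)
        else:
            by_key[key].append(pkg)
    expected = expected_key.lower() if expected_key else None
    foreign = [p for k, pkgs in by_key.items()
               if expected and k != expected for p in pkgs]
    ok = (not unsigned and len(by_key) == 1
          and (expected is None or expected in by_key))
    return {"by_key": dict(by_key), "unsigned": unsigned,
            "foreign": foreign, "ok": ok}


def report(result):
    """Human-readable summary of an audit() result."""
    out = []
    for key, pkgs in sorted(result["by_key"].items()):
        out.append(f"key {key}: {len(pkgs)} package(s)")
    if result["unsigned"]:
        out.append("UNSIGNED: " + ", ".join(result["unsigned"]))
    if result["foreign"]:
        out.append("signed by an unexpected key: " + ", ".join(result["foreign"]))
    out.append("repository key usage is consistent" if result["ok"]
               else "WARNING: mixed or missing signatures; zypper will reject some packages")
    return "\n".join(out)


if __name__ == "__main__":
    expected = sys.argv[1] if len(sys.argv) > 1 else None
    src = SAMPLE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print(report(audit(src, expected)))
```

Passing the key ID that signed the repository metadata (the one zypper imports) as the optional argument turns the check from "is there more than one key?" into "does every package match the key clients will actually trust?", which is the condition that has to hold before the rpmkey-packman workaround can be dropped.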

