[packman] Project signing key cannot be extended on PMBS - Bug?

Stefan Botter jsj at jsj.dyndns.org
Wed Oct 14 13:32:47 CEST 2020


Hi Manfred,

Am Mittwoch, den 14.10.2020, 10:36 +0200 schrieb Manfred Hollstein:
> yesterday I got the message from "zypper ref -f" that my project signing
> key on PMBS will expire in 8 days. I then used the following command to
> extend the key's lifetime:
> 
>   osc -A pmbs signkey --extend home:manfred.h
> 
> where "pmbs" is an alias for "https://pmbs-api.links2linux.de" in my
> ~/.oscrc
> 
> Although running that command resulted in
> 
>   <status code="ok" />
> 
> it didn't appear to have changed anything as "zypper ref -f" today now
> shows this for my key:
> 
>   The gpg key signing file 'repomd.xml' will expire in 7 days.
>     Repository:       home:manfred.h:pmbs.obs
>     Key Name:         home:manfred.h OBS Project <home:manfred.h at packman.links2linux.de>
>     Key Fingerprint:  7D2E3C09 B9D9BE6A 10EEA70D BEBA8597 97A18328
>     Key Created:      Mon Aug 13 15:16:23 2018
>     Key Expires:      Wed Oct 21 15:16:23 2020 (expires in 7 days)
>     Rpm Name:         gpg-pubkey-97a18328-5b7184a7
> 
> @Stefan, can you please check if key management in PMBS works as
> expected?

Yes, apart from the reported problem with MakeMKV there should be no
other problem - at least I hope so :)

GPG key handling in OBS should be automatic, usually there is no need to
manually extend the key lifetime - as far as I know, and have gathered
from OBS developers, mailing list and IRC chat.
Upon publishing of new packages the repository is recreated. If the GPG
key is expired (or perhaps near expiring - IDK), the key's lifetime is
extended, and the repo is signed with the extended key.

Of course you can manually extend the key for your repo, and you did so
successfully. Have a look at
https://pmbs.links2linux.de/project/show/home:manfred.h
and click on the "GPG Key / SSL Certificate" link. This will show you
the expiry date of Dec 23rd, 2022, and gives you the opportunity to
download the public key.

Your repository on the other hand is still signed with the "old"/non-
extended key. Once a package is rebuilt and published - the package has
to be changed(!) - the repo is signed with the extended key.
This behavior is probably a shortcoming in OBS, but usually - normally -
actually - erm, how should I phrase this - packages inside a repo are
"live", and there is no week going by without changes to packages in
repos :) so you will not approach the problem with an expiring key.
It happens, though, when you have a repo with more or less static
packages inside, which do not get updated or changed due to rebuilds.

Submit a "nonsense" package, let it build and publish, and delete the
package. Then your repo will be signed with the extended key.


Greetings,

Stefan
-- 
Stefan Botter zu Hause
Bremen
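The mismatch Stefan describes (project key extended in OBS, repository still carrying the pre-extension copy) can be checked before zypper starts warning. The following is an added example, not code from the thread or from OBS/osc: it compares the key shipped in a repo's `repodata/repomd.xml.key` with the project key served by the OBS API, both assumed to have been run through `gpg --show-keys --with-colons`. The colon-format samples, key IDs and fingerprints below are constructed placeholders; only the epochs follow the dates in the thread.

```python
from datetime import datetime, timezone

# Constructed `gpg --show-keys --with-colons` output (placeholder key ID and
# fingerprint). Epochs follow the thread: created 2018-08-13 15:16:23 CEST,
# repo copy expires 2020-10-21, project copy (after `osc signkey --extend`)
# expires 2022-12-23.
REPO_KEY_COLONS = """\
pub:-:2048:1:0000000000000001:1534166183:1603286183::-:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:-::::1534166183::HASH::example OBS Project <placeholder at example.invalid>::::::::::0:
"""
PROJECT_KEY_COLONS = """\
pub:-:2048:1:0000000000000001:1534166183:1671801383::-:::scSC::::::23::0:
fpr:::::::::0000000000000000000000000000000000000001:
uid:-::::1534166183::HASH::example OBS Project <placeholder at example.invalid>::::::::::0:
"""
# Time of the reply in the thread: 2020-10-14 13:32:47 CEST (11:32:47 UTC).
NOW = datetime(2020, 10, 14, 11, 32, 47, tzinfo=timezone.utc).timestamp()


def parse_key(colons):
    """Return (fingerprint, expiry_epoch) of the primary key; expiry is None if it never expires."""
    fpr, expiry = None, None
    for line in colons.splitlines():
        f = line.split(":")
        if f[0] == "pub":
            expiry = int(f[6]) if f[6] else None  # field 7 of a pub record is the expiry
        elif f[0] == "fpr" and fpr is None:  # first fpr record belongs to the primary key
            fpr = f[9]
    return fpr, expiry


def days_left(expiry, now=NOW):
    return None if expiry is None else int((expiry - now) // 86400)


def check_repo_key(repo_colons, project_colons, now=NOW, warn_days=14):
    """Compare the key signing repomd.xml with the project key OBS serves."""
    repo_fpr, repo_exp = parse_key(repo_colons)
    proj_fpr, proj_exp = parse_key(project_colons)
    findings = []
    d = days_left(repo_exp, now)
    if d is not None and d < warn_days:
        findings.append(f"repo signing key expires in {d} days")
    if repo_fpr != proj_fpr:
        findings.append("repo is signed by a different key than the project key")
    elif repo_exp != proj_exp:
        findings.append("project key was extended but the repo still carries the old expiry; republish a package")
    return findings
```

Running `check_repo_key` on a repo whose key matches the project key and its expiry returns an empty list.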