[packman] Project signing key cannot be extended on PMBS - Bug?

Manfred Hollstein manfred.h at gmx.net
Wed Oct 14 13:41:54 CEST 2020 

Hi Stefan,

On Wed, 14 Oct 2020, 13:32:47 +0200, Stefan Botter wrote:
> Hi Manfred,
> 
> Am Mittwoch, den 14.10.2020, 10:36 +0200 schrieb Manfred Hollstein:
> > yesterday I got the message from "zypper ref -f" that my project
> > signing
> > key on PMBS will expire in 8 days. I then used the following command
> > to
> > extend the key's lifetime:
> > 
> >   osc -A pmbs signkey --extend home:manfred.h
> > 
> > where "pmbs" is an alias for "https://pmbs-api.links2linux.de" in my
> > ~/.oscrc
> > 
> > Although running that command resulted in
> > 
> >   <status code="ok" />
> > 
> > it didn't appear to have changed anything as "zypper ref -f" today now
> > shows this for my key:
> > 
> >   The gpg key signing file 'repomd.xml' will expire in 7 days.
> >     Repository:       home:manfred.h:pmbs.obs
> >     Key Name:         home:manfred.h OBS Project <home:
> > manfred.h at packman.links2linux.de>
> >     Key Fingerprint:  7D2E3C09 B9D9BE6A 10EEA70D BEBA8597 97A18328
> >     Key Created:      Mon Aug 13 15:16:23 2018
> >     Key Expires:      Wed Oct 21 15:16:23 2020 (expires in 7 days)
> >     Rpm Name:         gpg-pubkey-97a18328-5b7184a7
> > 
> > @Stefan, can you please check if key managemend in PMBS works as
> > expected?
> 
> Yes, apart from the reported problem with MakeMKV there should be no
> other problem - at least I hope so :)
> 
> GPG key handling in OBS should be automatic, usually there is no need to
> manually extend the key lifetime - as far as I know, and have gathered
> from OBS developers, mailinglist and IRC chat.
> Upon publishing of new packages the repository is recreated. If the GPG
> key is expired (or perhaps near expiring - IDK), the key's lifetime is
> extended, and the repo is signed with the extended key.
> 
> Of course you can manually extend the key for your repo, and you did so
> successfully. Have a look at 
> https://pmbs.links2linux.de/project/show/home:manfred.h
> and click on the "GPG Key / SSL Certificate" link. This will show you
> the expiry date of Dec 23rd, 2022, and gives your the opportunity to
> download the public key.
> 
> Your repository on the other hand is still signed with the "old"/non-
> extended key. Once a package is rebuild and published - the package has
> to be changed(!) - the repo is signed with the extended key.
> This behavior is probably a shortcoming in OBS, but usually - normally -
> actually - erm, how should I phrase this - packages inside a repo are
> "live", and there is no week going by without changes to packages in
> repos :) so you will not approach the problem with an expiring key.
> It happens, though, when you have a repo with more or less static
> packages inside, which do not get updated or changed due to rebuilds.

thanks a lot for the great explanation! Indeed, I mostly use my repo to
check newer Kodi based stuff, which apparently happened quite some time
ago...

> Submit a "nonsense" package, let it build and publish, and delete the
> package. Then your repo will be signed with the extended key.

Will do so! Thanks again for your great work!

> Greetings,
> 
> Stefan

Cheers.

l8er
manfred
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.links2linux.de/pipermail/packman/attachments/20201014/a4d64e68/attachment.sig>

More information about the Packman mailing list