[packman] digests SIGNATURES NOT OK

Giacomo Comes comes at naic.edu
Sun Dec 12 14:44:59 CET 2021


On Sun, Dec 12, 2021 at 11:55:33AM +0100, Carlos E. R. wrote:
> On 12/12/2021 11.04, Stefan Seyfried wrote:
> >On 12.12.21 09:20, Marc Schiffbauer wrote:
> >>Hi Giacomo,
> >>
> >>we should really create a new gpg key for the repo.
> >>
> >>@Stefan: What do you think?
> >
> >Another Stefan here, but still ;-)
> >
> >Changing the key should be advertised in advance, in prominent places.
> >
> >Really the best solution (if possible) would be if the new key could be
> >signed by the old one and thus automatically accepted by zypper et al.
> >I have no idea if this is even possible, nor how to implement it in OBS. A
> >plain "osc signkey --create" will simply wipe the old one and create a new
> >key, but that would cause a bad user experience :-(
> 
> 
> I think you sign a key the same way you do for email.
> 
> You must have both keys in a ring, and use the pgp command to sign one with
> the other. You need the private key of the old one to do this. And then, you
> upload this change to the key servers to propagate.
> 
> something like:
> 
> gpg2 --edit-key somekey sign

I have more information about the key problem.

Some time ago the package rpm in openSUSE was patched with
PGP hardening changes from upstream (bsc#1185299).
This caused a problem with the current packman key.
However, the key itself is not bad. It's just that
the rpm code before patching and the code after patching
will consider the same key as different.

The solution for me was to delete the packman key
(rpm -e gpg-pubkey-1abd1afb-54176598) and then,
when asked, reimport the key.

After that, everything worked fine.

Giacomo
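Added example, not part of Giacomo's message or of Packman's own tooling: a small POSIX shell script that locates the installed gpg-pubkey record for a short key id in the output of "rpm -q gpg-pubkey", decodes the two hex fields rpm puts in that name (the low 32 bits of the key id, then the key's creation time as hex seconds since the epoch), and, before removing the record and re-importing from a file, compares the file's fingerprint with a known-good value so a stale record is not replaced by a different key. The sample rpm output, the second key entry, both summary strings, the key file path and the expected fingerprint are constructed placeholders; the Packman record name gpg-pubkey-1abd1afb-54176598 is the one given in the message.

```shell
#!/bin/sh
# Added example (not from the post or the Packman project).
# Assumption: rpm names an imported key gpg-pubkey-<low 32 bits of key id>-<creation
# time in hex>; the sample output, key file path and fingerprint below are made up.

# Fields of an rpm gpg-pubkey package name: gpg-pubkey-<keyid>-<ctime>
pubkey_keyid() { echo "$1" | cut -d- -f3; }
pubkey_ctime() { printf '%d\n' "$((0x$(echo "$1" | cut -d- -f4)))"; }

# Reduce "rpm -q gpg-pubkey --qf '%{NAME}-%{VERSION}-%{RELEASE}\t%{SUMMARY}\n'"
# output (read from stdin) to the package name(s) carrying a given short key id.
find_pubkey_pkgs() {
  awk -F'\t' -v id="$1" '$1 ~ ("^gpg-pubkey-" id "-") { print $1 }'
}

# Constructed sample of that rpm output so the script runs offline; the second
# entry and both summary strings are placeholders, not real keys.
SAMPLE_RPM_OUTPUT=$(printf 'gpg-pubkey-1abd1afb-54176598\tgpg(Packman repository key <packman@example.org>)\ngpg-pubkey-0badf00d-5e000000\tgpg(Other vendor key <vendor@example.org>)')

# Drop the stale record and re-import the key from a file, but only if the file's
# fingerprint matches the value obtained out of band. Needs rpm and GnuPG >= 2.2.
reimport_key() {
  pkg="$1"; keyfile="$2"; expected_fpr="$3"
  fpr=$(gpg --with-colons --show-keys "$keyfile" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  if [ "$fpr" != "$expected_fpr" ]; then
    echo "fingerprint mismatch for $keyfile: got '$fpr'" >&2
    return 1
  fi
  rpm -e "$pkg" && rpm --import "$keyfile"
}

pkg=$(printf '%s\n' "$SAMPLE_RPM_OUTPUT" | find_pubkey_pkgs 1abd1afb)
echo "record: $pkg  key id: $(pubkey_keyid "$pkg")  created (epoch): $(pubkey_ctime "$pkg")"
# On a real host, replace the sample with the live rpm query and then run, e.g.:
#   reimport_key "$pkg" /path/to/packman.key <expected fingerprint>
```

On a real system pipe the live rpm query into find_pubkey_pkgs instead of the sample, and take the expected fingerprint from a source other than the key file itself (the repository's web page or a previously trusted copy). The decoded creation time can be turned into a date with "date -u -d @<seconds>" on GNU systems and compared with what "gpg --show-keys" prints for the file, which is a quick way to confirm the record being removed belongs to the key being re-imported.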


