[packman] digests SIGNATURES NOT OK

Marc Schiffbauer marc at links2linux.de
Mon Dec 13 09:35:02 CET 2021


* Stefan Seyfried schrieb am 12.12.21 um 00:04 Uhr:
> On 12.12.21 09:20, Marc Schiffbauer wrote:
> > Hi Giacomo,
> > 
> > we should really create a new gpg key for the repo.
> > 
> > @Stefan: What do you think?
> 
> Another Stefan here, but still ;-)
> 
> Changing the key should be advertised in advance, in prominent places.
> 
> Really the best solution (if possible) would be if the new key could be
> signed by the old one and thus automatically accepted by zypper et al.
> I have no idea if this is even possible, nor how to implement it in OBS. A
> plain "osc signkey --create" will simply wipe the old one and create a new
> key, but that would cause a bad user experience :-(
> 
> Maybe we should ask security-team at suse.de for help on how to handle this
> best? They surely must be prepared for updating a key.


The signatures that OBS is attaching to the packages are not the same
ones that the packages in the repo are signed with: all packages are being
re-signed in the release process to the mirrors.

But yes, signing a new key with the old one is a good idea.

-Marc

-- 
0xCA3E7BF67F979BE5 - F7FB 78F7 7CC3 79F6 DF07
                     6E9E CA3E 7BF6 7F97 9BE5
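As an added example (not from this thread, OBS or the Packman project), the cross-certification discussed above done with plain gpg in throw-away keyrings: the old repository key certifies the new one, and a client-style keyring that trusts only the old key is then asked what validity it gives the new key. The key names and addresses are constructed; the example shows only what gpg's trust model does with such a certification, and says nothing about whether zypper or rpm honour it, which is the question the thread leaves open.

```shell
#!/bin/sh
# Added example (not from the thread or from OBS): rotate a repository signing key by
# certifying the NEW key with the OLD one, then check from a client-style keyring that
# trusts only the old key whether the new key becomes valid. All keys are throw-away.
set -eu
command -v gpg >/dev/null 2>&1 || { echo "gpg is required" >&2; exit 1; }

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
export GNUPGHOME="$WORK/maintainer"
mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"

# Unattended gpg; the throw-away keys carry no passphrase.
gpg_q() { gpg --batch --yes --quiet --pinentry-mode loopback --passphrase '' "$@"; }

# Primary-key fingerprint for a user id (constructed addresses below).
fpr_of() { gpg --batch --with-colons --list-keys "$1" | awk -F: '$1=="fpr"{print $10; exit}'; }

gpg_q --quick-generate-key "Repo Key (old) <old@example.invalid>" ed25519 sign never
gpg_q --quick-generate-key "Repo Key (new) <new@example.invalid>" ed25519 sign never
OLD=$(fpr_of old@example.invalid)
NEW=$(fpr_of new@example.invalid)

# Maintainer step: the old key certifies the new key (a key signature, not a package signature).
gpg_q --local-user "$OLD" --sign-key "$NEW"

# Publish only the public halves, as a repository would.
gpg --batch --armor --export "$OLD" > "$WORK/old.pub"
gpg --batch --armor --export "$NEW" > "$WORK/new.pub"

# Number of good certifications on the new key that were made by the old key (expect 1).
cross_certs() {
  gpg --batch --with-colons --check-sigs "$NEW" \
    | awk -F: -v old="$OLD" '$1=="sig" && $2=="!" && substr(old, length(old)-15)==$5 {n++} END{print n+0}'
}

# Client side: a fresh keyring that trusts ONLY the old key, then imports both public keys.
# Prints the validity gpg assigns to the new key: "f" means fully valid via the old key.
client_validity() (
  GNUPGHOME="$WORK/client"; export GNUPGHOME
  mkdir -p "$GNUPGHOME" && chmod 700 "$GNUPGHOME"
  gpg --batch --quiet --import "$WORK/old.pub" "$WORK/new.pub" 2>/dev/null
  echo "$OLD:6:" | gpg --batch --quiet --import-ownertrust 2>/dev/null
  gpg --batch --quiet --check-trustdb 2>/dev/null
  gpg --batch --with-colons --list-keys "$NEW" | awk -F: '$1=="pub"{print $2; exit}'
)

echo "certifications by old key on new key: $(cross_certs)"
echo "validity of new key in client keyring: $(client_validity)"
```

A key that the client has never imported gets validity "-" in the same listing, so the difference between a freshly imported, uncertified key and one the old key has certified is visible in that single column.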
