[packman] digests SIGNATURES NOT OK

Stefan Seyfried stefan.seyfried at googlemail.com
Mon Dec 13 21:03:10 CET 2021


Hi Marc,

On 13.12.21 09:35, Marc Schiffbauer wrote:
> * Stefan Seyfried wrote on 12.12.21 at 00:04:
>> Really the best solution (if possible) would be if the new key could be
>> signed by the old one and thus automatically accepted by zypper et al.
>> I have no idea if this is even possible, nor how to implement it in OBS. A
>> plain "osc signkey --create" will simply wipe the old one and create a new
>> key, but that would cause a bad user experience :-(
>>
>> Maybe we should ask security-team at suse.de for help on how to handle this
>> best? They surely must be prepared for updating a key.
> 
> 
> The signatures that OBS is attaching to the packages are not the same
> ones that the packages in the repo are signed with: all packages are being
> re-signed in the release process to the mirrors.

Ok, this at least saves us from having to teach OBS to use a very custom 
key ;-)

> But yes, signing a new key with the old one is a good idea.

...only if the tools (zypper, yast, rpm) actually accept this "new key 
signed with old one" without crazy warnings ;-)

If they still complain, then we do not win too much (but also will not 
lose anything) by signing the new key with the old one.
-- 
Stefan Seyfried

"For a successful technology, reality must take precedence over
  public relations, for nature cannot be fooled." -- Richard Feynman
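The step discussed above (certifying the new repository key with the old one and seeing whether a consumer who trusts only the old key then trusts the new one) can be exercised at the gpg level before touching OBS or the mirrors. The script below is an added example, not code from the thread, Packman or OBS. It assumes gpg 2.1 or newer (for `--quick-gen-key` and `--quick-sign-key`); the key names, e-mail addresses and the signed file are constructed for the demo. It only reports the trust level gpg's own web-of-trust computation assigns to a signature made with the new key; whether rpm and zypper honour that certification, which is the open question in the thread, is not something this script answers.

```shell
#!/bin/sh
# Added example: rotate a repo signing key by cross-certifying the new key
# with the old one, then check, on a separate "consumer" keyring that only
# trusts the old key, how gpg rates a signature made with the new key.
# Assumes gpg >= 2.1; all names, addresses and files are constructed.
set -eu

# Prints the TRUST_* status gpg reports for a new-key signature on the
# consumer side (TRUST_FULLY when the certification is honoured).
# Prints "skipped" when gpg is not installed, so the demo degrades cleanly.
rotate_and_check() {
    command -v gpg >/dev/null 2>&1 || { echo skipped; return 0; }
    work=$(mktemp -d)                 # short path: gpg-agent sockets live here
    producer="$work/p"; consumer="$work/c"
    mkdir -m 700 "$producer" "$consumer"
    # Non-interactive gpg: no pinentry, empty passphrase for the demo keys.
    G="gpg --batch --yes --pinentry-mode loopback --passphrase"

    # --- producer side: the old key already exists, a new one is created ---
    GNUPGHOME=$producer $G '' --quick-gen-key \
        'Old Repo Key <old@example.invalid>' default default never 2>/dev/null
    GNUPGHOME=$producer $G '' --quick-gen-key \
        'New Repo Key <new@example.invalid>' default default never 2>/dev/null
    old=$(GNUPGHOME=$producer gpg --batch --with-colons --list-keys old@example.invalid \
          | awk -F: '$1=="fpr"{print $10; exit}')
    new=$(GNUPGHOME=$producer gpg --batch --with-colons --list-keys new@example.invalid \
          | awk -F: '$1=="fpr"{print $10; exit}')

    # The step from the thread: certify (sign) the new key with the old one.
    GNUPGHOME=$producer $G '' --local-user "$old" --quick-sign-key "$new" 2>/dev/null

    # Export both public keys; new.asc now carries the old key's certification.
    GNUPGHOME=$producer gpg --batch --armor --export "$old" > "$work/old.asc"
    GNUPGHOME=$producer gpg --batch --armor --export "$new" > "$work/new.asc"

    # Sign some "repository metadata" with the NEW key only.
    echo "constructed repo metadata" > "$work/repomd.xml"
    GNUPGHOME=$producer $G '' --local-user "$new" \
        --detach-sign -o "$work/repomd.xml.asc" "$work/repomd.xml" 2>/dev/null

    # --- consumer side: knows and ultimately trusts only the OLD key ---
    GNUPGHOME=$consumer gpg --batch --import "$work/old.asc" 2>/dev/null
    echo "$old:6:" | GNUPGHOME=$consumer gpg --batch --import-ownertrust 2>/dev/null
    # The new key arrives later (e.g. with a repo refresh) and is merely imported,
    # never marked trusted by hand; its validity must come from the certification.
    GNUPGHOME=$consumer gpg --batch --import "$work/new.asc" 2>/dev/null

    # --status-fd 1 emits machine-readable lines such as "[GNUPG:] TRUST_FULLY 0 pgp".
    trust=$(GNUPGHOME=$consumer gpg --batch --status-fd 1 \
            --verify "$work/repomd.xml.asc" "$work/repomd.xml" 2>/dev/null \
            | awk '$2 ~ /^TRUST_/ {print $2; exit}')

    # Tear down the demo agents and keyrings.
    GNUPGHOME=$producer gpgconf --kill all 2>/dev/null || true
    GNUPGHOME=$consumer gpgconf --kill all 2>/dev/null || true
    rm -rf "$work"
    echo "${trust:-none}"
}

# Usage: prints TRUST_FULLY when gpg accepts the new key via the old key's
# certification; drop the --quick-sign-key step to see it fall to TRUST_UNDEFINED.
rotate_and_check
```

The useful comparison for the thread's question is to run the same round trip with the `--quick-sign-key` step removed: gpg then reports `TRUST_UNDEFINED` for the same signature, which is exactly the "unknown key" situation that makes package tools prompt the user. What rpm and zypper do with an imported key's certifications has to be checked against those tools themselves; this script only establishes that the gpg trust chain is sound.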


