[packman] Package availability, was: Re: signing seems to hang somewhere

Stefan Botter jsj at jsj.dyndns.org
Sat Feb 27 08:11:21 CET 2021


Hi all,

as I have feared, there are problems with publishing of packages.

On Wednesday, 24.02.2021, at 16:25 +0100, Stefan Botter wrote:
> Yes, I can confirm this problem. It is connected with the expired GPG
> key - and probably with something I fscked meanwhile.
> 
> I have been trying for a while now, and could be the Multimedia project
> to sign. There might be a problem with
> - other projects/repositories, and
> - publishing to the packman server

Exactly that happened.
This is caused by the unique way we publish built packages to the
repositories, which are synced to the mirrors:
PMBS builds packages (the regular OBS way) and signs them with the
respective repository key. Once all packages for a repo are built, the
repo gets published - and here we sync them to packman.links2linux.de.
There is a publishing mechanism, which re-signs the packages with the
official packman key, puts entries in the database backing the website
and creates the repositories for the mirrors.

For security reasons the re-signing step checks the signatures, with
which the packages arrive. There is a positive-list, and only signatures
on that list are considered "okay" for re-signing and publishing.

As I wrote last Wednesday, the ultimate problem was the expired PMBS
key, which in turn signs the publishing keys for PMBS's repos, and I had
to recreate the key for the Multimedia repo. 
This key has changed, and re-signing at packman.links2linux.de fails,
and the packages are not published to the mirrors.

There are two possible ways to fix this:
1. allow the actual Multimedia repo key to be accepted on
packman.links2linux.de
2. reinstate the old Multimedia repo key on PMBS.

The first option needs an action on packman.links2linux.de -> I have to
ask Marc to do the change (he is busy ATM, and this may take a while).

The second option may work, as I have backups, and the Open Build
Service keeps such information. I have read somewhere, that manually
forcing a pre-existing key in a build service instance, but do not know
- how to do that (probably something with obs_admin), and
- if this will succeed.

Anyway, the packages will resurface, but it may take time.
I will announce a downtime for PMBS in my next mail, and can face the
repo-key issue after I have moved PMBS to its new home at the hosted
server.


Greetings,

Stefan
-- 
Stefan Botter zu Hause
Bremen
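
An added example, not part of the original message and not PMBS or Packman code: a minimal positive-list gate of the kind described above, assuming the incoming signature check is reported as GnuPG `--status-fd` lines. The fingerprints and status lines are constructed placeholders; the sample cases show why a recreated repo key is refused until its fingerprint is added to the list, and why an expired key is refused even when it is listed.

```python
# Added illustration; the real publishing mechanism is not shown on this page.
# Assumption: each package's verification result is GnuPG --status-fd text.

# Constructed positive-list of repo-key fingerprints (placeholder value).
ALLOWED_FPRS = {"A" * 40}  # hypothetical fingerprint of the old repo key

# Status keywords that block re-signing even if the fingerprint is listed.
FATAL = {"BADSIG", "ERRSIG", "EXPSIG", "EXPKEYSIG", "REVKEYSIG", "NO_PUBKEY"}


def check_signature(status_text, allowed=ALLOWED_FPRS):
    """Return (ok, reason) for one package's verification status output."""
    fingerprints = []
    for line in status_text.splitlines():
        fields = line.split()
        if len(fields) < 2 or fields[0] != "[GNUPG:]":
            continue
        keyword = fields[1]
        if keyword in FATAL:
            return False, "rejected: " + keyword
        if keyword == "VALIDSIG" and len(fields) > 2:
            fingerprints.append(fields[2].upper())
    if not fingerprints:
        return False, "rejected: no valid signature"
    if len(fingerprints) > 1:
        return False, "rejected: more than one signature"
    if fingerprints[0] not in allowed:
        return False, "rejected: signer not on positive-list"
    return True, "ok"


def _status(fpr, extra=""):
    """Build a constructed status transcript for a signature made by fpr."""
    return (extra + "[GNUPG:] GOODSIG " + fpr[-16:] + " Constructed Repo Key\n"
            "[GNUPG:] VALIDSIG " + fpr + " 2021-02-20 1613800000 0 4 0 1 8 00 "
            + fpr + "\n")


# Constructed sample inputs.
OLD_KEY = _status("A" * 40)   # key the publishing host already accepts
NEW_KEY = _status("B" * 40)   # recreated repo key, not yet on the list
EXPIRED = _status("A" * 40, "[GNUPG:] EXPKEYSIG " + "A" * 16 + " Constructed\n")

if __name__ == "__main__":
    for name, text in [("old", OLD_KEY), ("new", NEW_KEY),
                       ("expired", EXPIRED), ("unsigned", "")]:
        print(name, check_signature(text))
```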