[packman] Packman signing keys will expire...

Manfred Hollstein manfred.h at gmx.net
Tue Jun 17 21:21:36 CEST 2025 

Hi Stefan,

On Tue, 17 Jun 2025, 20:25:08 +0200, Stefan Seyfried wrote:
> Hi Manfred,
> 
> Am 17.06.25 um 14:05 schrieb Manfred Hollstein:
> > Hi there,
> > 
> > $ sudo zypper ref
> > ...
> > The gpg key signing file 'repomd.xml' will expire in 14 days.
> >    Repository:       packman-multimedia.obs
> >    Key Fingerprint:  5302 7CA5 85A8 0281 6CB3 B2C3 CB78 7E2A 6058 7B34
> >    Key Name:         Multimedia OBS Project <Multimedia at packman.links2linux.de>
> >    Key Algorithm:    RSA 2048
> >    Key Created:      Mon Apr 24 12:51:59 2023
> >    Key Expires:      Wed Jul  2 12:51:59 2025 (expires in 14 days)
> >    Rpm Name:         gpg-pubkey-60587b34-64465f4f
> > ...
> > The gpg key signing file 'repomd.xml' will expire in 12 days.
> >    Repository:       packman.obs
> >    Key Fingerprint:  52B1 F263 223D 311D 1FD0 4140 9045 A001 6946 124B
> >    Key Name:         Essentials OBS Project <Essentials at packman.links2linux.de>
> >    Key Algorithm:    RSA 2048
> >    Key Created:      Fri Apr 21 18:03:43 2023
> >    Key Expires:      Sun Jun 29 18:03:43 2025 (expires in 12 days)
> >    Rpm Name:         gpg-pubkey-6946124b-6442b3df
> > 
> > Dunno who can update the keys, but thought I'd report this.
> 
> Obs auto-extends these keys normally, and at least the essentials key seems
> to be extended already:
> 
> $ posc signkey Essentials|gpg
> gpg: WARNING: no command supplied.  Trying to guess what you mean ...
> pub   rsa2048 2014-05-15 [SC] [expires: 2027-08-25]
>       52B1F263223D311D1FD041409045A0016946124B
> uid           Essentials OBS Project <Essentials at packman.links2linux.de>
> 
> Multimedia is not yet:
> $ posc signkey Multimedia|gpg
> gpg: WARNING: no command supplied.  Trying to guess what you mean ...
> pub   rsa2048 2014-05-15 [SC] [expires: 2025-07-02]
>       53027CA585A802816CB3B2C3CB787E2A60587B34
> uid           Multimedia OBS Project <Multimedia at packman.links2linux.de>

OK, this is really good!

> But what repo URLs do you use to get the "raw" packman repos? Normally the
> repos (and packages) are re-sigened with this key:

http://pmbs.links2linux.de:8080/Essentials/$releasever/
http://pmbs.links2linux.de:8080/Multimedia/$releasever/
http://pmbs.links2linux.de:8080/Extra/$releasever/

> pub   rsa4096 2006-09-18 [SC] [expires: 2026-09-03]
>       F8875B880D518B6B8C530D1345A1D0671ABD1AFB
> uid           PackMan Project (signing key) <packman at links2linux.de>
> 
> before being sent to the mirrors...

Yep, I pull the stuff directly from PMBS...

> Best regards,
> -- 
> Stefan Seyfried

Cheers, l8er

manfred
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: not available
URL: <http://lists.links2linux.de/pipermail/packman/attachments/20250617/c146f34d/attachment.sig>

More information about the Packman mailing list