Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package suse-build-key for openSUSE:Factory 
checked in at 2026-03-20 21:20:01
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/suse-build-key (Old)
 and      /work/SRC/openSUSE:Factory/.suse-build-key.new.8177 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "suse-build-key"

Fri Mar 20 21:20:01 2026 rev:50 rq:1341188 version:12.0

Changes:
--------
--- /work/SRC/openSUSE:Factory/suse-build-key/suse-build-key.changes    
2025-07-11 21:34:05.714915679 +0200
+++ /work/SRC/openSUSE:Factory/.suse-build-key.new.8177/suse-build-key.changes  
2026-03-20 21:20:30.207238304 +0100
@@ -1,0 +2,12 @@
+Thu Mar 19 15:36:05 UTC 2026 - Marcus Meissner <[email protected]>
+
+- add the auto import framework
+
+-------------------------------------------------------------------
+Thu Mar 19 13:32:56 UTC 2026 - Marcus Meissner <[email protected]>
+
+- Added post quantum cryptographic keys for SLES 15 and SLES 16.
+  - build-pqc-15.pem
+  - build-pqc-16.pem
+
+-------------------------------------------------------------------

New:
----
  build-pqc-15.pem
  build-pqc-16.pem
  import-suse-build-key
  suse-build-key-import.service
  suse-build-key-import.timer

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ suse-build-key.spec ++++++
--- /var/tmp/diff_new_pack.pu9DEV/_old  2026-03-20 21:20:31.007271634 +0100
+++ /var/tmp/diff_new_pack.pu9DEV/_new  2026-03-20 21:20:31.007271634 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package suse-build-key
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2026 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -70,6 +70,20 @@
 #uid                             ALP Package Signing Key (reserve key) 
<[email protected]>
 Source6:        gpg-pubkey-73f03759-626bd414.asc
 
+#
+# ML-DSA 87 key for SLES 15
+#       Subject: CN=SUSE Linux Enterprise 15 Build PQC Key, C=DE, L=Nuremberg, 
O=SUSE Software Solutions Germany GmbH, OU=Build Team, 
[email protected]
+#           Not Before: Feb  9 14:48:46 2026 GMT
+#           Not After : Aug  2 14:48:46 2031 GMT
+Source11:       build-pqc-15.pem
+#
+# ML-DSA 87 key for SLES 15
+#       Subject: CN=SUSE Linux Enterprise 16 Build PQC Key, C=DE, L=Nuremberg, 
O=SUSE Software Solutions Germany GmbH, OU=Build Team, 
[email protected]
+#           Not Before: Feb  9 14:35:33 2026 GMT
+#           Not After : Aug  2 14:35:33 2031 GMT
+#
+Source12:       build-pqc-16.pem
+
 # new 4096 bit SLES container key.
 #pub   rsa4096/0x100CEB438FD6C337 2023-01-19 [SC] [expires: 2027-01-18]
 #      Key fingerprint = 2BFA 4649 1A1C FFA8 31EF  C4B6 100C EB43 8FD6 C337
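Review bot: The comment block above `Source12: build-pqc-16.pem` is headed `# ML-DSA 87 key for SLES 15`, although the Subject it quotes is the SUSE Linux Enterprise 16 Build PQC Key; it looks copy-pasted from the Source11 block and should read `# ML-DSA 87 key for SLES 16`. The GPG entries in this file record a `Key fingerprint =` line, but the two certificate comments carry only Subject and validity dates, so a reader cannot compare the shipped PEM against a published value. Adding a line such as `#       SHA-256 fingerprint: <fingerprint of build-pqc-16.pem>` to each block would restore that check.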
@@ -98,10 +112,15 @@
 Source99:       security_at_suse_de.asc
 
 Source100:      dumpsigs
+Source101:      import-suse-build-key
+Source102:      suse-build-key-import.service
+Source103:      suse-build-key-import.timer
+
 
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 %define keydir  %{_prefix}/lib/rpm/gnupg/keys
+%define pqkeydir  %{_prefix}/lib/rpm/pqkeys
 %define containerkeydir  %{_prefix}/share/container-keys/
 %define pemcontainerkeydir  %{_prefix}/share/pki/containers/
 
@@ -142,6 +161,12 @@
 install -m 755 %{SOURCE100} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
 %endif
 
+# copy PQC certs
+install -d -m 755 $RPM_BUILD_ROOT/%pqkeydir
+install -c -m 644 %{SOURCE11} $RPM_BUILD_ROOT/%pqkeydir
+install -c -m 644 %{SOURCE12} $RPM_BUILD_ROOT/%pqkeydir
+
+# copy container certs, to both dirs
 install -d -m 755 $RPM_BUILD_ROOT%{containerkeydir}/
 install -c -m 644 %{SOURCE3} 
$RPM_BUILD_ROOT%{containerkeydir}/suse-container-key-old.asc
 install -c -m 644 %{SOURCE7} 
$RPM_BUILD_ROOT%{containerkeydir}/suse-container-key.asc
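Review bot: The two certificates are installed into `%pqkeydir`, but nothing on this page consumes them: the new `import-suse-build-key` helper only loops over `/usr/lib/rpm/gnupg/keys/gpg-pubkey-*.asc`. The `# copy PQC certs` comment should say what is expected to read that directory, for example `# copy PQC certs; shipped for reference, not imported by import-suse-build-key`, if that is the intent. The new install lines also write `$RPM_BUILD_ROOT/%pqkeydir` while the neighbouring lines use `$RPM_BUILD_ROOT%{containerkeydir}`; `$RPM_BUILD_ROOT%{pqkeydir}` would match that style and avoid the doubled slash.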
@@ -150,11 +175,33 @@
 install -c -m 644 %{SOURCE10} 
$RPM_BUILD_ROOT%{pemcontainerkeydir}/suse-container-key-old.pem
 install -c -m 644 %{SOURCE8} 
$RPM_BUILD_ROOT%{pemcontainerkeydir}/suse-container-key.pem
 
+mkdir -p $RPM_BUILD_ROOT/usr/bin/
+mkdir -p $RPM_BUILD_ROOT/var/lib/suse-build-key
+install -m 755 %{SOURCE101} $RPM_BUILD_ROOT/usr/bin/import-suse-build-key
+mkdir -p $RPM_BUILD_ROOT/%_unitdir
+install -m 644 %{SOURCE102} $RPM_BUILD_ROOT/%_unitdir
+install -m 644 %{SOURCE103} $RPM_BUILD_ROOT/%_unitdir
+
+%post
+touch /var/lib/%{name}/imported
+%service_add_post suse-build-key-import.service suse-build-key-import.timer
+test -x /usr/bin/systemctl && systemctl enable suse-build-key-import.timer && 
systemctl start suse-build-key-import.timer || true
+
+%pre
+%service_add_pre suse-build-key-import.service suse-build-key-import.timer
+
+%preun
+%service_del_preun suse-build-key-import.service suse-build-key-import.timer
+
+%postun
+%service_del_postun suse-build-key-import.service suse-build-key-import.timer
+
 %files
 %defattr(644,root,root)
 %doc security_at_suse_de.asc
 %attr(755,root,root) %dir %{_prefix}/lib/rpm/gnupg
 %attr(755,root,root) %dir %{keydir}
+%attr(755,root,root) %dir %{pqkeydir}
 %attr(755,root,root) %dir %{containerkeydir}
 %if 0%{?suse_version} &&  0%{?suse_version} < 1120
 %attr(755,root,root) %{_prefix}/lib/rpm/gnupg/dumpsigs
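Review bot: The `%post` line `test -x /usr/bin/systemctl && systemctl enable suse-build-key-import.timer && systemctl start suse-build-key-import.timer || true` enables the timer unconditionally right after `%service_add_post`, which would presumably override a preset that keeps the timer disabled, and the `a && b && c || true` chain hides every failure. Because `touch /var/lib/%{name}/imported` also runs on every install and upgrade, each package update re-arms the import, and the helper then adds any shipped key that `rpm -q` does not find, including one an administrator removed from the RPM database on purpose. If that is intended it deserves a comment above the `touch`, for example `# re-arm the key import on every install/upgrade; keys removed from the rpmdb are imported again`.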
@@ -162,10 +209,17 @@
 %{keydir}/gpg-pubkey-*.asc
 %{keydir}/suse_ptf_4096_key.asc
 %{keydir}/suse_ptf_key.asc
+%{pqkeydir}/build-pqc-15.pem
+%{pqkeydir}/build-pqc-16.pem
 %{containerkeydir}/suse-container-key.asc
 %{containerkeydir}/suse-container-key-old.asc
 %dir /usr/share/pki/
 %dir %{pemcontainerkeydir}/
 %{pemcontainerkeydir}/suse-container-key.pem
 %{pemcontainerkeydir}/suse-container-key-old.pem
+%attr(755,root,root) %_bindir/import-suse-build-key
+%dir /var/lib/%{name}
+%ghost /var/lib/%{name}/imported
+%_unitdir/suse-build-key-import.service
+%_unitdir/suse-build-key-import.timer
 








++++++ import-suse-build-key ++++++
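#!/bin/sh
#
# Import the GPG public keys shipped under /usr/lib/rpm/gnupg/keys into the
# RPM database. Started by suse-build-key-import.service.
#
# Trust note: every file matching gpg-pubkey-*.asc in that directory becomes
# a trusted package-signing key, so the directory must stay writable by root
# only. A key that is missing from the RPM database but still present in the
# directory is imported again whenever this script runs.
#
# The trigger file means "an import is still pending": it is removed at the
# start of a run and re-created when an import fails, so that a later run
# retries.
triggerfile=/var/lib/suse-build-key/imported

# If zypp is running we would get into lock conflicts, and zypper might die
# unexpectedly. Exit successfully and leave the trigger file untouched.
# NOTE(review): only a non-empty pid file is tested, not whether that process
# is still alive; a stale file would postpone the import for as long as it
# exists -- confirm how /run/zypp.pid is cleaned up.
if [ -s /run/zypp.pid ]; then
        echo "Aborted, zypper is running"
        exit 0
fi

# First remove the trigger file; it is re-created below if an import fails.
# NOTE(review): if the script is interrupted after this point the trigger is
# gone and nothing re-creates it until the package's %post touches it again.
rm -f -- "$triggerfile"

# The import might fail if something has locked the RPM database. In that
# case we retry again on next boot or so.
for KFN in /usr/lib/rpm/gnupg/keys/gpg-pubkey-*.asc; do
    # When the glob matches nothing, the shell hands the pattern through
    # unchanged; skip that non-existent path.
    if [ ! -e "$KFN" ]; then
        continue
    fi

    # rpm -q on the file name minus ".asc" is used to detect keys that are
    # already in the RPM database.
    KEY=$(basename "$KFN" .asc)
    if rpm -q "$KEY" >/dev/null; then
        continue
    fi

    echo "Importing $KEY to rpm database"
    rpm --import "$KFN" || touch "$triggerfile"
done

# If every import went through (no trigger file), stop and disable the timer.
# Two separate tests replace the obsolescent "-a" operator of test(1).
if [ ! -f "$triggerfile" ] && [ -x /usr/bin/systemctl ]; then
        systemctl stop suse-build-key-import.timer
        systemctl disable suse-build-key-import.timer
fi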

++++++ suse-build-key-import.service ++++++
# Runs the key import helper once per activation. There is no [Install]
# section here; activation comes from suse-build-key-import.timer.
[Unit]
Description=Import new SUSE RPM signing keys
# Skip the unit (without marking it failed) unless the trigger file exists.
ConditionPathExists=/var/lib/suse-build-key/imported
After=local-fs.target

[Service]
# oneshot: systemd waits for the script to exit before the unit is done.
Type=oneshot
# NOTE(review): no User= or sandboxing directive is set, so the script runs
# with the default privileges of a system service (root); it adds keys to the
# RPM trust store, so the script and the key directory must be root-only.
ExecStart=/usr/bin/import-suse-build-key

++++++ suse-build-key-import.timer ++++++
# Periodically activates suse-build-key-import.service (no Unit= is given, so
# the timer triggers the service with the same base name).
[Unit]
Description=Timer to import new SUSE RPM signing keys

[Timer]
# Fire one hour after boot and at the start of every hour after that. The
# import helper stops and disables this timer once all imports succeeded.
OnBootSec=1h
OnCalendar=hourly

[Install]
# Enabling the timer hooks it into timers.target.
WantedBy=timers.target
