Hi, I tried again to build my python 2 project: https://copr.fedoraproject.org/coprs/hnakamur/hnscl-python2-python/
And this time the RPMs were signed properly! Thanks!

2015-12-25 10:49 GMT+09:00 Hiroaki Nakamura <[email protected]>:
> Hi.
>
> I checked the value for the Signature header of another rpm I built,
> which I can successfully install with yum.
>
> The project page is https://copr.fedoraproject.org/coprs/hnakamur/nodejs/
> I installed the nodejs rpm with the following command.
>
> ```
> $ (cd /etc/yum.repos.d && sudo curl -sLO https://copr.fedoraproject.org/coprs/hnakamur/nodejs/repo/epel-7/hnakamur-nodejs-epel-7.repo)
> $ sudo yum -y install nodejs
> ```
>
> And I checked the value for the Signature header.
>
> ```
> $ rpm -qi nodejs
> Name        : nodejs
> Version     : 4.2.4
> Release     : 1.el7.centos
> Architecture: x86_64
> Install Date: Fri Dec 25 01:42:38 2015
> Group       : Development/Libraries
> Size        : 21159862
> License     : MIT License
> Signature   : RSA/SHA1, Fri Dec 25 01:39:27 2015, Key ID 171a73c11efd624f
> Source RPM  : nodejs-4.2.4-1.el7.centos.src.rpm
> Build Date  : Fri Dec 25 01:39:02 2015
> Build Host  : copr-builder-457549204.novalocal
> Relocations : /usr
> Packager    : Kazuhisa Hara <[email protected]>
> Vendor      : Fedora Project COPR (hnakamur/nodejs)
> URL         : https://nodejs.org
> Summary     : Node.js is a server-side JavaScript environment that uses an asynchronous event-driven model.
> Description :
> Node.js is a server-side JavaScript environment that uses an
> asynchronous event-driven model.
> This allows Node.js to get excellent performance based on the
> architectures of many Internet applications.
> ```
>
> The value of the Signature header is "RSA/SHA1, Fri Dec 25 01:39:27
> 2015, Key ID 171a73c11efd624f",
> which is different from the value of "(none)" for
> hn-python2-python-libs as I wrote in my previous mail.
>
> Why did the difference happen?
>
>
> 2015-12-25 1:10 GMT+09:00 Hiroaki Nakamura <[email protected]>:
>> Hi.
>>
>> I read the yum source code.
>>
>> The message 'Package xxx is not signed' is printed at line 2175 of
>> yum/__init__.py.
>>
>> http://yum.baseurl.org/gitweb?p=yum.git;a=blob;f=yum/__init__.py;h=99039e0ecdbcfcec25ab6084b0a92333bbc4f03a;hb=02a6d7ad9752e67812460a67400826313bbc5326#l2146
>>
>> ```
>> 2146             ts = self.rpmdb.readOnlyTS()
>> 2147             sigresult = rpmUtils.miscutils.checkSig(ts, po.localPkg())
>> 2148             localfn = os.path.basename(po.localPkg())
>> 2149
>> 2150             if sigresult == 0:
>> 2151                 result = 0
>> 2152                 msg = ''
>> 2153
>> 2154             elif sigresult == 1:
>> 2155                 if hasgpgkey:
>> 2156                     result = 1
>> 2157                 else:
>> 2158                     result = 2
>> 2159                 msg = _('Public key for %s is not installed') % localfn
>> 2160
>> 2161             elif sigresult == 2:
>> 2162                 result = 2
>> 2163                 msg = _('Problem opening package %s') % localfn
>> 2164
>> 2165             elif sigresult == 3:
>> 2166                 if hasgpgkey:
>> 2167                     result = 1
>> 2168                 else:
>> 2169                     result = 2
>> 2170                 result = 1
>> 2171                 msg = _('Public key for %s is not trusted') % localfn
>> 2172
>> 2173             elif sigresult == 4:
>> 2174                 result = 2
>> 2175                 msg = _('Package %s is not signed') % localfn
>> ```
>>
>> The case where the return value of checkSig is 4 is at line 88 in
>> rpmUtils/miscutils.py.
>>
>> http://yum.baseurl.org/gitweb?p=yum.git;a=blob;f=rpmUtils/miscutils.py;h=aea455082c91c51bcc5986174c2bd1f699ff1d94;hb=02a6d7ad9752e67812460a67400826313bbc5326#l61
>>
>> ```
>>  61 def checkSig(ts, package):
>>  62     """Takes a transaction set and a package, check it's sigs,
>>  63     return 0 if they are all fine
>>  64     return 1 if the gpg key can't be found
>>  65     return 2 if the header is in someway damaged
>>  66     return 3 if the key is not trusted
>>  67     return 4 if the pkg is not gpg or pgp signed"""
>>  68
>>  69     value = 0
>>  70     currentflags = ts.setVSFlags(0)
>>  71     fdno = os.open(package, os.O_RDONLY)
>>  72     try:
>>  73         hdr = ts.hdrFromFdno(fdno)
>>  74     except rpm.error, e:
>>  75         if str(e) == "public key not availaiable":
>>  76             value = 1
>>  77         if str(e) == "public key not available":
>>  78             value = 1
>>  79         if str(e) == "public key not trusted":
>>  80             value = 3
>>  81         if str(e) == "error reading package header":
>>  82             value = 2
>>  83     else:
>>  84         error, siginfo = getSigInfo(hdr)
>>  85         if error == 101:
>>  86             os.close(fdno)
>>  87             del hdr
>>  88             value = 4
>>  89         else:
>>  90             del hdr
>>  91
>>  92     try:
>>  93         os.close(fdno)
>>  94     except OSError, e: # if we're not opened, don't scream about it
>>  95         pass
>>  96
>>  97     ts.setVSFlags(currentflags) # put things back like they were before
>>  98     return value
>>  99
>> 100 def getSigInfo(hdr):
>> 101     """checks signature from an hdr hand back signature information and/or
>> 102     an error code"""
>> 103
>> 104     locale.setlocale(locale.LC_ALL, 'C')
>> 105     string = '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'
>> 106     siginfo = hdr.sprintf(string)
>> 107     if siginfo != '(none)':
>> 108         error = 0
>> 109         sigtype, sigdate, sigid = siginfo.split(',')
>> 110     else:
>> 111         error = 101
>> 112         sigtype = 'MD5'
>> 113         sigdate = 'None'
>> 114         sigid = 'None'
>> 115
>> 116     infotuple = (sigtype, sigdate, sigid)
>> 117     return error, infotuple
>> ```
>>
>> The case when checkSig returns 4 corresponds to line 111 above.
>>
>> I ran rpm -qi to see the rpm information and I found the value of the
>> 'Signature' field is '(none)'. Is it OK?
>>
>> ```
>> $ rpm -qi -p /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
>> Name        : hn-python2-python-libs
>> Version     : 2.7.11
>> Release     : 3.el7.centos
>> Architecture: x86_64
>> Install Date: (not installed)
>> Group       : Applications/System
>> Size        : 27548758
>> License     : Python
>> Signature   : (none)
>> Source RPM  : hn-python2-python-2.7.11-3.el7.centos.src.rpm
>> Build Date  : Wed Dec 23 06:45:59 2015
>> Build Host  : copr-builder-27528630.novalocal
>> Relocations : (not relocatable)
>> Vendor      : Fedora Project COPR (hnakamur/hnscl-python2-python)
>> URL         : http://www.python.org/
>> Summary     : Runtime libraries for Python
>> Description :
>> This package contains runtime libraries for use by Python:
>> - the libpython dynamic library, for use by applications that embed Python as
>> a scripting language, and by the main "python" executable
>> - the Python standard library
>> ```
>>
>> On the other hand, rpm -K prints 'md5 OK' on this rpm.
>>
>> ```
>> $ rpm -K /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
>> /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: sha1 md5 OK
>> ```
>>
>> Best regards,
>> Hiroaki Nakamura
>>
>>
>> 2015-12-23 23:30 GMT+09:00 Hiroaki Nakamura <[email protected]>:
>>> Hi,
>>>
>>> 2015-12-23 18:14 GMT+09:00 Patrick Uiterwijk <[email protected]>:
>>>> Hi,
>>>>
>>>> The latest build of your package is correctly signed:
>>>> hn-python2-python-test-2.7.11-3.el7.centos.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#1256a871)
>>>
>>> Thanks for pointing me out.
>>>
>>> I installed gpg keys manually with the following commands.
>>>
>>> $ sudo curl -sL -o /etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/pubkey.gpg
>>> $ sudo curl -sL -o /etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/pubkey.gpg
>>> $ sudo rpm --import /etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg
>>> $ sudo rpm --import /etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg
>>>
>>> And I confirmed python-libs rpm is signed.
>>>
>>> $ rpm -K hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
>>> hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
>>>
>>> However I still got the 'is not signed' error with yum install.
>>>
>>> $ sudo yum install -y -v hn-python2-python
>>> Loading "fastestmirror" plugin
>>> Config time: 0.008
>>> Yum version: 3.4.3
>>> ...(snip)...
>>> Package hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm is not signed
>>> $ echo $?
>>> 1
>>>
>>> I edited my *.repo files to use file:/// url for gpgkey instead of
>>> https:// urls, still no luck.
>>>
>>> $ cat /etc/yum.repos.d/hnakamur-hnscl-python2.repo
>>> [hnakamur-hnscl-python2]
>>> name=Copr repo for hnscl-python2 owned by hnakamur
>>> baseurl=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/epel-7-$basearch/
>>> skip_if_unavailable=True
>>> gpgcheck=1
>>> #gpgkey=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/pubkey.gpg
>>> gpgkey=file:///etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg
>>> enabled=1
>>> enabled_metadata=1
>>> $ cat /etc/yum.repos.d/hnakamur-hnscl-python2-python.repo
>>> [hnakamur-hnscl-python2-python]
>>> name=Copr repo for hnscl-python2-python owned by hnakamur
>>> baseurl=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/epel-7-$basearch/
>>> skip_if_unavailable=True
>>> gpgcheck=1
>>> #gpgkey=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/pubkey.gpg
>>> gpgkey=file:///etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg
>>> enabled=1
>>> enabled_metadata=1
>>>
>>> As a workaround, I confirmed I can install my rpms with yum --nogpgcheck
>>> option.
>>>
>>> $ sudo yum install -y --nogpgcheck hn-python2-python
>>>
>>> However I'd like to install rpm without --nogpgcheck option.
>>> Could you give some advice?
>>>
>>> Best regards,
>>> Hiroaki Nakamura
>>>
>>>
>>>>
>>>> Please note that the very first build in a COPR is not always signed due
>>>> to a bug (or at least, used to be), but any further builds should be
>>>> signed.
>>>>
>>>> With kind regards,
>>>> Patrick Uiterwijk
>>>> Fedora Infra
>>>>
>>>> ----- Original Message -----
>>>>> Hello.
>>>>>
>>>>> How to make sure rpms to be signed on copr?
>>>>>
>>>>> I tried to build my Python2 rpm. It was built successfully but it was
>>>>> not signed.
>>>>> https://copr.fedoraproject.org/coprs/hnakamur/hnscl-python2-python/
>>>>>
>>>>> I built other rpms and they are signed.
>>>>> https://copr.fedoraproject.org/coprs/hnakamur/varnish-head/
>>>>> https://copr.fedoraproject.org/coprs/hnakamur/libvmod-header/
>>>>>
>>>>> I don't know why my Python2 rpm was not signed.
>>>>> I'd like to know the way to make sure rpms are signed on copr.
>>>>>
>>>>>
>>>>> By the way, thanks for a great service like copr!
>>>>> It is very useful!
>>>>>
>>>>> Best regards,
>>>>> Hiroaki Nakamura
>>>>> _______________________________________________
>>>>> copr-devel mailing list
>>>>> [email protected]
>>>>> https://lists.fedorahosted.org/admin/lists/[email protected]
>>>>>
>>>> _______________________________________________
>>>> copr-devel mailing list
>>>> [email protected]
>>>> https://lists.fedorahosted.org/admin/lists/[email protected]
>>>
>>>
>>>
>>> --
>>> Hiroaki Nakamura ([email protected])
>>
>>
>>
>> --
>> Hiroaki Nakamura ([email protected])
>
>
>
> --
> Hiroaki Nakamura ([email protected])

--
Hiroaki Nakamura ([email protected])
_______________________________________________
copr-devel mailing list
[email protected]
https://lists.fedorahosted.org/admin/lists/[email protected]
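
Added example, not part of the original mails and not yum or rpm code: a small Python 3 reader for the RPM signature header that applies the same tag test as the quoted `getSigInfo`, which shows how a package carrying only digests can report "sha1 md5 OK" under `rpm -K` and still be treated as not signed. The tag numbers are rpm's signature-header tags; `build_sample` and its inputs are constructed for illustration.

```python
import struct
import sys

LEAD_SIZE = 96                      # fixed-size RPM lead precedes the signature header
LEAD_MAGIC = b"\xed\xab\xee\xdb"
HEADER_MAGIC = b"\x8e\xad\xe8\x01"  # header magic (3 bytes) + version (1 byte)
# Signature-header tag numbers as defined by rpm.
SIG_TAGS = {267: "DSAHEADER", 268: "RSAHEADER", 1002: "SIGPGP", 1005: "SIGGPG"}
DIGEST_TAGS = {269: "SHA1HEADER", 1004: "SIGMD5"}

def signature_tags(data):
    """Return the set of tag numbers found in the signature header index."""
    if data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM file (bad lead magic)")
    intro = data[LEAD_SIZE:LEAD_SIZE + 16]
    if len(intro) < 16 or intro[:4] != HEADER_MAGIC:
        raise ValueError("signature header missing or damaged")
    nindex, _store_size = struct.unpack(">II", intro[8:16])
    index = data[LEAD_SIZE + 16:LEAD_SIZE + 16 + 16 * nindex]
    if len(index) != 16 * nindex:
        raise ValueError("truncated signature header index")
    # Each index entry is (tag, type, offset, count), all big-endian uint32.
    return {struct.unpack(">IIII", index[i:i + 16])[0]
            for i in range(0, len(index), 16)}

def classify(data):
    """Mirror getSigInfo's decision: signed only if a DSA/RSA/GPG/PGP tag exists."""
    tags = signature_tags(data)
    sigs = sorted(SIG_TAGS[t] for t in tags if t in SIG_TAGS)
    digests = sorted(DIGEST_TAGS[t] for t in tags if t in DIGEST_TAGS)
    return {"signed": bool(sigs), "signatures": sigs, "digests": digests}

def build_sample(tag_numbers):
    """Constructed input: a lead plus a signature header holding the given tags."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    store = b"\x00" * (16 * len(tag_numbers))
    entries = b"".join(struct.pack(">IIII", tag, 7, i * 16, 16)  # 7 = binary type
                       for i, tag in enumerate(tag_numbers))
    intro = HEADER_MAGIC + b"\x00" * 4 + struct.pack(">II", len(tag_numbers), len(store))
    return lead + intro + entries + store

if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as f:
            print(path, classify(f.read(65536)))
```

Run against a downloaded package file, a result with `signed` false and non-empty `digests` corresponds to the `Signature : (none)` case in the thread.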
