Hi, I have planned outage for copr-keygen on Tuesday. It did not went well, so here is post-mortem for those interested in.
Copr-keygen machine was Fedora 21 so we wanted to upgrade it to some supported version of Fedora. I did the upgrade of dev machine and it went well so I moved to production machine. Well, after upgrade of production machine to Fedora 23 it did not worked. I was getting error: files-are-digests doesn't work with v4 sigs I compared the dev and producton machines, but they were identical. I even tried downgrade to Fedora 22 (which is still supported), but it did not worked too. So I had to dive into source code. Code of copr-keygen, obs-signd and finally gnupg2 where I find that option --force-v3-sigs is (since gnupg 2.1) silently ignored. I took gnupg2 from Fedora21 (latest with 2.0.x version of gnupg), rebuilt it for Fedora 22 and tried. Fortunately it worked. I put gnupg2 to protected packages on copr-keygen so the situation is stabilized for now. I notified obs guys about this situation, but I'm afraid that they still use gnupg 2.0.x so we are first who hit this problem. In the mean time if you are running your own instance of Copr (I'm looking at you Pavel) be careful when upgrading keygen machine. We need to solve it somehow in the near future. The options are backport --force-v3-sigs into gnupg2 (unlikely) or add support for v4 into obs-sign. BTW why it worked on dev machine? I'm still not 100% sure, but I suspect the data. Dev machine is always completly wiped, including old keys. While old keys are preserved on production machine. -- Miroslav Suchy, RHCA Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys _______________________________________________ copr-devel mailing list [email protected] https://lists.fedorahosted.org/admin/lists/[email protected]
