On 2012-03-08 09:10:40 (+0100), Ludwig Nussel <[email protected]> wrote:
> Pascal Bleser wrote:
> > On 2012-03-06 16:03:01 (+0100), Ludwig Nussel <[email protected]> wrote:
> >> Ismail Dönmez wrote:
> >>> Just use osc build --no-verify
> >> Well, that's a workaround but not the solution.
> >> osc just fetches the _pubkey of every involved project. Looks like
> >> pmbs doesn't return the key used for top level projects. That needs to
> >> be fixed at server side.
> > Like.. how? Is it an OBS bug?
> > If it isn't, I don't even know where to start looking, we didn't
> > patch anything on the key serving.
> Your build service instance likely signs packages with the default key.
> According to Adrian this is considered a misconfiguration. Each project
> is supposed to have its own key. In fact when creating a new project
> obs generates a key automatically. As Admin you can copy the same key
> into multiple projects though.
> So just copy the public key of your signing key as '_pubkey' file into
> the project directories on the server.

We did create the projects (obviously), but I suppose that older OBS
versions didn't create those per-project keys then.

Indeed, our toplevel projects (Essentials, Multimedia, Games, Extra) do
_not_ have a _pubkey file in projects/*/

Any idea where the default key is stored?

On a side note, we actually do recrypt the packages before they are
published on the Packman FTP tree. We verify the key they have been
signed with in OBS, then unsign them, then sign them again with an
RSA 4096, and then they are pushed to the tree.
Reason is that the RSA 4096 is kept on a strongly secured host with
selinux etc...

cheers
-- 
  -o) Pascal Bleser
  /\\ http://opensuse.org -- we haz green
 _\_v http://fosdem.org   -- we haz conf
_______________________________________________
Packman mailing list
[email protected]
http://lists.links2linux.de/cgi-bin/mailman/listinfo/packman
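A read-only audit of the situation described in the message above, added here as an example (it is not part of the original post and not OBS code): it lists projects that have no `_pubkey` file and counts how many distinct key files the remaining projects use. The layout (one subdirectory per project under the directory passed in) follows the `projects/*/` wording of the message; the function names and the sample tree are constructed for illustration.

```shell
#!/bin/sh
# Audit a projects directory for missing or shared _pubkey files.
# Assumption: every project is a direct subdirectory of the given root.

# Print one line per project: "MISSING <project>" when _pubkey is absent
# or empty, otherwise "<sha256-of-_pubkey> <project>".
audit_pubkeys() {
    root=$1
    for dir in "$root"/*/; do
        [ -d "$dir" ] || continue
        name=$(basename "$dir")
        if [ -s "$dir/_pubkey" ]; then
            digest=$(sha256sum "$dir/_pubkey" | cut -d' ' -f1)
            printf '%s %s\n' "$digest" "$name"
        else
            printf 'MISSING %s\n' "$name"
        fi
    done
}

# Number of projects for which clients cannot fetch a project key.
count_missing() {
    audit_pubkeys "$1" | awk '$1 == "MISSING" { n++ } END { print n + 0 }'
}

# Number of distinct key files in use; fewer keys than keyed projects
# means one key file was copied into several projects.
count_distinct_keys() {
    audit_pubkeys "$1" | awk '$1 != "MISSING" { print $1 }' | sort -u |
        awk 'END { print NR }'
}

# Constructed sample tree: two top-level projects without _pubkey, two
# demo projects sharing one key file, one demo project with its own.
# The file contents are placeholder text, not real keys.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir "$d/Essentials" "$d/Multimedia" "$d/DemoA" "$d/DemoB" "$d/DemoC"
    printf 'placeholder key one\n' > "$d/DemoA/_pubkey"
    printf 'placeholder key one\n' > "$d/DemoB/_pubkey"
    printf 'placeholder key two\n' > "$d/DemoC/_pubkey"
    printf '%s\n' "$d"
}

# Stand-alone use: pass the projects directory as the first argument.
if [ "$#" -gt 0 ]; then
    audit_pubkeys "$1"
fi
```

Identical digests only show that the same file was copied; the same key exported twice in different forms would hash differently.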
