[packman] does packman have a new key or what is going on?

2021-10-29 Thread S.

On Fri Oct 29 16:10:47 CEST 2021 Stefan Seyfried wrote:

> I did not suggest to report the bug upstream, but against Leap 15.3

Yes, I understood. But I still think that openSUSE devs will not be very eager 
to revert a change that makes rpm not conform to the cryptography spec just to 
make it work with a key for a repo that they do not approve of. ;-) I hope I'm 
wrong though. Here goes...
https://bugzilla.opensuse.org/show_bug.cgi?id=1192168

___
Packman mailing list
Packman@links2linux.de
https://lists.links2linux.de/cgi-bin/mailman/listinfo/packman

Re: [packman] does packman have a new key or what is going on?

2021-10-29 Thread Stefan Seyfried

On 29.10.21 15:34, S. wrote:

> On Fri Oct 29 08:28:36 CEST 2021 Stefan Seyfried wrote:
> > probably rpm needs to be fixed to again accept keys that were totally
> > fine before the update.
> >
> > So I'd suggest filing a bug against 15.3 rpm package.
>
> I very much agree with you that this appears to be an unnecessary
> problem caused by rpm. But I suspect that a bug report will lead to a
> response that it's working as designed:
> https://github.com/rpm-software-management/rpm/commit/f22499a05d0a01e35dd10d7644f8d74391ba4222

It is still a regression on Leap 15.3.
I did not suggest to report the bug upstream, but against Leap 15.3

IF I encounter something like this at work, with my own OBS instance and 
SLES15-SP3, then you can rest assured that I'll try to make SUSE fix 
that ;-)


I did not yet encounter any problems there, though.
--
Stefan Seyfried

"For a successful technology, reality must take precedence over
 public relations, for nature cannot be fooled." -- Richard Feynman


[packman] does packman have a new key or what is going on?

2021-10-29 Thread S.


On Fri Oct 29 08:28:36 CEST 2021 Stefan Seyfried wrote:

> probably rpm needs to be fixed to again accept keys that were totally fine
> before the update.
>
> So I'd suggest filing a bug against 15.3 rpm package.

I very much agree with you that this appears to be an unnecessary problem 
caused by rpm. But I suspect that a bug report will lead to a response that 
it's working as designed:
https://github.com/rpm-software-management/rpm/commit/f22499a05d0a01e35dd10d7644f8d74391ba4222

> *Reject unimplemented critical PGP packets as per RFC-4880*
>
> Bit 7 of the subpacket type is the "critical" bit.  If set, it denotes that
> the subpacket is one that is critical for the evaluator of the signature to
> recognize.  If a subpacket is encountered that is marked critical but is
> unknown to the evaluating software, the evaluator SHOULD consider the
> signature to be in error.


So it appears that the evaluating software (rpm) is obeying the spec and 
appropriately failing, whereas zypper isn't obeying it by virtue of being less 
strict. Especially given the hostility that so many openSUSE graybeards show 
toward Packman (and I can't find any other keys that rpm is rejecting in this 
way) I don't see openSUSE fixing this unfortunately.

To me the easiest solution seems to be just creating a new key for Packman. 
Users will get a prompt, but that will be the end of the problem, and as it is 
they're already getting loads of errors about the problematic key as mentioned 
in this thread.

It also appears that it's possible to somehow remove the "critical" bit from a specific 
location in the key, thus "repairing" it and allowing to keep using the same key.
https://1password.community/discussion/comment/615922/#Comment_615922

> Yesterday we published a fixed version of the PGP key that now works with the
> newer version of RPM. It's the same key, but we were able to remove the packets
> that RPM no longer supports.


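The critical-bit rule from RFC 4880 quoted in the message above, as an added example (not code from this thread, from rpm or from Packman): a small parser that walks the signature packets of a binary OpenPGP key and lists the critical subpackets an evaluator does not implement. The `ASSUMED_IMPLEMENTED` set, the function names and the sample packet are constructed for illustration; they are not rpm's actual list and not the Packman key.

```python
# Assumed evaluator support, illustration only (NOT rpm's real list): 2, 3, 9, 16
ASSUMED_IMPLEMENTED = frozenset({2, 3, 9, 16})

def _length(data, i):
    """Decode an RFC 4880 length at data[i]; return (length, next index)."""
    o = data[i]
    if o < 192:
        return o, i + 1
    if o < 255:
        return ((o - 192) << 8) + data[i + 1] + 192, i + 2
    return int.from_bytes(data[i + 1:i + 5], "big"), i + 5

def _packets(data):
    """Yield (tag, body) for each packet in binary (dearmored) OpenPGP data."""
    i = 0
    while i < len(data):
        hdr = data[i]
        if (hdr & 0xC0) == 0xC0 and not 224 <= data[i + 1] < 255:  # new format, no partial body
            tag = hdr & 0x3F
            length, i = _length(data, i + 1)
        elif (hdr & 0xC0) == 0x80 and (hdr & 0x03) != 3:           # old format, definite length
            tag, n = (hdr >> 2) & 0x0F, 1 << (hdr & 0x03)
            length, i = int.from_bytes(data[i + 1:i + 1 + n], "big"), i + 1 + n
        else:
            raise ValueError("unsupported or malformed packet header")
        yield tag, data[i:i + length]
        i += length

def _subpackets(area):
    """Yield (type, critical) per subpacket; bit 7 of the type octet is the critical bit."""
    i = 0
    while i < len(area):
        length, i = _length(area, i)
        if length == 0 or i + length > len(area):
            raise ValueError("malformed subpacket area")
        yield area[i] & 0x7F, bool(area[i] & 0x80)
        i += length

def unimplemented_critical(data, known=ASSUMED_IMPLEMENTED):
    """Return (signature number, area, type) for each critical subpacket not in `known`."""
    found = []
    for sig_no, body in enumerate((b for t, b in _packets(data) if t == 2), 1):  # tag 2 = signature
        if body[0] != 4:                                           # only v4 is parsed here
            continue
        hlen = int.from_bytes(body[4:6], "big")
        ulen = int.from_bytes(body[6 + hlen:8 + hlen], "big")
        for name, lo, hi in (("hashed", 6, 6 + hlen), ("unhashed", 8 + hlen, 8 + hlen + ulen)):
            found += [(sig_no, name, t) for t, c in _subpackets(body[lo:hi]) if c and t not in known]
    return found

# Constructed sample (not the Packman key): critical 2, critical 27, plain 30; unhashed 16.
_HASHED = b"\x05\x82\x00\x00\x00\x01" + b"\x02\x9b\x03" + b"\x02\x1e\x01"
_BODY = b"\x04\x13\x01\x08\x00\x0c" + _HASHED + b"\x00\x0a\x09\x10" + bytes(8) + b"\x00\x00\x00\x01\x01"
SAMPLE = bytes([0xC2, len(_BODY)]) + _BODY
```

To inspect a real key file, pass the bytes written by `gpg --dearmor < repomd.xml.key` to `unimplemented_critical()` together with the set of subpacket types the evaluator in question is known to implement.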

Re: [packman] does packman have a new key or what is going on?

2021-10-29 Thread Stefan Seyfried

On 29.10.21 01:21, S. wrote:

> On Thu Oct 28 11:40:34 CEST 2021 Marcel Kühlhorn wrote:
> > Interestingly, this only works with zypper, dnf and plain rpm fail to
> > import the key
>
> I'm running into the same issue trying to build an image with Kiwi and
> manually importing the Packman key. I confirm that Zypper/YaST can
> import the key, but not the underlying rpm tool. Strangely, this issue
> actually appeared first when they updated the RPM version in Leap 15.3:
>
> https://lists.links2linux.de/pipermail/packman/2021-October/016849.html
> So Packman needs to somehow unset the "critical" bit from "Bit 7 of the
> subpacket type", according to this:
> https://github.com/rpm-software-management/rpm/commit/f22499a05d0a01e35dd10d7644f8d74391ba4222
>
> That means nothing to me and it sounds difficult, but something needs to
> be done to fix this.


probably rpm needs to be fixed to again accept keys that were totally 
fine before the update.


So I'd suggest filing a bug against 15.3 rpm package.

(I don't know much about key handling in RPM, so maybe the key is really 
broken and should not be used as-is, but then why is it acceptable to 
libzypp?)

--
Stefan Seyfried

"For a successful technology, reality must take precedence over
 public relations, for nature cannot be fooled." -- Richard Feynman


[packman] does packman have a new key or what is going on?

2021-10-28 Thread S.

On Thu Oct 28 11:40:34 CEST 2021 Marcel Kühlhorn wrote:

> Interestingly, this only works with zypper, dnf and plain rpm fail to import
> the key


I'm running into the same issue trying to build an image with Kiwi and manually 
importing the Packman key. I confirm that Zypper/YaST can import the key, but 
not the underlying rpm tool. Strangely, this issue actually appeared first when 
they updated the RPM version in Leap 15.3:
https://lists.links2linux.de/pipermail/packman/2021-October/016849.html
So Packman needs to somehow unset the "critical" bit from "Bit 7 of the subpacket 
type", according to this:
https://github.com/rpm-software-management/rpm/commit/f22499a05d0a01e35dd10d7644f8d74391ba4222
That means nothing to me and it sounds difficult, but something needs to be 
done to fix this.


Re: [packman] does packman have a new key or what is going on?

2021-10-28 Thread Marcel Kühlhorn
On Thu, 2021-10-28 at 08:12 +0200, Simon Vogl wrote:
> I managed to solve this by listing all rpm keys with
> 
> rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
> 
> and then removing the packman key with
> 
> sudo rpm -e gpg-pubkey-
> 
> afterwards, I removed the Packman repo, re-added it and got a new key
> trust prompt.
> Once I accepted that, I could install packages from packman again
> without this key error showing up,
> 
> e.g. force-reinstalling ffmpeg-4. It does seem to be a key issue of some
> sort to me, but maybe I'm wrong.
> 
Interestingly, this only works with zypper, dnf and plain rpm fail to
import the key:

Importing GPG key 0x1ABD1AFB:
 Userid : "PackMan Project (signing key) "
 Fingerprint: F887 5B88 0D51 8B6B 8C53 0D13 45A1 D067 1ABD 1AFB
 From   : https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/repodata/repomd.xml.key
Is this ok [y/N]: y
Key import failed (code 2). Failing package is: autopano-sift-C-2.5.1-3.118.x86_64
 GPG Keys are configured as: https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/repodata/repomd.xml.key
Public key for avidemux3-qt5-2.7.8-3.33.x86_64.rpm is not installed. Failing package is: avidemux3-qt5-2.7.8-3.33.x86_64
 GPG Keys are configured as: https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/repodata/repomd.xml.key

wget https://ftp.gwdg.de/pub/linux/misc/packman/suse/openSUSE_Tumbleweed/repodata/repomd.xml.key
[…]
rpm --import repomd.xml.key
error: repomd.xml.key: key 1 import failed.

gpg --import-options show-only --import repomd.xml.key
gpg: key 45A1D0671ABD1AFB: 3 signatures not checked due to missing keys
pub   rsa4096 2006-09-18 [SC] [expires: 2024-09-12]
  F8875B880D518B6B8C530D1345A1D0671ABD1AFB
uid  PackMan Project (signing key) 

-- 
Have a lot of fun!

Marcel Kühlhorn




Re: [packman] does packman have a new key or what is going on?

2021-10-28 Thread Mathias Homann

On 2021-10-28 08:12, Simon Vogl wrote:

> I managed to solve this by listing all rpm keys with
>
> rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'
>
> and then removing the packman key with
>
> sudo rpm -e gpg-pubkey-
>
> afterwards, I removed the Packman repo, re-added it and got a new key
> trust prompt.
> Once I accepted that, I could install packages from packman again
> without this key error showing up,


That did it.

Without removing the packman repo:
"rpm -e gpg-pubkey-1abd1afb-54176598 && zypper cc --all && zypper ref" 
also gets you a new trust prompt.


Cheers
MH

--
Mathias Homann
mathias.hom...@opensuse.org
telegram: https://telegram.me/lemmy98
irc: [lemmy] on freenode and ircnet
obs: lemmy04
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102



Re: [packman] does packman have a new key or what is going on?

2021-10-28 Thread Simon Vogl

I managed to solve this by listing all rpm keys with

rpm -q gpg-pubkey --qf '%{name}-%{version}-%{release} --> %{summary}\n'

and then removing the packman key with

sudo rpm -e gpg-pubkey-

afterwards, I removed the Packman repo, re-added it and got a new key
trust prompt.
Once I accepted that, I could install packages from packman again
without this key error showing up,

e.g. force-reinstalling ffmpeg-4. It does seem to be a key issue of some
sort to me, but maybe I'm wrong.

Re: [packman] does packman have a new key or what is going on?

2021-10-27 Thread Mathias Homann
On Wednesday, 27 October 2021, 19:56:05 CEST, Mathias Homann wrote:
> Hi,
> 
> I just got a ton of updated packages from packman on tumbleweed 20211025 and
> with every package zypper gave me a NOKEY warning but installed it all the
> same...
> 
> now, when I run something like "rpm -Vvv vlc-codec-gstreamer" I see the same
> NOKEY warning appear:
> D:  read h#   68693
> Header V4 RSA/SHA1 Signature, key ID 1abd1afb: NOKEY
> Header SHA256 digest: OK
> Header SHA1 digest: OK
> D:  read h#   68693
> Header V4 RSA/SHA1 Signature, key ID 1abd1afb: NOKEY
> Header SHA256 digest: OK
> Header SHA1 digest: OK
> 
> but that key is installed:
> kumiko:~ # rpm -qa gpg-pubkey\*|grep 1abd1afb
> gpg-pubkey-1abd1afb-54176598

More of the same on a different host:

(20/40) Installing: libx264-161-0.161+git20200912.d198931a-2.22.x86_64 

[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libx264-161-0.161+git20200912.d198931a-2.22.x86_64.rpm: Header V4 RSA/SHA1 
Signature, key ID 1abd1afb: NOKEY


(21/40) Installing: libpipewire-0_3-0-0.3.38-3.4.x86_64 
...
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libpipewire-0_3-0-0.3.38-3.4.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(22/40) Installing: libfdk-aac2-2.0.2-1.10.x86_64 
.
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libfdk-aac2-2.0.2-1.10.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(23/40) Installing: libopencore-amrnb0-0.1.5-1.66.x86_64 
..
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libopencore-amrnb0-0.1.5-1.66.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(24/40) Installing: libavutil55-3.4.9-1.3.x86_64 
..
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libavutil55-3.4.9-1.3.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(25/40) Installing: pipewire-spa-tools-0.3.38-3.4.x86_64 
..
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
pipewire-spa-tools-0.3.38-3.4.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(26/40) Installing: libopencore-amrwb0-0.1.5-1.66.x86_64 
..
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libopencore-amrwb0-0.1.5-1.66.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(27/40) Installing: libopenaptx0-0.2.0-10.11.x86_64 
...
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libopenaptx0-0.2.0-10.11.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(28/40) Installing: libvo-amrwbenc0-0.1.3-1.55.x86_64 
.
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libvo-amrwbenc0-0.1.3-1.55.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(29/40) Installing: libavutil56_70-4.4-9.4.x86_64 
.
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libavutil56_70-4.4-9.4.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(30/40) Installing: libx265-199-3.5-2.19.x86_64 
...
[done]
Additional rpm output:
warning: /var/cache/zypp/packages/packman.gwdg.de-suse/Essentials/x86_64/
libx265-199-3.5-2.19.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID 
1abd1afb: NOKEY


(31/40) Installing: libxvidcore4-1.3.7-1.27.x86_64 

[done]
Additional rpm output:
warning: 

[packman] does packman have a new key or what is going on?

2021-10-27 Thread Mathias Homann
Hi,

I just got a ton of updated packages from packman on tumbleweed 20211025 and 
with every package zypper gave me a NOKEY warning but installed it all the 
same...

now, when I run something like "rpm -Vvv vlc-codec-gstreamer" I see the same 
NOKEY warning appear:
D:  read h#   68693 
Header V4 RSA/SHA1 Signature, key ID 1abd1afb: NOKEY
Header SHA256 digest: OK
Header SHA1 digest: OK
D:  read h#   68693 
Header V4 RSA/SHA1 Signature, key ID 1abd1afb: NOKEY
Header SHA256 digest: OK
Header SHA1 digest: OK

but that key is installed:
kumiko:~ # rpm -qa gpg-pubkey\*|grep 1abd1afb
gpg-pubkey-1abd1afb-54176598



what is going on?


Cheers
MH


-- 
Mathias Homann
mathias.hom...@opensuse.org
Jabber (XMPP): le...@tuxonline.tech
IRC: [Lemmy] on freenode and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
