Bug 1222916

Summary: Leap Micro 6.0 - used signing keys 09d9ea69: NOKEY
Product: [openSUSE] openSUSE Leap Micro
Reporter: Lubos Kocman <lubos.kocman>
Component: Base
Assignee: Lubos Kocman <lubos.kocman>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Major
Priority: P5 - None
Version: 6.0
Target Milestone: ---
Hardware: Other
OS: Other
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Lubos Kocman 2024-04-16 21:26:27 UTC
Leap Micro 6.0 Appliances have some warnings regarding rpms signed with Signature, key ID 09d9ea69: NOKEY
https://build.opensuse.org/package/live_build_log/openSUSE:Leap:Micro:6.0:Images/Leap-Micro:Default/images/aarch64

[  190s] [ DEBUG   ]: 21:27:33 | system: (683/736) Installing: patterns-alp-selinux-6.0-13.1.aarch64 [.
[  190s] [ INFO    ]: Processing: [###############################         ] 78%[ DEBUG   ]: 21:27:33 | system: warning: /var/cache/kiwi/packages/0a1d79baab8f4f8eb6f19415c579a403/patterns-alp-selinux.rpm: Header V3 RSA/SHA256 Signature, key ID 09d9ea69: NOKEY

I suppose this is the official "safe-to-use" ALP build key, correct? I suppose we should add the relevant gpg-keys to our openSUSE-build-key package or install the existing ALP-build-key package somewhere on the side.

I also noticed that Leap Micro 6.0 is set up with 2k key and it should probably be 4k. https://build.opensuse.org/projects/openSUSE:Leap:Micro:6.0/signing_keys

Comment 2 Lubos Kocman 2024-04-18 14:23:09 UTC
I've copy-pasted last week's openSUSE-build-key from Factory which has the ALP key.
I did make a request for autobuild to switch signing key to 4k one.

Comment 3 Chenzi Cao 2024-05-17 08:20:53 UTC
Hi Lubos, it seems you already started to fix the issues, so I assign it to you, please feel free to reassign whenever necessary, thanks.

Comment 4 Lubos Kocman 2024-06-20 08:55:43 UTC
Resolved by using the recent openSUSE-build-key. I ensured that keys are imported in all of our appliances/images including toolbox.

Comment 5 Lubos Kocman 2024-06-21 15:42:34 UTC
There will be a bit of a problem for upgrade from 5.5, as we technically don't have any update channel for openSUSE packages, only for SLES ones and the key is attached in the openSUSE-build-key from Micro 6.0.

You could do zypper --releasever 6.0 install openSUSE-build-key followed by
for i in /usr/lib/rpm/gnupg/keys/gpg-pubkey*asc; do rpm --import "$i" || true; done

Similarly to how we do it, e.g. for toolbox: https://build.opensuse.org/projects/openSUSE:Leap:Micro:6.0/packages/opensuse-toolbox-image/files/config.sh?expand=1
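
A check that could be run over a build log like the one quoted in the description, to list which signing key IDs produced NOKEY warnings and whether they are in the RPM keyring. This is an added example, not part of the bug report or of any openSUSE tooling; the function names and the second sample log line are constructed, and it assumes `rpm -q gpg-pubkey` prints names of the form `gpg-pubkey-<keyid>-<timestamp>`.

```shell
#!/bin/sh
# Sample input: first line taken from the log quoted in the report,
# second line constructed for illustration.
SAMPLE_LOG='[  190s] [ DEBUG   ]: 21:27:33 | system: warning: /var/cache/kiwi/packages/0a1d79baab8f4f8eb6f19415c579a403/patterns-alp-selinux.rpm: Header V3 RSA/SHA256 Signature, key ID 09d9ea69: NOKEY
[  191s] [ DEBUG   ]: 21:27:34 | system: warning: /var/cache/kiwi/packages/0a1d79baab8f4f8eb6f19415c579a403/constructed-example.rpm: Header V3 RSA/SHA256 Signature, key ID 09d9ea69: NOKEY
[  192s] [ DEBUG   ]: 21:27:35 | system: (685/736) Installing: constructed-other-1.0-1.1.aarch64'

# nokey_report: read a build log on stdin and print one line per unknown
# key: "<keyid> <number of warnings> <first affected package file>".
nokey_report() {
    sed -n 's|.*warning: .*/\([^/]*\.rpm\): Header .* key ID \([0-9a-fA-F]\{8,16\}\): NOKEY.*|\2 \1|p' |
    awk '{ id = tolower($1); n[id]++; if (!(id in first)) first[id] = $2 }
         END { for (id in n) print id, n[id], first[id] }' |
    sort
}

# key_imported: succeed if key id $1 appears in keyring listing $2.
# $2 is expected to be the output of `rpm -q gpg-pubkey` (assumed format:
# gpg-pubkey-<keyid>-<timestamp>, one per line).
key_imported() {
    printf '%s\n' "$2" | grep -qi "^gpg-pubkey-$1-"
}

# missing_keys: read a build log on stdin, print every key ID that raised
# NOKEY and is absent from the keyring listing given as $1.
missing_keys() {
    keyring=$1
    nokey_report | while read -r id count pkg; do
        key_imported "$id" "$keyring" || echo "$id"
    done
}

# Typical use on a built or upgraded system (not run here):
#   missing_keys "$(rpm -q gpg-pubkey)" < build.log
```

A non-empty result after importing the keys from openSUSE-build-key means packages in the image are still signed by a key the keyring does not know.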