Bug 122564

Summary: keys from suse-build-keys not imported
Product: [openSUSE] SUSE LINUX 10.0 Reporter: Mark Gordon <mtgordon>
Component: BasesystemAssignee: Harald Mueller-Ney <hmuelle>
Status: RESOLVED WONTFIX QA Contact: E-mail List <qa-bugs>
Severity: Normal    
Priority: P5 - None CC: aj, hmuelle
Version: Final   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Mark Gordon 2005-10-10 20:09:18 UTC 
I'd been having problems installing updates from YOU servers.  Eventually I
figured out that some of my machines didn't have the keys from the
suse-build-keys package imported (based on "rpm -qa gpg-pubkey*", which
generated no output).  YOU was failing to recognize the signature and reporting
failure.  The "gpg ... -import" line in the postinstall evidently isn't doing
anything; I eventually got things to work by extracting specific keys from that
keyring and importing them with "rpm --import".  After that, YOU updates started
working.

I never saw this problem on machines for which I'd installed from media; I only
had this problem with machines where I'd done a PXE-based network install.  Is
there some installer code that imports these keys, independent of the
postinstall from the suse-build-keys package itself?

The relevant portion of my YaST logs, from the original install of
suse-build-keys, is presumably the following:

2005-09-14 16:48:07 suse-build-key-1.0-668.noarch.rpm installed ok
Additional rpm output:
importing SuSE build key to rpm keyring... gpg: no ultimately trusted keys found
done.

The gpg spewage is from the invocation with --import.

I still have a test machine with this problem in the event that more details are
needed, but it should be trivial to reproduce:

# rpm -e gpg-pubkey-9c800aca-40d8063e
# rpm -e --nodeps suse-build-key
# rpm -Uvh suse-build-key.rpm
# rpm -qa gpg-pubkey*

Depending on your installation method, step 4 alone may be insufficient to
reproduce the problem.
Comment 1 Anja Stock 2005-10-28 11:06:29 UTC 
Adding some people to CC.

Michael, can you lend us a hand here?
I think you had a similar problem solved mentioned on "research".
Comment 2 Michael Andres 2005-10-28 12:09:44 UTC 
Seems to be a duplicte of bug #130579.

- The packagemenager collects gpg-pubkey-* located in the root directory of an installation source. This is done at the time the source is created.

- Before any package installation, collected gpg-pubkey-* are checked and installed in the rpm database if missing.

Bug #130579 seems to indicate a problem with installation via network, at least via HTTP/FTP. The packagemanager does not see the original media. It's YaSTs YCP code which downloads the source metadata into the ramdisk. The packagemanager is  then setup to use the ramdisk copy. 

To me it looks like the YCP code sometimes fails to copy the gpg-pubkey-* into the ramdisk. 

Without the keys installed, YOU can't check the signature of packages. 

(The message from suse-build-key's post-install script is unrelated to this. 
Rpm does not use the keyring for signature checking.)

Wokraround: 
- Get the gpg-pubkey-* files from the original media, and copy them into /var/adm/YaST/InstSrcManager/gpg-pubkey/. 
- Then call 'rpm --import <names of missing keyfiles>', 
or 'yast2 sw_single' and install at least one package.
Comment 4 Anja Stock 2006-06-13 10:55:38 UTC 
resolved - later - tracked by harald
Comment 5 Stephan Kulow 2008-06-25 09:33:50 UTC 
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Comment 6 Stephan Kulow 2008-06-25 09:35:27 UTC 
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Comment 7 Stephan Kulow 2008-06-25 09:41:26 UTC 
mass reopening all SuSE Linux bugs that are set to REMIND+LATER to change the resolution to WONTFIX (adapting to new policy)
Comment 8 Stephan Kulow 2008-06-25 09:52:56 UTC 
Closing old LATER+REMIND bugs as WONTFIX - if you still plan to work on it, feel free to reopen and set to ASSIGNED.

In case the report saw repeated reopen comments, it's due to bugzilla timing out on the huge request ;(