Bugzilla – Bug 1222916
Leap Micro 6.0 - used signing keys 09d9ea69: NOKEY
Last modified: 2024-06-21 15:42:34 UTC
Leap Micro 6.0 Appliances have some warnings regarding rpms signed with Signature, key ID 09d9ea69: NOKEY

https://build.opensuse.org/package/live_build_log/openSUSE:Leap:Micro:6.0:Images/Leap-Micro:Default/images/aarch64

    [ 190s] [ DEBUG ]: 21:27:33 | system: (683/736) Installing: patterns-alp-selinux-6.0-13.1.aarch64 [.
    [ 190s] [ INFO ]: Processing: [############################### ] 78%[ DEBUG ]: 21:27:33 | system: warning: /var/cache/kiwi/packages/0a1d79baab8f4f8eb6f19415c579a403/patterns-alp-selinux.rpm: Header V3 RSA/SHA256 Signature, key ID 09d9ea69: NOKEY

I suppose this is the official "safe-to-use" ALP build key, correct?
I suppose we should add the relevant gpg-keys to our openSUSE-build-key package or install the existing ALP-build-key package somewhere on the side.

I also noticed that Leap Micro 6.0 is set up with a 2k key and it should probably be 4k.
https://build.opensuse.org/projects/openSUSE:Leap:Micro:6.0/signing_keys
I've copy-pasted last week's openSUSE-build-key from Factory, which has the ALP key. I did make a request for autobuild to switch the signing key to the 4k one.
Hi Lubos, it seems you already started to fix the issues, so I assign it to you, please feel free to reassign whenever necessary, thanks.
Resolved by using the recent openSUSE-build-key. I ensured that keys are imported in all of our appliances/images including toolbox.
There will be a bit of a problem for upgrades from 5.5, as we technically don't have any update channel for openSUSE packages, only for SLES ones, and the key is attached in the openSUSE-build-key from Micro 6.0.

You could do

    zypper --releasever 6.0 openSUSE-build-key

followed by

    for i in /usr/lib/rpm/gnupg/keys/gpg-pubkey*asc; do
        rpm --import "$i" || true
    done

Similar to how we do it, e.g. for toolbox:
https://build.opensuse.org/projects/openSUSE:Leap:Micro:6.0/packages/opensuse-toolbox-image/files/config.sh?expand=1
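
The NOKEY warning from the report only shows up as a debug line in the image build log, so a build can pass while installing packages whose signing key is not in the rpm keyring. The following is an added example, not part of the bug report or of any openSUSE tooling: a shell check that extracts such warnings from a build log and fails when any are present. The function names, the package names `example-a`/`example-b`/`example-c` and the key ID `0123abcd` are made up for illustration; only the warning format is taken from the report.

```shell
#!/bin/sh
# Added example: find rpm "NOKEY" warnings in a kiwi/OBS build log.

# nokey_summary LOG: print "<key id> <package count>" for every signing key
# that rpm could not find in its keyring while installing packages.
nokey_summary() {
    # rpm warning format, as quoted in the report:
    #   warning: <path>.rpm: Header V3 RSA/SHA256 Signature, key ID <id>: NOKEY
    # sort -u keeps one line per (key, package) even if the log repeats it.
    sed -n 's/.*warning: \(.*\.rpm\): Header .* Signature, key ID \([0-9a-fA-F]*\): NOKEY.*/\2 \1/p' "$1" |
        sort -u |
        awk '{ n[$1]++ } END { for (k in n) print k, n[k] }' |
        sort
}

# nokey_gate LOG: succeed only if no package was signed with an unknown key.
nokey_gate() {
    summary=$(nokey_summary "$1")
    if [ -z "$summary" ]; then return 0; fi
    printf 'signing keys missing from the rpm keyring (key id, packages):\n%s\n' "$summary" >&2
    return 1
}

# write_sample_log FILE: constructed sample log. The first warning follows the
# line quoted in the report; the example-* packages and key 0123abcd are made up.
write_sample_log() {
    cat > "$1" <<'EOF'
[ 190s] [ DEBUG ]: 21:27:33 | system: (683/736) Installing: patterns-alp-selinux-6.0-13.1.aarch64 [.
[ 190s] [ INFO ]: Processing: [#### ] 78%[ DEBUG ]: 21:27:33 | system: warning: /var/cache/kiwi/packages/0a1d79baab8f4f8eb6f19415c579a403/patterns-alp-selinux.rpm: Header V3 RSA/SHA256 Signature, key ID 09d9ea69: NOKEY
[ 191s] [ DEBUG ]: 21:27:34 | system: warning: /var/cache/kiwi/packages/0a1d79baab8f4f8eb6f19415c579a403/example-a.rpm: Header V3 RSA/SHA256 Signature, key ID 09d9ea69: NOKEY
[ 191s] [ DEBUG ]: 21:27:34 | system: warning: /var/cache/kiwi/packages/0a1d79baab8f4f8eb6f19415c579a403/example-a.rpm: Header V3 RSA/SHA256 Signature, key ID 09d9ea69: NOKEY
[ 192s] [ DEBUG ]: 21:27:35 | system: warning: /var/cache/kiwi/packages/0a1d79baab8f4f8eb6f19415c579a403/example-b.rpm: Header V4 RSA/SHA512 Signature, key ID 0123abcd: NOKEY
[ 193s] [ DEBUG ]: 21:27:36 | system: (686/736) Installing: example-c-1.0-1.1.aarch64 [..done]
EOF
}

# Demonstration on the constructed sample log.
log=$(mktemp)
write_sample_log "$log"
nokey_summary "$log"
rm -f "$log"
```

Calling `nokey_gate` on the saved build log after the image build turns the warning into a failed step until the key is part of the imported key set.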