Bugzilla – Bug 383544
build@suse.de keys expire soon
Last modified: 2008-07-04 12:13:15 UTC
(not sure about the component, please reassign if needed)

While testing the new GPG public key management in YaST packagemanager, I noticed that there are two build@suse.de keys that both expire soon (in about a month).

Key: A84EDAE89C800ACA
Name: SuSE Package Signing Key <build@suse.de>
Finger Print: 79C179B2E1C820C1890F9994A84EDAE89C800ACA
Created: 09.10.2000
Expires: 01.06.2008

Key: E3A5C360307E3D54
Name: SuSE Package Signing Key <build@suse.de>
Finger Print: 4E98E67519D98DC7362A5990E3A5C360307E3D54
Created: 01.03.2006
Expires: 01.06.2008

I don't know how YaST/zypp handles expired keys, but I propose to change the expiration date before all users find out ;-)

Note: I always install new openSUSE versions as updates, so I'm not sure if the keys are really expiring soon or if the update doesn't update the keys.

BTW: Why do two different build@suse.de keys exist?
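A check for the condition reported above, as an added example that is not part of the original bug report or of any SUSE tooling: it reads a `gpg --with-colons` key listing and flags keys that are expired or close to expiry. The sample listing is constructed from the two key IDs and dates quoted in the report; the key length and algorithm fields, the third key, the 45-day window and the function names are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample in `gpg --with-colons` layout. Key IDs and dates are the
# two keys quoted in the report; length/algorithm fields are placeholders and
# the third key is invented to show an entry without an expiry date.
SAMPLE = """\
pub:-:1024:17:A84EDAE89C800ACA:971049600:1212278400::-:SuSE Package Signing Key <build@suse.de>:
pub:-:1024:1:E3A5C360307E3D54:2006-03-01:2008-06-01::-:SuSE Package Signing Key <build@suse.de>:
pub:-:1024:17:0123456789ABCDEF:1104537600:::-:Example Key <example@example.invalid>:
"""


def _parse_date(field):
    """Dates are epoch seconds, ISO 8601 basic format, or YYYY-MM-DD (older gpg)."""
    if not field:
        return None  # empty expiry field: the key never expires
    if field.isdigit():
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    fmt = "%Y%m%dT%H%M%S" if "T" in field else "%Y-%m-%d"
    return datetime.strptime(field, fmt).replace(tzinfo=timezone.utc)


def expiring_keys(listing, now, warn_days=45):
    """Return (keyid, expiry_date, status) for primary keys that are expired
    or that expire within warn_days of `now`."""
    findings = []
    for line in listing.splitlines():
        fields = line.split(":")
        if fields[0] != "pub" or len(fields) < 7:
            continue  # only primary key records carry the date we check here
        expires = _parse_date(fields[6])  # field 7 is the expiration date
        if expires is None:
            continue
        if expires <= now:
            status = "expired"
        elif expires - now <= timedelta(days=warn_days):
            status = "expiring"
        else:
            continue
        findings.append((fields[4], expires.date().isoformat(), status))
    return findings


if __name__ == "__main__":
    today = datetime(2008, 4, 25, tzinfo=timezone.utc)  # constructed date
    for keyid, expiry, status in expiring_keys(SAMPLE, today):
        print(f"{keyid} {status} {expiry}")
```

On a live system the listing would come from something like `gpg --no-default-keyring --keyring /usr/lib/rpm/gnupg/pubring.gpg --list-keys --with-colons`, with `now` set to the current UTC time.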
Rudi?
swampid: 17520
SLES10-SP2 and STABLE/FACTORY are done. the two different keys are rsa and dsa keys. We wanted to switch to using the newer one for 110.0 already but it will probably be 11.1 till that happens.
all packages submitted, patchinfos in the queue now. closing.
While testing the related maintenance update

YOU Patch No: 12156
ZYPP Patch No: 5231
MD5 sum: 72d3908e250b3900c4aaa08b17ca64b3
SUBSWAMPID: 17522
packages: suse-build-key

I came across three issues I would like to bring up:

1) The keyring of user root traditionally held all the keys that are in /usr/lib/rpm/gnupg/pubring.gpg (which is part of suse-build-key). Starting with this update, the keyring of user root is not updated anymore. I don't know if there are any issues with this on sle10 or code9, but this is definitely an issue for sles8 (see point 3). Maybe we should just add the keys to the keyring of user root to be safe.

2) The rpm keyring on sles8 has a PTF signing key

pub 1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key <support@suse.com>
sub 1024g/6647760C 2005-05-11 [expires: 2008-06-30]

which was not updated by this maintenance update. Are we planning for a separate update? Do we need this key in the future at all?

3) The trustdb of the keyring was not updated during application of the patch. As a consequence, the you client on sles8 fails to download the patch list on the first start and throws an error as shown in the attached screen shot. If I start the you client a second time, gpg seems to have healed itself by automatically updating the trustdb, and then yast2 works as expected. This looks exactly like https://bugzilla.novell.com/show_bug.cgi?id=103796#c35 from two years ago. What is interesting in this context is that it was the trustdb of the keyring of user root that has been updated (self-healed). /usr/lib/rpm/gnupg/trustdb.gpg just stayed the same (last mod time Aug 5 2004 on my ref host). This is some evidence that we need to do 1).
Created attachment 215053: screen shot of yast2 online_update experiencing a trustdb error
See Rudi's bug #393160 for the consequences
packages released now, after we found out that libzypp / repo extension is unrelated and fixed differently.
-> fixed