Accepting request 213302 from home:msmeissn:branches:Base:System

- Merged over logic from openSUSE-build-key. - Got rid of default importing into roots keyring. - Removed some old keys. - Clarify that security@suse.de is a email only key - PTF key is supplied also as %doc, to not be default imported. - Keys currently inside: - pub 2048R/39DB7C82 SuSE Package Signing Key <build@suse.de> - pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de> - pub 1024D/B37B98A9 SUSE PTF Signing Key <support@suse.com> - pub 2048R/3D25D3D9 SuSE Security Team <security@suse.de> OBS-URL: https://build.opensuse.org/request/show/213302 OBS-URL: https://build.opensuse.org/package/show/Base:System/suse-build-key?expand=0&rev=9
2014-01-09 13:49:26 +00:00 · 2014-01-09 13:49:26 +00:00 · 4f52763dd1
commit 4f52763dd1
parent 8016e44ace
8 changed files with 154 additions and 90 deletions
--- a/.gitattributes
+++ b/.gitattributes
@ -21,5 +21,3 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
-## Specific LFS patterns
-suse-build-key.gpg filter=lfs diff=lfs merge=lfs -text
--- a/gpg-pubkey-39db7c82-510a966b.asc
+++ b/gpg-pubkey-39db7c82-510a966b.asc
@ -0,0 +1,21 @@
+70AF9E8139DB7C82 SuSE Package Signing Key <build@suse.de>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQENBFEKlmsBCADbpZZbbSC5Zi+HxCR/ynYsVxU5JNNiSSZabN5GMgc9Z0hxeXxp
+YWvFoE/4n0+IXIsp83iKvxf06Eu8je/DXp0lMqDZu7WiT3XXAlkOPSNV4akHTDoY
+91SJaZCpgUJ7K1QXOPABNbREsAMN1a7rxBowjNjBUyiTJ2YuvQRLtGdK1kExsVma
+hieh/QxpoDyYd5w/aky3z23erCoEd+OPfAqEHd5tQIa6LOosa63BSCEl3milJ7J9
+vDmoGPAoS6ui7S2R5X4/+PLN8Mm2kOBrFjhmL93LX0mrGCMxsNsKgP6zabYKQEb8
+L028SXvl7EGoA+Vw5Vd3wIGbM73PfbgNrXjfABEBAAG0KFN1U0UgUGFja2FnZSBT
+aWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6JATwEEwECACYFAlEKlmsCGwMFCQeE
+zgAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBwr56BOdt8gomGCAC13Pi60I6O
+8GJ03BQrmVyyJrDcwJxxqw0HmIENf3rDLMYTBuduM3mNm5Fy2Gl2IuWD9mHvckQs
+0xa+A7mAwHXhIXWFCrZWyRH16w93BzjjLGiMMKimE8mg4XcaRL1FJhxGqq7FpLga
+XpQofkw0yFcavuubETpDR3w4qiRVsNKq4RM00pMCpTpJDWamFJm/oOUmBE45Q071
+v9C4oQHPsBNK/yMtlRssel815Xx4lbJIpKAg4BRtyBHWCzH/gVRGhYA8xDs/DEvu
+Z9mswBdniP+K1XSkr+NtxFvtkAy/C2Q2qk3sqpCMOt3MDGTyBgqIoplE/4XRCis9
+d7b1v1zv4/hN
+=sQXd
+-----END PGP PUBLIC KEY BLOCK-----
--- a/gpg-pubkey-50a3dd1c-50f35137.asc
+++ b/gpg-pubkey-50a3dd1c-50f35137.asc
@ -0,0 +1,21 @@
+5EAF444450A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQENBFDzUTcBCADQ3p9ch1aR6cBqL+O7UNO+zFNTI5WxLf4tegWP8uuxK5tJTgXO
+tjnwWmWIaijO6yfCtlBu8hD2Zp9sMenDY42yM5/uII0RpszqzqwwK5onnjGcSkWZ
+8jAAn+mtLIJvCLCwTqwEM4mTdTZROtCnttHXZr4GFrqpeAh+SKEWIoMF66N1FSb6
+S0evzYw3ryjbFY0pial9/hqqnsTWCNHzE1Up7qdNIPxDV8UGyUzm70/xMMjJSIkB
+aGpRdhILfZgyH6Ajhm7VCPPzW/BO30RSjHDnyo3hR39jE+KxvdgqTz+AthK5z+p2
+mwQ+ohTAo4dGb0lyZYFpXD7ucEl9w1ygzUe/ABEBAAG0NlN1U0UgUGFja2FnZSBT
+aWduaW5nIEtleSAocmVzZXJ2ZSBrZXkpIDxidWlsZEBzdXNlLmRlPokBPAQTAQIA
+JgUCUPNRNwIbAwUJB4TOAAYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEF6vRERQ
+o90cr+kH/RwB21ma7cQvZ1lHvgcOTuM7Ttqq6x7uuFFDXCIdmbDHv1ocQI5Z3VCb
+/7w+J8ZcBwNcr7i9Qsayu7umCILEOO8pNn/SlJVz6Kr6j6L8oAC3XHbXYrHacwMR
+y9jQPCDqP7WZduRgEW2VWnIoNp6p/DAj724EmfLzURwLG1QKiLnOLtpygzyquk3S
+gPGqgro+hCWX/VWgtBEKd33mgvwCBGjIe86VMvLCgtggyoBWDXYvsQMBO62fnk5w
+Btwum/m8VPhWhcrbUK60ZsHbdwfmsBOKxewf2vIuKUcqJnIYCfsuBgx9xUxiNlGR
+BVJIlG17h0jlRbEuuRez2397vU8Zw08=
+=SfX3
+-----END PGP PUBLIC KEY BLOCK-----
--- a/security_at_suse_de.asc
+++ b/security_at_suse_de.asc
@ -0,0 +1,28 @@
+77B2E6003D25D3D9 SuSE Security Team <security@suse.de>
+
+The block below contains the public key of the SUSE Security team.
+It's used to sign security advisories and other imporant
+announcents concerning the distribution. To be able to verify
+signatures made with that key you need to import this file into your
+keyring using the following command:
+
+gpg --import security_at_suse_de.asc
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.16 (GNU/Linux)
+
+mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
+BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
+JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
+1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
+P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
+cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
+VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
+WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
+hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
+BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
+AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
+RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
+zinsSx2OrWgvSiLEXXYK
+=m7kg
+-----END PGP PUBLIC KEY BLOCK-----
--- a/suse-build-key.changes
+++ b/suse-build-key.changes
@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Jan  9 12:29:53 UTC 2014 - meissner@suse.com
+
+- Merged over logic from openSUSE-build-key.
+- Got rid of default importing into roots keyring.
+- Removed some old keys.
+- Clarify that security@suse.de is a email only key
+- PTF key is supplied also as %doc, to not be default
+  imported.
+- Keys currently inside:
+  - pub  2048R/39DB7C82 SuSE Package Signing Key <build@suse.de>
+  - pub  2048R/50A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de>
+  - pub  1024D/B37B98A9 SUSE PTF Signing Key <support@suse.com>
+  - pub  2048R/3D25D3D9 SuSE Security Team <security@suse.de>
+
 -------------------------------------------------------------------
 Thu Jan 31 17:11:08 CET 2013 - ro@suse.de

--- a/suse-build-key.gpg
+++ b/suse-build-key.gpg
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:59c8d0592205de77964cbda7dbd3b9db9bfd343cbc347fa7756985f7a8a6b7cd
-size 6774
--- a/suse-build-key.spec
+++ b/suse-build-key.spec
@ -1,7 +1,7 @@
 #
 # spec file for package suse-build-key
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -24,106 +24,64 @@ AutoReqProv:    off
 Summary:        The public gpg key for rpm package signature verification
 License:        GPL-2.0+
 Group:          System/Packages
-Version:        1.0
-Release:        907.<RELEASE42>
-Source0:        suse-build-key.gpg
-Source1:        dumpsigs
+Version:        12.0
+Release:        0
+# pub  2048R/39DB7C82 2013-01-31 SuSE Package Signing Key <build@suse.de>
+# The main package signing key.
+Source0:        gpg-pubkey-39db7c82-510a966b.asc
+# pub  2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) <build@suse.de>
+# Fallback key if main key gets lost.
+Source1:        gpg-pubkey-50a3dd1c-50f35137.asc
+
+# pub  1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key <support@suse.com>
+# SUSE supplied PTF (program temporary fixes) are signed by this key.
+# supplied to be not imported by default
+Source98:       suse_ptf_key.asc
+
+# pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
+# security@suse.de communication key.
+# Only used for E-Mail encryption and signing to/from security@suse.de.
+Source99:       security_at_suse_de.asc
+
+Source100:      dumpsigs
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
-%define pubring  usr/lib/rpm/gnupg/pubring.gpg
-%define susering usr/lib/rpm/gnupg/suse-build-key.gpg
+%define keydir  %{_prefix}/lib/rpm/gnupg/keys
 PreReq:         sh-utils gpg fileutils mktemp

 %description
-This package contains the gpg key that is used to sign official SuSE
-rpm packages. It will be installed as a keyring in
-/usr/lib/rpm/gnupg/pubring.gpg. Administrators who wish to add their
-own keys to verify against should use the following commandline command
-to add the key to the keyring as used by RPM:
-
-gpg --no-options --no-default-keyring \ --keyring
-/usr/lib/rpm/gnupg/pubring.gpg --import
+This package contains the gpg keys that are used to sign the
+SUSE rpm packages. The keys installed here are not actually
+used by anything. rpm/zypper use the keys in the rpm db instead.



 %prep
-rm -f foobarnosuchfileordirectory
-#%setup
+%setup -qcT

 %build
+cp %SOURCE98 .
+cp %SOURCE99 .

 %install
 rm -rf $RPM_BUILD_ROOT
-mkdir -p $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
-install %{SOURCE0} $RPM_BUILD_ROOT/%{susering}
-install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
-mkdir keys
-cd keys
-$RPM_BUILD_ROOT/usr/lib/rpm/gnupg/dumpsigs $RPM_BUILD_ROOT/%{susering}
-cd ..
-cp -a keys $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
-
-touch $RPM_BUILD_ROOT/%{pubring}
-touch $RPM_BUILD_ROOT/%{pubring}~
+mkdir -p $RPM_BUILD_ROOT%{keydir}
+for i in %sources; do
+    case "$i" in
+        */gpg-pubkey-*.asc)
+        install -m 644 "$i" $RPM_BUILD_ROOT%{keydir}
+        ;;
+    esac
+done
+install -m 755 %{SOURCE100} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg

 %files
 %defattr(644,root,root)
-%attr(755,root,root) %dir /usr/lib/rpm/gnupg
-%attr(755,root,root) /usr/lib/rpm/gnupg/dumpsigs
-/usr/lib/rpm/gnupg/keys
-%config /%{susering}
-%ghost /%{pubring}
-%ghost /%{pubring}~
-
-%post
-if [ ! -f %{pubring} ]; then
-    touch %{pubring}
-fi
-echo -n "importing SuSE build key to rpm keyring... "
-TF=`mktemp /tmp/gpg.XXXXXX`
-if [ -z "$TF" ]; then
-  echo "suse-build-key::post: cannot make temporary file. Fatal error."
-  exit 20
-fi
-if [ -z "$HOME" ]; then
-  HOME=/root
-  export HOME
-fi
-if [ ! -d "$HOME" ]; then
-  mkdir "$HOME"
-fi
-gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true
-# no kidding... gpg won't initialize correctly without being called twice.
-gpg < /dev/null > /dev/null 2>&1 || true
-gpg < /dev/null > /dev/null 2>&1 || true
-gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
-         --keyring %{susering}    --export -a > $TF 
-a="$?"
-gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
-         --keyring %{pubring}   --import < $TF
-b="$?"
-rm -f "$TF"
-if [ "$a" = 0 -a "$b" = 0 ]; then
-    echo "done."
-else
-    echo "importing the key from the file %{susering}"
-    echo "returned an error. This should not happen. It may not be possible"
-    echo "to properly verify the authenticity of rpm packages from SuSE sources."
-    echo "The keyring containing the SuSE rpm package signing key can be found"
-    echo "in the root directory of the first CD (DVD) of your SuSE product."
-    exit -1
-fi
-### import suse package build key to roots gpg keyring
-if test -f root/.gnupg/pubring.gpg ; then
-   chroot . usr/bin/gpg --export --armor --no-default-keyring \
-                   --keyring %{susering} build@suse.de \
-        | chroot . usr/bin/gpg --import || true
-   if ! chroot . usr/bin/gpg --list-keys build@suse.de >/dev/null 2>&1 ; then
-      echo "gpg import for build@suse.de failed, please import manually" >&2
-   fi
-else
-   cp %{susering} root/.gnupg/pubring.gpg
-fi
-chmod 600 root/.gnupg/pubring.gpg
+%doc security_at_suse_de.asc suse_ptf_key.asc
+%attr(755,root,root) %dir %{_prefix}/lib/rpm/gnupg
+%attr(755,root,root) %dir %{keydir}
+%attr(755,root,root) %{_prefix}/lib/rpm/gnupg/dumpsigs
+%{keydir}/gpg-pubkey-50a3dd1c-50f35137.asc
+%{keydir}/gpg-pubkey-39db7c82-510a966b.asc

 %changelog
--- a/suse_ptf_key.asc
+++ b/suse_ptf_key.asc
@ -0,0 +1,26 @@
+6C74CE73B37B98A9 SUSE PTF Signing Key <support@suse.com>
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQGiBEKCDxcRBAC8XEA/xoFsF6c9QHU0aA3JBCQC3Jhpdv1+YzZOHDaSUziQ2ZL8
+12pt5oMg7qE0i5j0+zwL/0TUi4W8tar86a9gxRHzWgSkTiz4H2MvXSy5Qrnu1+Ho
+MCAWMEL4s2JftKVu0XFRuT4nNHVi80JZxRzmF2EBLvtz7jrRHT/N/5A4FwCg+PE1
+wR2NC89ux+VfxoR8UzQu4wUD/2ZBslJyLYE6rpUFYHceSK3gOlPSIlCn3OYlVDY3
+AgYsqYH5gEOHxQeqigukk+tffyHIr5wdzTgTrPeL7v+TpgVHuRRuw7Dl9oi1PyoW
+/PzNPjNSlXQCLUocY/ctCjre+WxjiewDPqmYVYS8Ie2DZMTFJ4w27mazfTJYgcPl
+mmwqA/oDFSaXdRl0csqWi6XvjbUJKSVlDc8IuulB1IRLNk94+xKoDtC2xxp8zEVB
+xBqmbT6pM1k3+KVzGL7oSHl4uMqzOkbRfKgKL/6ahJnLAGJPfPdFeIyGmvWDG915
+TE8oMesJq/MSaohxdJ6dywkhjd19Cbdts02scIfSu5yzMXHCm7QnU1VTRSBQVEYg
+U2lnbmluZyBLZXkgPHN1cHBvcnRAc3VzZS5jb20+iGIEExECACICGwMECwcDAgMV
+AgMDFgIBAh4BAheABQJL4BoaBQkQ4tkDAAoJEGx0znOze5ipiDoAn0YH3g6kFZfO
+BcxASwMft1iuWVT5AKCQFQ1deyNwXvo+eCH/dGpt5nj1d7kBDQRCgg8ZEAQAkwPg
+vF3r+7NNqgJyiW4w5yGXgu5H4Kmd9wXAT6sUOPU+4GRJJep0dUxHgdis2BboBDlO
+YVWE061pua8Ut6mA5Rx0/KOCeTL3SJtXMcknop/4fSLfnPN0/bsbALAN7RtmEJnV
+QXba7C/jY04J2p0wtWfF9Zh2/O0EaPmiVjkakHMAAwUD/0T/fMgYwD1ROk1aB7KW
+0bcro2hYfXCPTZtpZI6qfRbwKr8SQ6wSSWRi+p1hrtY6SBSNqw3mW4K42bPewanI
+KdGc9mDt2ecQK5TAScL6VKwPvR0LK5GXJsYZjm1/uf4dWAfoy5T8jqObjL+uavtd
+RKcJVbquhZwMeAeOqiPaCFMliEwEGBECAAwFAkvgGiYFCRDi2Q0ACgkQbHTOc7N7
+mKndUgCfUmb1pAbgOJ3axZbe9HSwAb/BxlEAoKriKwSDH8XsRPQSp493OfB5UDpP
+=GBuj
+-----END PGP PUBLIC KEY BLOCK-----