From 4f52763dd17139ebc75c4052adc35061459352e56539c9783dffa2a0ff13d302 Mon Sep 17 00:00:00 2001
From: Marcus Meissner
Date: Thu, 9 Jan 2014 13:49:26 +0000
Subject: [PATCH] Accepting request 213302 from home:msmeissn:branches:Base:System
- Merged over logic from openSUSE-build-key.
- Got rid of default importing into roots keyring.
- Removed some old keys.
- Clarify that security@suse.de is a email only key
- PTF key is supplied also as %doc, to not be default imported.
- Keys currently inside:
- pub 2048R/39DB7C82 SuSE Package Signing Key
- pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key)
- pub 1024D/B37B98A9 SUSE PTF Signing Key
- pub 2048R/3D25D3D9 SuSE Security Team
OBS-URL: https://build.opensuse.org/request/show/213302
OBS-URL: https://build.opensuse.org/package/show/Base:System/suse-build-key?expand=0&rev=9
---
 .gitattributes | 2 -
 gpg-pubkey-39db7c82-510a966b.asc | 21 +++++
 gpg-pubkey-50a3dd1c-50f35137.asc | 21 +++++
 security_at_suse_de.asc | 28 +++++++
 suse-build-key.changes | 15 ++++
 suse-build-key.gpg | 3 -
 suse-build-key.spec | 128 +++++++++++-------------------
 suse_ptf_key.asc | 26 +++++++
 8 files changed, 154 insertions(+), 90 deletions(-)
 create mode 100644 gpg-pubkey-39db7c82-510a966b.asc
 create mode 100644 gpg-pubkey-50a3dd1c-50f35137.asc
 create mode 100644 security_at_suse_de.asc
 delete mode 100644 suse-build-key.gpg
 create mode 100644 suse_ptf_key.asc
diff --git a/.gitattributes b/.gitattributes
index 0b5e0d2..9b03811 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -21,5 +21,3 @@
 *.xz filter=lfs diff=lfs merge=lfs -text
 *.zip filter=lfs diff=lfs merge=lfs -text
 *.zst filter=lfs diff=lfs merge=lfs -text
-## Specific LFS patterns
-suse-build-key.gpg filter=lfs diff=lfs merge=lfs -text
diff --git a/gpg-pubkey-39db7c82-510a966b.asc b/gpg-pubkey-39db7c82-510a966b.asc
new file mode 100644
index 0000000..4f30022
--- /dev/null
+++ b/gpg-pubkey-39db7c82-510a966b.asc
@@ -0,0 +1,21 @@
+70AF9E8139DB7C82 SuSE Package Signing Key
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQENBFEKlmsBCADbpZZbbSC5Zi+HxCR/ynYsVxU5JNNiSSZabN5GMgc9Z0hxeXxp
+YWvFoE/4n0+IXIsp83iKvxf06Eu8je/DXp0lMqDZu7WiT3XXAlkOPSNV4akHTDoY
+91SJaZCpgUJ7K1QXOPABNbREsAMN1a7rxBowjNjBUyiTJ2YuvQRLtGdK1kExsVma
+hieh/QxpoDyYd5w/aky3z23erCoEd+OPfAqEHd5tQIa6LOosa63BSCEl3milJ7J9
+vDmoGPAoS6ui7S2R5X4/+PLN8Mm2kOBrFjhmL93LX0mrGCMxsNsKgP6zabYKQEb8
+L028SXvl7EGoA+Vw5Vd3wIGbM73PfbgNrXjfABEBAAG0KFN1U0UgUGFja2FnZSBT
+aWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6JATwEEwECACYFAlEKlmsCGwMFCQeE
+zgAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBwr56BOdt8gomGCAC13Pi60I6O
+8GJ03BQrmVyyJrDcwJxxqw0HmIENf3rDLMYTBuduM3mNm5Fy2Gl2IuWD9mHvckQs
+0xa+A7mAwHXhIXWFCrZWyRH16w93BzjjLGiMMKimE8mg4XcaRL1FJhxGqq7FpLga
+XpQofkw0yFcavuubETpDR3w4qiRVsNKq4RM00pMCpTpJDWamFJm/oOUmBE45Q071
+v9C4oQHPsBNK/yMtlRssel815Xx4lbJIpKAg4BRtyBHWCzH/gVRGhYA8xDs/DEvu
+Z9mswBdniP+K1XSkr+NtxFvtkAy/C2Q2qk3sqpCMOt3MDGTyBgqIoplE/4XRCis9
+d7b1v1zv4/hN
+=sQXd
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/gpg-pubkey-50a3dd1c-50f35137.asc b/gpg-pubkey-50a3dd1c-50f35137.asc
new file mode 100644
index 0000000..2aa6c01
--- /dev/null
+++ b/gpg-pubkey-50a3dd1c-50f35137.asc
@@ -0,0 +1,21 @@
+5EAF444450A3DD1C SuSE Package Signing Key (reserve key)
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQENBFDzUTcBCADQ3p9ch1aR6cBqL+O7UNO+zFNTI5WxLf4tegWP8uuxK5tJTgXO
+tjnwWmWIaijO6yfCtlBu8hD2Zp9sMenDY42yM5/uII0RpszqzqwwK5onnjGcSkWZ
+8jAAn+mtLIJvCLCwTqwEM4mTdTZROtCnttHXZr4GFrqpeAh+SKEWIoMF66N1FSb6
+S0evzYw3ryjbFY0pial9/hqqnsTWCNHzE1Up7qdNIPxDV8UGyUzm70/xMMjJSIkB
+aGpRdhILfZgyH6Ajhm7VCPPzW/BO30RSjHDnyo3hR39jE+KxvdgqTz+AthK5z+p2
+mwQ+ohTAo4dGb0lyZYFpXD7ucEl9w1ygzUe/ABEBAAG0NlN1U0UgUGFja2FnZSBT
+aWduaW5nIEtleSAocmVzZXJ2ZSBrZXkpIDxidWlsZEBzdXNlLmRlPokBPAQTAQIA
+JgUCUPNRNwIbAwUJB4TOAAYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEF6vRERQ
+o90cr+kH/RwB21ma7cQvZ1lHvgcOTuM7Ttqq6x7uuFFDXCIdmbDHv1ocQI5Z3VCb
+/7w+J8ZcBwNcr7i9Qsayu7umCILEOO8pNn/SlJVz6Kr6j6L8oAC3XHbXYrHacwMR
+y9jQPCDqP7WZduRgEW2VWnIoNp6p/DAj724EmfLzURwLG1QKiLnOLtpygzyquk3S
+gPGqgro+hCWX/VWgtBEKd33mgvwCBGjIe86VMvLCgtggyoBWDXYvsQMBO62fnk5w
+Btwum/m8VPhWhcrbUK60ZsHbdwfmsBOKxewf2vIuKUcqJnIYCfsuBgx9xUxiNlGR
+BVJIlG17h0jlRbEuuRez2397vU8Zw08=
+=SfX3
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/security_at_suse_de.asc b/security_at_suse_de.asc
new file mode 100644
index 0000000..5dbc65d
--- /dev/null
+++ b/security_at_suse_de.asc
@@ -0,0 +1,28 @@
+77B2E6003D25D3D9 SuSE Security Team
+
+The block below contains the public key of the SUSE Security team.
+It's used to sign security advisories and other imporant
+announcents concerning the distribution. To be able to verify
+signatures made with that key you need to import this file into your
+keyring using the following command:
+
+gpg --import security_at_suse_de.asc
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.16 (GNU/Linux)
+
+mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
+BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
+JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
+1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
+P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
+cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
+VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
+WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
+hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
+BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
+AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
+RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
+zinsSx2OrWgvSiLEXXYK
+=m7kg
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/suse-build-key.changes b/suse-build-key.changes
index b38c86d..4b4f5c6 100644
--- a/suse-build-key.changes
+++ b/suse-build-key.changes
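Review bot: The explanatory text added at the top of security_at_suse_de.asc tells the reader to run `gpg --import security_at_suse_de.asc` but identifies the key only by the 64-bit ID `77B2E6003D25D3D9`, so nothing in the file lets a user confirm that the key they imported is the intended one. I would add a line after the import command along the lines of `Afterwards compare the output of "gpg --fingerprint security@suse.de" with the fingerprint published by SUSE: <FINGERPRINT-PLACEHOLDER>`. The armor appears to begin with a version-3 key packet, which fits the 1999 creation date given in the spec comment; if that is right, the key ID is not a dependable identifier and current GnuPG releases may refuse the import, which is worth stating in the same paragraph. The words `imporant` and `announcents` in that paragraph are misspelled.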
@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Thu Jan 9 12:29:53 UTC 2014 - meissner@suse.com
+
+- Merged over logic from openSUSE-build-key.
+- Got rid of default importing into roots keyring.
+- Removed some old keys.
+- Clarify that security@suse.de is a email only key
+- PTF key is supplied also as %doc, to not be default
+ imported.
+- Keys currently inside:
+ - pub 2048R/39DB7C82 SuSE Package Signing Key
+ - pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key)
+ - pub 1024D/B37B98A9 SUSE PTF Signing Key
+ - pub 2048R/3D25D3D9 SuSE Security Team
+
 -------------------------------------------------------------------
 Thu Jan 31 17:11:08 CET 2013 - ro@suse.de
diff --git a/suse-build-key.gpg b/suse-build-key.gpg
deleted file mode 100644
index 553a727..0000000
--- a/suse-build-key.gpg
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:59c8d0592205de77964cbda7dbd3b9db9bfd343cbc347fa7756985f7a8a6b7cd
-size 6774
diff --git a/suse-build-key.spec b/suse-build-key.spec
index db81a69..390405d 100644
--- a/suse-build-key.spec
+++ b/suse-build-key.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package suse-build-key
 #
-# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -24,106 +24,64 @@ AutoReqProv: off
 Summary: The public gpg key for rpm package signature verification
 License: GPL-2.0+
 Group: System/Packages
-Version: 1.0
-Release: 907.
-Source0: suse-build-key.gpg
-Source1: dumpsigs
+Version: 12.0
+Release: 0
+# pub 2048R/39DB7C82 2013-01-31 SuSE Package Signing Key
+# The main package signing key.
+Source0: gpg-pubkey-39db7c82-510a966b.asc
+# pub 2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key)
+# Fallback key if main key gets lost.
+Source1: gpg-pubkey-50a3dd1c-50f35137.asc
+
+# pub 1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key
+# SUSE supplied PTF (program temporary fixes) are signed by this key.
+# supplied to be not imported by default
+Source98: suse_ptf_key.asc
+
+# pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team
+# security@suse.de communication key.
+# Only used for E-Mail encryption and signing to/from security@suse.de.
+Source99: security_at_suse_de.asc
+
+Source100: dumpsigs
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildArch: noarch
-%define pubring usr/lib/rpm/gnupg/pubring.gpg
-%define susering usr/lib/rpm/gnupg/suse-build-key.gpg
+%define keydir %{_prefix}/lib/rpm/gnupg/keys
 PreReq: sh-utils gpg fileutils mktemp
 %description
-This package contains the gpg key that is used to sign official SuSE
-rpm packages. It will be installed as a keyring in
-/usr/lib/rpm/gnupg/pubring.gpg. Administrators who wish to add their
-own keys to verify against should use the following commandline command
-to add the key to the keyring as used by RPM:
-
-gpg --no-options --no-default-keyring \ --keyring
-/usr/lib/rpm/gnupg/pubring.gpg --import
+This package contains the gpg keys that are used to sign the
+SUSE rpm packages. The keys installed here are not actually
+used by anything. rpm/zypper use the keys in the rpm db instead.
 %prep
-rm -f foobarnosuchfileordirectory
-#%setup
+%setup -qcT
 %build
+cp %SOURCE98 .
+cp %SOURCE99 .
%install
 rm -rf $RPM_BUILD_ROOT
-mkdir -p $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
-install %{SOURCE0} $RPM_BUILD_ROOT/%{susering}
-install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
-mkdir keys
-cd keys
-$RPM_BUILD_ROOT/usr/lib/rpm/gnupg/dumpsigs $RPM_BUILD_ROOT/%{susering}
-cd ..
-cp -a keys $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
-
-touch $RPM_BUILD_ROOT/%{pubring}
-touch $RPM_BUILD_ROOT/%{pubring}~
+mkdir -p $RPM_BUILD_ROOT%{keydir}
+for i in %sources; do
+ case "$i" in
+ */gpg-pubkey-*.asc)
+ install -m 644 "$i" $RPM_BUILD_ROOT%{keydir}
+ ;;
+ esac
+done
+install -m 755 %{SOURCE100} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
 %files
 %defattr(644,root,root)
-%attr(755,root,root) %dir /usr/lib/rpm/gnupg
-%attr(755,root,root) /usr/lib/rpm/gnupg/dumpsigs
-/usr/lib/rpm/gnupg/keys
-%config /%{susering}
-%ghost /%{pubring}
-%ghost /%{pubring}~
-
-%post
-if [ ! -f %{pubring} ]; then
- touch %{pubring}
-fi
-echo -n "importing SuSE build key to rpm keyring... "
-TF=`mktemp /tmp/gpg.XXXXXX`
-if [ -z "$TF" ]; then
- echo "suse-build-key::post: cannot make temporary file. Fatal error."
- exit 20
-fi
-if [ -z "$HOME" ]; then
- HOME=/root
- export HOME
-fi
-if [ ! -d "$HOME" ]; then
- mkdir "$HOME"
-fi
-gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true
-# no kidding... gpg won't initialize correctly without being called twice.
-gpg < /dev/null > /dev/null 2>&1 || true
-gpg < /dev/null > /dev/null 2>&1 || true
-gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
- --keyring %{susering} --export -a > $TF
-a="$?"
-gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
- --keyring %{pubring} --import < $TF
-b="$?"
-rm -f "$TF"
-if [ "$a" = 0 -a "$b" = 0 ]; then
- echo "done."
-else
- echo "importing the key from the file %{susering}"
- echo "returned an error. This should not happen. It may not be possible"
- echo "to properly verify the authenticity of rpm packages from SuSE sources."
- echo "The keyring containing the SuSE rpm package signing key can be found"
- echo "in the root directory of the first CD (DVD) of your SuSE product."
- exit -1
-fi
-### import suse package build key to roots gpg keyring
-if test -f root/.gnupg/pubring.gpg ; then
- chroot . usr/bin/gpg --export --armor --no-default-keyring \
- --keyring %{susering} build@suse.de \
- | chroot . usr/bin/gpg --import || true
- if ! chroot . usr/bin/gpg --list-keys build@suse.de >/dev/null 2>&1 ; then
- echo "gpg import for build@suse.de failed, please import manually" >&2
- fi
-else
- cp %{susering} root/.gnupg/pubring.gpg
-fi
-chmod 600 root/.gnupg/pubring.gpg
+%doc security_at_suse_de.asc suse_ptf_key.asc
+%attr(755,root,root) %dir %{_prefix}/lib/rpm/gnupg
+%attr(755,root,root) %dir %{keydir}
+%attr(755,root,root) %{_prefix}/lib/rpm/gnupg/dumpsigs
+%{keydir}/gpg-pubkey-50a3dd1c-50f35137.asc
+%{keydir}/gpg-pubkey-39db7c82-510a966b.asc
 %changelog
diff --git a/suse_ptf_key.asc b/suse_ptf_key.asc
new file mode 100644
index 0000000..4ab0e50
--- /dev/null
+++ b/suse_ptf_key.asc
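Review bot: `PreReq: sh-utils gpg fileutils mktemp` is left in place as context in suse-build-key.spec although this hunk deletes the whole `%post` scriptlet, which was the only visible user of `gpg` and `mktemp`; with no scriptlet left the tag looks stale and pulls gpg in before install for no reason, so I would drop it (or turn it into a plain `Requires:` if dumpsigs needs those tools at run time). In `%install`, `install -m 755 %{SOURCE100} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg` still hard-codes `/usr` while `keydir` and `%files` now use `%{_prefix}`; `install -m 755 %{SOURCE100} $RPM_BUILD_ROOT%{_prefix}/lib/rpm/gnupg` keeps the two in step. The new `%description` says the installed keys are not used by anything, so a comment above `%install` such as `# Keys are only shipped as files here; trust is established by an explicit import into the rpm db, not by this package.` would record that the removal of the automatic import is intentional.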
@@ -0,0 +1,26 @@
+6C74CE73B37B98A9 SUSE PTF Signing Key
+
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.19 (GNU/Linux)
+
+mQGiBEKCDxcRBAC8XEA/xoFsF6c9QHU0aA3JBCQC3Jhpdv1+YzZOHDaSUziQ2ZL8
+12pt5oMg7qE0i5j0+zwL/0TUi4W8tar86a9gxRHzWgSkTiz4H2MvXSy5Qrnu1+Ho
+MCAWMEL4s2JftKVu0XFRuT4nNHVi80JZxRzmF2EBLvtz7jrRHT/N/5A4FwCg+PE1
+wR2NC89ux+VfxoR8UzQu4wUD/2ZBslJyLYE6rpUFYHceSK3gOlPSIlCn3OYlVDY3
+AgYsqYH5gEOHxQeqigukk+tffyHIr5wdzTgTrPeL7v+TpgVHuRRuw7Dl9oi1PyoW
+/PzNPjNSlXQCLUocY/ctCjre+WxjiewDPqmYVYS8Ie2DZMTFJ4w27mazfTJYgcPl
+mmwqA/oDFSaXdRl0csqWi6XvjbUJKSVlDc8IuulB1IRLNk94+xKoDtC2xxp8zEVB
+xBqmbT6pM1k3+KVzGL7oSHl4uMqzOkbRfKgKL/6ahJnLAGJPfPdFeIyGmvWDG915
+TE8oMesJq/MSaohxdJ6dywkhjd19Cbdts02scIfSu5yzMXHCm7QnU1VTRSBQVEYg
+U2lnbmluZyBLZXkgPHN1cHBvcnRAc3VzZS5jb20+iGIEExECACICGwMECwcDAgMV
+AgMDFgIBAh4BAheABQJL4BoaBQkQ4tkDAAoJEGx0znOze5ipiDoAn0YH3g6kFZfO
+BcxASwMft1iuWVT5AKCQFQ1deyNwXvo+eCH/dGpt5nj1d7kBDQRCgg8ZEAQAkwPg
+vF3r+7NNqgJyiW4w5yGXgu5H4Kmd9wXAT6sUOPU+4GRJJep0dUxHgdis2BboBDlO
+YVWE061pua8Ut6mA5Rx0/KOCeTL3SJtXMcknop/4fSLfnPN0/bsbALAN7RtmEJnV
+QXba7C/jY04J2p0wtWfF9Zh2/O0EaPmiVjkakHMAAwUD/0T/fMgYwD1ROk1aB7KW
+0bcro2hYfXCPTZtpZI6qfRbwKr8SQ6wSSWRi+p1hrtY6SBSNqw3mW4K42bPewanI
+KdGc9mDt2ecQK5TAScL6VKwPvR0LK5GXJsYZjm1/uf4dWAfoy5T8jqObjL+uavtd
+RKcJVbquhZwMeAeOqiPaCFMliEwEGBECAAwFAkvgGiYFCRDi2Q0ACgkQbHTOc7N7
+mKndUgCfUmb1pAbgOJ3axZbe9HSwAb/BxlEAoKriKwSDH8XsRPQSp493OfB5UDpP
+=GBuj
+-----END PGP PUBLIC KEY BLOCK-----
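Review bot: suse_ptf_key.asc carries only the 64-bit key ID line above the armor, while the facts an administrator needs before trusting it (a `1024D` key from 2005, deliberately not imported by default) are recorded only in the spec comment and the changelog. Because the file is installed through `%doc`, I would put a short header in the file itself, for example `Signing key for SUSE PTF (program temporary fix) packages only. Not trusted by default; verify the fingerprint with SUSE support before importing.` A 1024-bit DSA key is below what is generally recommended for signing today, so the changelog entry could also say whether a stronger replacement is planned.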