diff --git a/suse-build-key.changes b/suse-build-key.changes index 65d7f50..4bca2db 100644 --- a/suse-build-key.changes +++ b/suse-build-key.changes @@ -1,22 +1,22 @@ ------------------------------------------------------------------- -Mon Jan 13 14:54:19 UTC 2014 - meissner@suse.com +Mon Jan 13 15:01:24 UTC 2014 - meissner@suse.com -- temporary readd the old SLE11 1024bit build@suse.de key +- reverted to build SLE12 Alpha2. ------------------------------------------------------------------- Thu Jan 9 12:29:53 UTC 2014 - meissner@suse.com - Merged over logic from openSUSE-build-key. -- Got rid of default importing into roots keyring. -- Removed some old keys. -- Clarify that security@suse.de is a email only key -- PTF key is supplied also as %doc, to not be default - imported. -- Keys currently inside: - - pub 2048R/39DB7C82 SuSE Package Signing Key - - pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key) - - pub 1024D/B37B98A9 SUSE PTF Signing Key - - pub 2048R/3D25D3D9 SuSE Security Team + - Got rid of default importing into roots keyring. + - Removed some old keys. + - Clarify that security@suse.de is a email only key + - PTF key is supplied also as %doc, to not be default + imported. + - Keys currently inside: + - pub 2048R/39DB7C82 SuSE Package Signing Key + - pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key) + - pub 1024D/B37B98A9 SUSE PTF Signing Key + - pub 2048R/3D25D3D9 SuSE Security Team ------------------------------------------------------------------- Thu Jan 31 17:11:08 CET 2013 - ro@suse.de diff --git a/suse-build-key.gpg b/suse-build-key.gpg new file mode 100644 index 0000000..d152795 Binary files /dev/null and b/suse-build-key.gpg differ diff --git a/suse-build-key.spec b/suse-build-key.spec index be76624..330d804 100644 --- a/suse-build-key.spec +++ b/suse-build-key.spec @@ -26,16 +26,19 @@ License: GPL-2.0+ Group: System/Packages Version: 12.0 Release: 0 +Source0: suse-build-key.gpg +Source1: dumpsigs + # pub 2048R/39DB7C82 2013-01-31 SuSE Package Signing Key # The main package signing key. -Source0: gpg-pubkey-39db7c82-510a966b.asc +Source2: gpg-pubkey-39db7c82-510a966b.asc # pub 2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) # Fallback key if main key gets lost. -Source1: gpg-pubkey-50a3dd1c-50f35137.asc +Source3: gpg-pubkey-50a3dd1c-50f35137.asc # pub 1024R/307E3D54 2006-03-21 SuSE Package Signing Key -# SLE11 build key, 1024bit.... Will not be used for SLE12, only temporary for building -Source2: gpg-pubkey-307e3d54-4be01a65.asc +# SLE11 build@suse.de key, 1024 bit +Source4: gpg-pubkey-307e3d54-4be01a65.asc # pub 1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key # SUSE supplied PTF (program temporary fixes) are signed by this key. @@ -47,7 +50,6 @@ Source98: suse_ptf_key.asc # Only used for E-Mail encryption and signing to/from security@suse.de. Source99: security_at_suse_de.asc -Source100: dumpsigs BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch %define keydir %{_prefix}/lib/rpm/gnupg/keys @@ -69,24 +71,76 @@ cp %SOURCE99 . %install rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT%{keydir} -for i in %sources; do - case "$i" in - */gpg-pubkey-*.asc) - install -m 644 "$i" $RPM_BUILD_ROOT%{keydir} - ;; - esac -done -install -m 755 %{SOURCE100} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg +mkdir -p $RPM_BUILD_ROOT/usr/lib/rpm/gnupg +install %{SOURCE0} $RPM_BUILD_ROOT/%{susering} +install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg +mkdir keys +cd keys +$RPM_BUILD_ROOT/usr/lib/rpm/gnupg/dumpsigs $RPM_BUILD_ROOT/%{susering} +cd .. +cp -a keys $RPM_BUILD_ROOT/usr/lib/rpm/gnupg + +touch $RPM_BUILD_ROOT/%{pubring} +touch $RPM_BUILD_ROOT/%{pubring}~ %files %defattr(644,root,root) -%doc security_at_suse_de.asc suse_ptf_key.asc -%attr(755,root,root) %dir %{_prefix}/lib/rpm/gnupg -%attr(755,root,root) %dir %{keydir} -%attr(755,root,root) %{_prefix}/lib/rpm/gnupg/dumpsigs -%{keydir}/gpg-pubkey-50a3dd1c-50f35137.asc -%{keydir}/gpg-pubkey-39db7c82-510a966b.asc -%{keydir}/gpg-pubkey-307e3d54-4be01a65.asc +%attr(755,root,root) %dir /usr/lib/rpm/gnupg +%attr(755,root,root) /usr/lib/rpm/gnupg/dumpsigs +/usr/lib/rpm/gnupg/keys +%config /%{susering} +%ghost /%{pubring} +%ghost /%{pubring}~ + +%post +if [ ! -f %{pubring} ]; then + touch %{pubring} +fi +echo -n "importing SuSE build key to rpm keyring... " +TF=`mktemp /tmp/gpg.XXXXXX` +if [ -z "$TF" ]; then + echo "suse-build-key::post: cannot make temporary file. Fatal error." + exit 20 +fi +if [ -z "$HOME" ]; then + HOME=/root + export HOME +fi +if [ ! -d "$HOME" ]; then + mkdir "$HOME" +fi +gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true +# no kidding... gpg won't initialize correctly without being called twice. +gpg < /dev/null > /dev/null 2>&1 || true +gpg < /dev/null > /dev/null 2>&1 || true +gpg -q --batch --no-options --no-default-keyring --no-permission-warning \ + --keyring %{susering} --export -a > $TF +a="$?" +gpg -q --batch --no-options --no-default-keyring --no-permission-warning \ + --keyring %{pubring} --import < $TF +b="$?" +rm -f "$TF" +if [ "$a" = 0 -a "$b" = 0 ]; then + echo "done." +else + echo "importing the key from the file %{susering}" + echo "returned an error. This should not happen. It may not be possible" + echo "to properly verify the authenticity of rpm packages from SuSE sources." + echo "The keyring containing the SuSE rpm package signing key can be found" + echo "in the root directory of the first CD (DVD) of your SuSE product." + exit -1 +fi +### import suse package build key to roots gpg keyring +if test -f root/.gnupg/pubring.gpg ; then + chroot . usr/bin/gpg --export --armor --no-default-keyring \ + --keyring %{susering} build@suse.de \ + | chroot . usr/bin/gpg --import || true + if ! chroot . usr/bin/gpg --list-keys build@suse.de >/dev/null 2>&1 ; then + echo "gpg import for build@suse.de failed, please import manually" >&2 + fi +else + cp %{susering} root/.gnupg/pubring.gpg +fi +chmod 600 root/.gnupg/pubring.gpg %changelog