From 219c4f81e0df6be90dae7f87b4eae62629ce2130e408489af74780a240576ce0 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Mon, 13 Jan 2014 15:08:11 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/Base:System/suse-build-key?expand=0&rev=13 --- suse-build-key.changes | 24 +++++------ suse-build-key.gpg | Bin 0 -> 4945 bytes suse-build-key.spec | 96 ++++++++++++++++++++++++++++++++--------- 3 files changed, 87 insertions(+), 33 deletions(-) create mode 100644 suse-build-key.gpg diff --git a/suse-build-key.changes b/suse-build-key.changes index 65d7f50..4bca2db 100644 --- a/suse-build-key.changes +++ b/suse-build-key.changes @@ -1,22 +1,22 @@ ------------------------------------------------------------------- -Mon Jan 13 14:54:19 UTC 2014 - meissner@suse.com +Mon Jan 13 15:01:24 UTC 2014 - meissner@suse.com -- temporary readd the old SLE11 1024bit build@suse.de key +- reverted to build SLE12 Alpha2. ------------------------------------------------------------------- Thu Jan 9 12:29:53 UTC 2014 - meissner@suse.com - Merged over logic from openSUSE-build-key. -- Got rid of default importing into roots keyring. -- Removed some old keys. -- Clarify that security@suse.de is a email only key -- PTF key is supplied also as %doc, to not be default - imported. -- Keys currently inside: - - pub 2048R/39DB7C82 SuSE Package Signing Key - - pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key) - - pub 1024D/B37B98A9 SUSE PTF Signing Key - - pub 2048R/3D25D3D9 SuSE Security Team + - Got rid of default importing into roots keyring. + - Removed some old keys. + - Clarify that security@suse.de is a email only key + - PTF key is supplied also as %doc, to not be default + imported. + - Keys currently inside: + - pub 2048R/39DB7C82 SuSE Package Signing Key + - pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key) + - pub 1024D/B37B98A9 SUSE PTF Signing Key + - pub 2048R/3D25D3D9 SuSE Security Team ------------------------------------------------------------------- Thu Jan 31 17:11:08 CET 2013 - ro@suse.de diff --git a/suse-build-key.gpg b/suse-build-key.gpg new file mode 100644 index 0000000000000000000000000000000000000000000000000000000000000000..d152795a49cd4726b6ffa9bae94ecd17df98b8add1bba7612e1b9b8446567590 GIT binary patch literal 4945 zcmb7|WmJ`Iw}p4IN$J{vbazOJl%#ZbcO$jwPD!O334txrf`l|mH;8lyf=Ea=2j1^H z-+9j&k)on70zv?7Llp!^R~{kyN$&UuT z-@bJ`3fuKO+RA6%-rTrd!(0!o9pIIhyGym}W$T!GIt!*{?pq;z=r z(HN6Tc8ky-yR0}lF4YOc*?SQ=6ZQw64rTLOcYmp(c{AG*_K+^&x(SXbZ)4cL+`-Vi zi;7&MWjy`qsrR^zi7}xk@!hp2fBsyMD|0T3kcrWynQX9BUn{HyE`004*zD4;V$)TdfX7&hB1_bF1c z3lK{Rz8KnkI|{cgbci^2(A`$&Co;Efe77YMvNk^d&qygI}VPN*q@+Rq%(Q<|^2Yy=@c&(Gir@43SgSs`eK0YYt5L~HSHDe{o6aE9}r zKryuIW&#W+hzIo)GO+4=)al0B6k{V^_AATIeAu8DPB`yfPGsr!MMKj~vAl`+ZjKbZ zl}+Dd#w10o20c!%M7S!l?yUE0bWzN8Igc)PziUji(xtRV;n4T4$hIXx9B0|*Q;^{! zs7>I@EY6CO*;Mb>=fqdpwszKu?bVp8h}uoSGy2Kz04Q!f{aTfxAS%-^&(I^XoAU3cU68iie`IvF)@U8^Fd^T3}9AG>QZX30Xx<8Gi`}vRml;JyL*wX#@FpU4cL+LD(&`Zou-)G2;?P z`vr4Yoa0oBSsJ`DqGo| zOyFb;da2WZ%I0SnUVP%&zk)6`m>~#SYk3k4pkKTZIqi{wmVOa2ubSnfr8xFvKX!7u z!QLHyrYu`D)qVYV3e#X#C5h;<(GVHBfPG>=&B!U>eAsCk5o@@+C}D(C*fuW z(*Scp0%0kymbas-ZrtUrZa;-#N{Ugv@AJAf>D166OZU!(8e}G-qH0!=#Z0gj!bQ;n zOI&t)FEN6SDa?=welFy%&-632Kq}f}g!#7uMZyPL&KER2MqcO-?G`Nq!NCOqP@tfv zkIlLt3?WZ^9S4B^zF1ikP>_H#bmta#No`S=LR^dRF3=dsZ35)+qd2G|d|k3Ljk2N{ zb&Vz~;en)o=?qA{XHcN=X%|tF!0pKO8$uuucmck98Mz^cmS{o{5%YEiwoaqEAOb`3 zLTc+Jx^ccoVeD*JVQ)`Z-qfF`HRPVZO7PA`zjdq|J~R&bVXpMLri!viG-Gf4;L~}I z+hr*g=fW}Tk!LL%0&Y^v&Z2v^Z*o4!lllwkzU~nzRf%cWwKZ3#cQa|6*yJk0>WiQl5@@-O! zE^ZfcUrAdgL?&U@x^vf`c0Qby2`q#N?Hz~ULIBBs;xDco_E$PnS!jB=wgX6~lD9gF z&DaldN-MpmbFRdWSPEHn9Y_QJq~h{5DB_66gRfv?9i=Ye!d5+QKDoD3e?|}SuNK>qeN&9s zGxP@x35m}u_tqG9tTj0k@1F36VkJ!P_!g`&%-x)j3HN@$dzlrjyeYXtUqfFdGvF$P z9TYaVsC9EkKha;&^a?6y+~<-g_gcW95r7}5ZTF{!8mHQrv}lo!ks%pW9Jw^`meOgcr1sO$rYGno_z zqI}ODho7dBWYF4aNQa+)`YPK3m0WBCmx10Dv0wdA!|m{4rMDl=5neyCL zPB8j_$qPXKi#~QwL&4BAGNfRB(j@KR51V#7K%N+mgO&}UE$Wx|v6IPQx@a+J&8~-5 zYXV_CVDknC6%hVHNu3~y z%+*B^YDnA@BIK$rp5OYSIf!Tcbba2_+#!GEX=6WL(rLtE{$(;^qAKuA&#|033k+z9h zx_32QIZyksLgrwFS6{37_WWnF2!OGST^WgF!fc9hiY)=7Y0A(~rw$%;70G$@>^ZUS z>D&+>Dt!{Vh}VzHr5dwyl>FFjIQGqXETlDQDAqbSJMa~@`II@k(nG^)2w{V5|(R8kBUi5>@a_+W<43aD5g|~Q+HYR zCbm3n*AMl{yl=KKPK0ZTW5u>T96#E=m$$BFBv4=q%uGn^wSCVP5t@GpumqMGwPhlT zcd0UE$dLA`%Q!vex{|((=?ckoZ~Jj(`c8YJB);L-4@1w3r1*Et>e49fQC zPU|-n+Vsp$v?7G$o;%Ekjg0j3Uxcy#ov<&D0eL)peywR4W6^k*r%KcO?PgA3hEYJi zTP;x84`q1-XF4qZRGmOR1b*88K-hyZNrqw*-y2h_p}5$W5J%$DXX2iGwpjfTI?zIf zo!3pE1-~*m{~Ha#r0;L8zu7x&hEeUk<%`WYz7oN>lbVW+X#I%1-mWt3#XZu86f3ix zQ(ABuu{B9H?R{I_;-Vtrl02_7H>odi9)GFUB+AI=X?`TB*Gs-hYzE}Ga^Djkrw|*y zOA;go6rBHg(n%4IG3xwv!{kf2zXl)2Iuv|oEm5oP#vUSEnF=*UJeK>gBCIh%qguMK zNw3K-0779a54i|_9@Ps&zQQO@-Z2TH?yJh77#75@IE&r8OMVBHZ6a{)uHHC}{wT&m zbbUQ6%B!C00b+kaZgIwrF1&Q%Xc6-pELxtS72Zm{8)n(l%NWPMXI&S-qZ`t_k>$t& zz6298qt3*OL)!w=3KW>Mw`p!`e@U8lHql|3$eW@)E0s#xdXuW zh)CV}_mOlwQxjIwht;NyH?kJl>IS$bDrMVQCLjZd4p`dpo>$<>Tbf_ynpMsS%MrxC z$J#Uq{q((Vsk6L~c|7OTbocvD9M+T$`L0XN3hd7m7_6_;8NQGvI0ZG`Qs~0A22-vR zin8O{EA6k0q)O4Wnkyr6Fuh?3NZL764f?W z>DZ$h*xva?4N!nwV}*oK_WqVS#w$%k2p#yS3ak91FR>u1M`{B1iDqmm-!Mx1^>&9n z=X#6kWZRI225o8$`z^aKH1Tk!hBaGW89LG+bf9k)ZO=5a!`RiJ>U@ZEYMt-Mz1?jQ zU(1`nM-`9zZs^xY1s7`;V;*5ErTvXpw9>(7DsRoNg5{I#0T zvn(oN!3}s#qrbeeA)^U-G&9jvh4s|AOKj;|KDa=CO0d0 zD>pAIDhDec=Kq>(V}K%mMOy|a=t0i=fD1)~g^vJGFwju%gD!*+gbIcbfx!Qax(`J& zu9A{cEm|b6+J@bb1LyU!c6&H&^kmy$kCfM+D$gNz9`Aipdu~WWky-ts`#@rxl0Y*_W_v*efBmX>#@p*@28%=|$UDXH#T$jijS>jFTdq1QL_nmKnc?%?d0 z2-PpKkC|RSOmUr3_1&2G^UANeX!o5VnTJPeitbQcgVpk%fjGBf_BA$f*H`OXwI+p8mcar;^Y@4w;^4_(L`J~ zALRF0g|z!$D5{~SIozW-Uy^3vMAc-?8P!7(=kA*6p-#~hgp3!QpmctZh-5i3JaUPwJ(r!C2FkJ3Vl&xYB zbcAH{ejW|@g!RFD`5!3$pPyC!2H%5#{}=dNtMWpG=KVusB2fV!7tWi<5)ux~Jr)R9 zGYxAQsuwzPUcSeIWrSb_`F68?!AJS&%ARM@lmUeQ5p6Mgq;+M~E?-Koc5Hwm*H r!;&AV^c$HJC%ia>X?ci(9$lCzbr&&?&iV||aMEtLzkaUt;Di4Lr*X2^ literal 0 HcmV?d00001 diff --git a/suse-build-key.spec b/suse-build-key.spec index be76624..330d804 100644 --- a/suse-build-key.spec +++ b/suse-build-key.spec @@ -26,16 +26,19 @@ License: GPL-2.0+ Group: System/Packages Version: 12.0 Release: 0 +Source0: suse-build-key.gpg +Source1: dumpsigs + # pub 2048R/39DB7C82 2013-01-31 SuSE Package Signing Key # The main package signing key. -Source0: gpg-pubkey-39db7c82-510a966b.asc +Source2: gpg-pubkey-39db7c82-510a966b.asc # pub 2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) # Fallback key if main key gets lost. -Source1: gpg-pubkey-50a3dd1c-50f35137.asc +Source3: gpg-pubkey-50a3dd1c-50f35137.asc # pub 1024R/307E3D54 2006-03-21 SuSE Package Signing Key -# SLE11 build key, 1024bit.... Will not be used for SLE12, only temporary for building -Source2: gpg-pubkey-307e3d54-4be01a65.asc +# SLE11 build@suse.de key, 1024 bit +Source4: gpg-pubkey-307e3d54-4be01a65.asc # pub 1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key # SUSE supplied PTF (program temporary fixes) are signed by this key. @@ -47,7 +50,6 @@ Source98: suse_ptf_key.asc # Only used for E-Mail encryption and signing to/from security@suse.de. Source99: security_at_suse_de.asc -Source100: dumpsigs BuildRoot: %{_tmppath}/%{name}-%{version}-build BuildArch: noarch %define keydir %{_prefix}/lib/rpm/gnupg/keys @@ -69,24 +71,76 @@ cp %SOURCE99 . %install rm -rf $RPM_BUILD_ROOT -mkdir -p $RPM_BUILD_ROOT%{keydir} -for i in %sources; do - case "$i" in - */gpg-pubkey-*.asc) - install -m 644 "$i" $RPM_BUILD_ROOT%{keydir} - ;; - esac -done -install -m 755 %{SOURCE100} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg +mkdir -p $RPM_BUILD_ROOT/usr/lib/rpm/gnupg +install %{SOURCE0} $RPM_BUILD_ROOT/%{susering} +install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg +mkdir keys +cd keys +$RPM_BUILD_ROOT/usr/lib/rpm/gnupg/dumpsigs $RPM_BUILD_ROOT/%{susering} +cd .. +cp -a keys $RPM_BUILD_ROOT/usr/lib/rpm/gnupg + +touch $RPM_BUILD_ROOT/%{pubring} +touch $RPM_BUILD_ROOT/%{pubring}~ %files %defattr(644,root,root) -%doc security_at_suse_de.asc suse_ptf_key.asc -%attr(755,root,root) %dir %{_prefix}/lib/rpm/gnupg -%attr(755,root,root) %dir %{keydir} -%attr(755,root,root) %{_prefix}/lib/rpm/gnupg/dumpsigs -%{keydir}/gpg-pubkey-50a3dd1c-50f35137.asc -%{keydir}/gpg-pubkey-39db7c82-510a966b.asc -%{keydir}/gpg-pubkey-307e3d54-4be01a65.asc +%attr(755,root,root) %dir /usr/lib/rpm/gnupg +%attr(755,root,root) /usr/lib/rpm/gnupg/dumpsigs +/usr/lib/rpm/gnupg/keys +%config /%{susering} +%ghost /%{pubring} +%ghost /%{pubring}~ + +%post +if [ ! -f %{pubring} ]; then + touch %{pubring} +fi +echo -n "importing SuSE build key to rpm keyring... " +TF=`mktemp /tmp/gpg.XXXXXX` +if [ -z "$TF" ]; then + echo "suse-build-key::post: cannot make temporary file. Fatal error." + exit 20 +fi +if [ -z "$HOME" ]; then + HOME=/root + export HOME +fi +if [ ! -d "$HOME" ]; then + mkdir "$HOME" +fi +gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true +# no kidding... gpg won't initialize correctly without being called twice. +gpg < /dev/null > /dev/null 2>&1 || true +gpg < /dev/null > /dev/null 2>&1 || true +gpg -q --batch --no-options --no-default-keyring --no-permission-warning \ + --keyring %{susering} --export -a > $TF +a="$?" +gpg -q --batch --no-options --no-default-keyring --no-permission-warning \ + --keyring %{pubring} --import < $TF +b="$?" +rm -f "$TF" +if [ "$a" = 0 -a "$b" = 0 ]; then + echo "done." +else + echo "importing the key from the file %{susering}" + echo "returned an error. This should not happen. It may not be possible" + echo "to properly verify the authenticity of rpm packages from SuSE sources." + echo "The keyring containing the SuSE rpm package signing key can be found" + echo "in the root directory of the first CD (DVD) of your SuSE product." + exit -1 +fi +### import suse package build key to roots gpg keyring +if test -f root/.gnupg/pubring.gpg ; then + chroot . usr/bin/gpg --export --armor --no-default-keyring \ + --keyring %{susering} build@suse.de \ + | chroot . usr/bin/gpg --import || true + if ! chroot . usr/bin/gpg --list-keys build@suse.de >/dev/null 2>&1 ; then + echo "gpg import for build@suse.de failed, please import manually" >&2 + fi +else + cp %{susering} root/.gnupg/pubring.gpg +fi +chmod 600 root/.gnupg/pubring.gpg %changelog