Accepting request 518537 from home:msmeissn:branches:Base:System

- extend the build@suse.de product key. (bsc#1014151) pub 2048R/39DB7C82 2013-01-31 [expires: 2020-12-06] uid SuSE Package Signing Key <build@suse.de> - use dumpsigs script from openSUSE to merge code - renamed security_at_suse_de.asc to security_at_suse_de_old.asc - security_at_suse_de.asc: new 4096 bit RSA key. pub 4096R/317CD502 2014-10-02 SUSE Security Team <security@suse.de> bnc#899509 - create suse-build-key.gpg during build. - Remove old keys from keyring. (fate#314767) Keys currently inside the RPM trusted keyring: - pub 2048R/39DB7C82 SuSE Package Signing Key <build@suse.de> - pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de> - Various keys are moved to the documentation area (/usr/share/doc/packages/suse-build-key) - build-at-suse-sle11.asc: the old SUSE Linux Enterprise 11 key. if SUSE Linux Enterprise 11 packages need to be verified on a SUSE Linux Enterprise 12 system. - suse_ptf_key.asc: The suse ptf key. For verification of provided PTFs. - security_at_suse_de.asc: Use only for email encryption and verification purposes when contacting our security contact address security@suse.de OBS-URL: https://build.opensuse.org/request/show/518537 OBS-URL: https://build.opensuse.org/package/show/Base:System/suse-build-key?expand=0&rev=26
2017-08-24 13:29:11 +00:00 · 2017-08-24 13:29:11 +00:00 · 37fe7037e6
commit 37fe7037e6
parent 0969aeea70
6 changed files with 175 additions and 53 deletions
--- a/66
+++ b/66
@ -1,21 +1,50 @@
-#!/usr/bin/perl
+#!/usr/bin/perl -w
 # dump all keys contained in the keyring specified as argument
-my $keyring='';
+use strict;
-$keyring="--no-default-keyring --keyring=$ARGV[0]" if $ARGV[0] ne '';
+my @keyring;
 die "must specify keyring\n" unless @ARGV;
 my $file =  shift @ARGV;
 unless ($file =~ /^\//) {
 	use Cwd qw/abs_path/;
 	$file = abs_path($file);
 }
 # XXX: workaround for colons in obs project names o_O
 if ($file =~ /:/) {
 	use File::Temp qw/tempdir/;
 	my $tmpdir = tempdir( CLEANUP => 1);
 	my $nn = $file;
 	$nn =~ s/.*\///;
 	$nn = $tmpdir.'/'.$nn;
 	symlink($file, $nn) or die "failed to symlink: $!\n";
 	$file = $nn;
 }
@keyring = ('--no-default-keyring', '--keyring='.$file);
 my @line;
 my $ver;
 my $rel;
 my $name;
 my %names;
-open(GPG, "gpg $keyring --no-secmem-warning --list-sigs --list-options show-keyring --fixed-list-mode --with-colons |");
+my @cmd = qw/--no-secmem-warning --no-options --list-sigs --list-options show-keyring --fixed-list-mode --with-colons/;
 unshift @cmd, @keyring;
 unshift @cmd, 'gpg';
 #print join(' ', @cmd), "\n";
 open(GPG, '-|', @cmd);
 while (<GPG>) {
  chomp;
  next unless /^pub:/;
  @line = split(':', $_);
  my $id = $line[4];
  $_ = <GPG>;
  $_ = <GPG> if /^fpr:/;
  chomp;
  next unless /^uid:/;
  @line = split(':', $_);
@ -23,7 +52,7 @@ while (<GPG>) {
  while (1) {
    $_ = <GPG>;
    chomp;
-    die unless /^sig:/;
+    next unless /^sig:/;
    @line = split(':', $_);
    next if $line[4] ne $id;
    $ver = lc($id);
@ -31,12 +60,33 @@ while (<GPG>) {
    $rel = sprintf("%08x", $line[5]);
    last;
  }
-  $names{"gpg-pubkey-$ver-$rel"} = $id;
+  $names{"gpg-pubkey-$ver-$rel"} = [ $id, $name ];
 }
 close GPG;
 my $n;
 for $n (sort keys %names) {
-  print "writing $n.asc\n";
+  @cmd = qw/--no-options --no-secmem-warning --export-options export-minimal --export -a/;
-  system("gpg $keyring --no-secmem-warning --export -a '$names{$n}' >$n.asc");
+  push  @cmd, $names{$n}[0];
  unshift @cmd, @keyring;
  unshift @cmd, 'gpg';
  my $fn = $n.".asc";
  unless (open(O, '>', $fn)) {
 	  warn "failed to open $fn: $!";
 	  next;
  }
  printf O "%s %s\n\n", $names{$n}[0], $names{$n}[1];
  print "writing $fn\n";
  #print join(' ', @cmd), "\n";
  unless (open(GPG, '-|', @cmd)) {
 	  warn "failed to exec gpg: $!";
 	  close O;
 	  unlink $fn;
 	  next;
  }
  while(<GPG>) {
 	  print O;
  }
  close GPG;
  close O;
 }
--- a/gpg-pubkey-39db7c82-510a966b.asc
+++ b/gpg-pubkey-39db7c82-510a966b.asc
@ -1,21 +0,0 @@
 70AF9E8139DB7C82 SuSE Package Signing Key <build@suse.de>
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2.0.19 (GNU/Linux)
 mQENBFEKlmsBCADbpZZbbSC5Zi+HxCR/ynYsVxU5JNNiSSZabN5GMgc9Z0hxeXxp
 YWvFoE/4n0+IXIsp83iKvxf06Eu8je/DXp0lMqDZu7WiT3XXAlkOPSNV4akHTDoY
 91SJaZCpgUJ7K1QXOPABNbREsAMN1a7rxBowjNjBUyiTJ2YuvQRLtGdK1kExsVma
 hieh/QxpoDyYd5w/aky3z23erCoEd+OPfAqEHd5tQIa6LOosa63BSCEl3milJ7J9
 vDmoGPAoS6ui7S2R5X4/+PLN8Mm2kOBrFjhmL93LX0mrGCMxsNsKgP6zabYKQEb8
 L028SXvl7EGoA+Vw5Vd3wIGbM73PfbgNrXjfABEBAAG0KFN1U0UgUGFja2FnZSBT
 aWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6JATwEEwECACYFAlEKlmsCGwMFCQeE
 zgAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBwr56BOdt8gomGCAC13Pi60I6O
 8GJ03BQrmVyyJrDcwJxxqw0HmIENf3rDLMYTBuduM3mNm5Fy2Gl2IuWD9mHvckQs
 0xa+A7mAwHXhIXWFCrZWyRH16w93BzjjLGiMMKimE8mg4XcaRL1FJhxGqq7FpLga
 XpQofkw0yFcavuubETpDR3w4qiRVsNKq4RM00pMCpTpJDWamFJm/oOUmBE45Q071
 v9C4oQHPsBNK/yMtlRssel815Xx4lbJIpKAg4BRtyBHWCzH/gVRGhYA8xDs/DEvu
 Z9mswBdniP+K1XSkr+NtxFvtkAy/C2Q2qk3sqpCMOt3MDGTyBgqIoplE/4XRCis9
 d7b1v1zv4/hN
 =sQXd
 -----END PGP PUBLIC KEY BLOCK-----
--- a/gpg-pubkey-39db7c82-5847eb1f.asc
+++ b/gpg-pubkey-39db7c82-5847eb1f.asc
@ -0,0 +1,19 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2.0.15 (GNU/Linux)
 mQENBFEKlmsBCADbpZZbbSC5Zi+HxCR/ynYsVxU5JNNiSSZabN5GMgc9Z0hxeXxp
 YWvFoE/4n0+IXIsp83iKvxf06Eu8je/DXp0lMqDZu7WiT3XXAlkOPSNV4akHTDoY
 91SJaZCpgUJ7K1QXOPABNbREsAMN1a7rxBowjNjBUyiTJ2YuvQRLtGdK1kExsVma
 hieh/QxpoDyYd5w/aky3z23erCoEd+OPfAqEHd5tQIa6LOosa63BSCEl3milJ7J9
 vDmoGPAoS6ui7S2R5X4/+PLN8Mm2kOBrFjhmL93LX0mrGCMxsNsKgP6zabYKQEb8
 L028SXvl7EGoA+Vw5Vd3wIGbM73PfbgNrXjfABEBAAG0KFN1U0UgUGFja2FnZSBT
 aWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6JATwEEwECACYCGwMGCwkIBwMCBBUC
 CAMEFgIDAQIeAQIXgAUCWEfrHwUJDsIitAAKCRBwr56BOdt8gpqUB/wPSSS5BcDu
 Oi4n02cj4Hdt7WITKBjjo0lG1fXG1ppx1wOST+s8FertMVFY53TW6FGjcYtwVOIq
 rsMYiV6kf1NxUV/jcAy7VmC5EZnO0R/D3sT4Oh5hsLtERauZolK5BZmd0S51Qa8e
 TxZ5mX9PL2i3s/ShETc30drf83ugc7B4yZPNQWXNDPgGcC+hEeC5qw48RzHYIpUt
 RzHmefR5Z3ioTUbDlzy+SGP2uA7mhR4Lfk/df5fYxWfCoKlyGjtrvA65cB+Pksyn
 xrAeBuB+vBM+KnDrxW2Sn4AbWkzH//dfz9OJDJu4UM91hb7qxM0OkrXHQV3iNqzg
 MDEhky/9NqMy
 =GdP5
 -----END PGP PUBLIC KEY BLOCK-----
--- a/security_at_suse_de.asc
+++ b/security_at_suse_de.asc
@ -1,5 +1,3 @@
 77B2E6003D25D3D9 SuSE Security Team <security@suse.de>
 The block below contains the public key of the SUSE Security team.
 It's used to sign security advisories and other imporant
 announcents concerning the distribution. To be able to verify
@ -7,22 +5,55 @@ signatures made with that key you need to import this file into your
 keyring using the following command:
 gpg --import security_at_suse_de.asc
 -----BEGIN PGP PUBLIC KEY BLOCK-----
-Version: GnuPG v2.0.16 (GNU/Linux)
+Version: GnuPG v2
-mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
+mQINBFQtF/8BEAC682QMnBjVnGNGo8PcdoGgqQcfdtaBMFhpIfFp0dTdcW7vMwJV
-BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
+PDV1TzOvtAlMSsUo6I+sIYG0PAnc51xh/xOAXzKrz0Qd0MEGVsT98yHB6W3XGRuX
-JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
+f88FycgIzH03En92yZdBUTV1g3nBM3FFuwjT78quRCzpIMdHtEg4VFFam90TbrLU
-1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
+F5ApHNqQf3yqbb6ddG5pdwB1pMoG7Zz4XaK/v0D20U8OxjrWTsbDRgWarIWwoGD4
-P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
+VhYqC891fHeoVKmYRYsrTJXqdCoArp/eofGHG/zhVA+MEHsNvPBhW+YxxpNO7MI1
-cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
+VjwIKFfO9jl3H3m4yOJ3BOaSpxCDb3LwKdSGCYvrCmGhsJpOyG33t/nwzhsN3R3D
-VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
+OBg3YQQ17rZqcF9H89UauFaRDS1VxD/3GSCpmCAt39NW2EHaTOllcxwGkd61spoB
-WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
+Q+g10kmiUa1DxWiN0lQnFDdpu8E8SaOnaRKjQy9KDFLxc9GCZXzOceP8wUjWBeKi
-hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
+yAVesw562vRS+anpqbxeF1qzYJ78OVzjfFbdkxRecy4HbyaMt31YIPflSeEHrUa3
-BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
+Zrl8cXmJvcNZRbGeva++gCmzjYPpFSs9bAVWuFqY0UT3PbLYruYhyYyGv1x5Kwvb
-AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
+TYWqLsQmHQxGp61zI97YbAz/XzLeAFrvzW2BnsEeLNXJG0lBShjalHLzqwARAQAB
-RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
+tCVTVVNFIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QHN1c2UuZGU+iQI5BBMBAgAj
-zinsSx2OrWgvSiLEXXYK
+BQJULRf/AhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQWPxYsTF81QL5
-=m7kg
+WA//cU8pptQ5ZwfI4edi2faNgU4qBF1mJQcchXVyQFcbdHpwNsHkqYFqVK98LwBJ
 3sQUUVwUFdt7uauLtPMYONDeroy95DXhwvjsD891adOzehhAn3DTFUYYTPgs/x1b
 UoXe5LShjinGi95HRjs5LpKyHn67pr91zbMDA0dhHku9mkD2kg8erTjtLlutCgRd
 l25/AUsWi5qG2IZ1GK/GmmpnerD5R5jVc+MLJPW37pSUfS/BdmbK4XmZylpHF53a
 hsUlG6wQM7H1OTyCYWA71jJ5ydeBSlrW6Jt4skM0Lipcr2rmLz/CVI/R0CTADyeI
 41mOSmKOXQnlM0A3BGhLPb4JZFSOu9r+LvRq8u9sMICFqL7OEhjSHQqQ3Oe4sQWG
 vJY1IcP3UW1byG/8MhBTp/16Wxd0Nv44JE4WS2VFVopaso7jmrnv/0JS7b4WwgE8
 OLi3Et4OpeXZEOY9LAYOQc1fdl+leh5qk7TkgNwAn69wdZYXXB3rS1Q6VxMFLyin
 xaepwIlx0jsoG608dT03kv9EUx/hwvZrwnDyeoPtB1+HRXw1o6p/zU8B3r5fqes8
 Ah28Q1sD9c0ojH1gWcodQrhfkqLubgRJHUTTzO4KBwtTqBstcIR1kamOyA4oDbwK
 tT0KsnU9DtJgqGkw0/nlOOgVXvsKWFXgZj4BcHct+tIO4ce5Ag0EVC0X/wEQAMjU
 PGzcmaH8TZ3JExvUiK8zXW5pwnYVyxyMkdn8lWMmPdLI7ljj2OIqzXoYuT4nNmRZ
 +zq4ucpd8DwAwim/cfi3bs/xqMNKkC1AybZW/KiEDTHll9Gc0cSa4DBQjdKjm839
 86kz0nzXxWXvBCqEyVVI1YoDAHTcAvMHkOZKc33kv6PS73Gymm78Em1ychx2u6UF
 cQ248QFWXOPXsRaLVmNicuD/rEPcaKr8FomYYtqiGr88sv06FF0EdIa1aXqPVQU1
 IxqH3pAn6oQ2aZUe5jzydhMzhiYGfZtO+ePxE7mi2Vr/m3iurVfhusqc69Cxfd4Z
 fCReSAQFbJ7Vf58c+rRbIp3NkZaID8Fo9jINC9ogNPDxVLbCSmxTnDpR9IdGi9oZ
 VwgcWdQ9rbspOClntbE6GonA++OTEkMOTOFEgGfd7CEuEAAxYc3uchhlSN+LfQja
 B24UgGKHP5QEvjclBOKjDWMfsOwyqdDBkGb0rHCE3ohUnA6QQpz+zSmF0oXmGwAQ
 Jj3YhT/4Z/VapIjlMu9ZaPoT8dGUaDCUeJa4Kbg2krzMolKDNoZeWL5uOJk64+XU
 5JsYBofMrQt3Esv+YGyhD2krYcs/7jaj+BLaJu4+asvXe9pAQTdGCNMoO/qiPsJ6
 gZLnHUjuxMF2eNvFqrYHXCILFFRDYCSiW1RfhPVJABEBAAGJAh8EGAECAAkFAlQt
 F/8CGwwACgkQWPxYsTF81QJVJBAAnuE49ccyVXA3uWquzleHx1ioyVPuYKeE1Lzw
 ibzdnrOPEYVMyNJbr3AcRofH4++KE5AdV9CUYYsP7pbix5hUcG0UdtT10QxAks/Z
 e2k7gTXS3Fgu8q5+q4diDhh1GtiUKX+lsyN4MA6HhzPzACIy7Iy2LlRLV1oqYEMs
 UPF2yEA+04r/UJAhKLshE0evA6Kkkq4MXvPcPxbyhZx+1S6/++dS81I+6+EEGyzM
 +8GFn50Op84ULS/eSjVusnha/HVz5mulatWw1yV8hdVyKVqDT/GPOcJ3+MnWHIva
 7NU3RvySgie7ouxM3M5U1GO/bfL7wmAJvJ2mPhoGoSJ6ir5uhMV1CRvMxDVEqomm
 ozxxDGJZ4O8dfpfs9vKIhqeEi9Pk4ZtFIHBEbHiRf1TCpeV13kh9eGpbnSCjTZvD
 HcjR78kQM76XH1JPCH72AhPbePOrI/OmHvvrVyQRN24cXvAzK8L4a2c0FqbrivwX
 7bFHjZcfsjujYQb1QCF9zomtDXQAkWhts0I+tQcegUfQrrUlGFAMuwO/Lts6KL7G
 vyd7dmv07xkbnlwJih4CIKvbImi93fRFMu763QzDhiAQcUohTROoQjZKoJRsRTn8
 czy7l6bFqw5kBgGh0XxyWzdIDIZfyfmb2q6cdEeeajP8g92Hknarmy7UXX7a8eMa
 WzjAfBA=
 =zsa2
 -----END PGP PUBLIC KEY BLOCK-----
--- a/suse-build-key.changes
+++ b/suse-build-key.changes
@ -1,3 +1,24 @@
 -------------------------------------------------------------------
 Wed Dec  7 16:35:05 UTC 2016 - meissner@suse.com
 - extend the build@suse.de product key. (bsc#1014151)
  pub  2048R/39DB7C82 2013-01-31 [expires: 2020-12-06]
  uid                            SuSE Package Signing Key <build@suse.de>
 -------------------------------------------------------------------
 Tue Nov 29 12:54:46 CET 2016 - ro@suse.de
 - use dumpsigs script from openSUSE to merge code 
 -------------------------------------------------------------------
 Thu Oct  2 12:45:05 UTC 2014 - meissner@suse.com
 - renamed security_at_suse_de.asc to security_at_suse_de_old.asc
 - security_at_suse_de.asc: new 4096 bit RSA key.
  pub  4096R/317CD502 2014-10-02 SUSE Security Team <security@suse.de>
  bnc#899509
 -------------------------------------------------------------------
 Fri Aug 29 08:28:03 UTC 2014 - meissner@suse.com
@ -5,6 +26,24 @@ Fri Aug 29 08:28:03 UTC 2014 - meissner@suse.com
  - suse-build-key.gpg blob dropped
  - ship seperate files
 -------------------------------------------------------------------
 Mon Feb 10 09:57:50 UTC 2014 - meissner@suse.com
 - create suse-build-key.gpg during build.
 - Remove old keys from keyring. (fate#314767)
  Keys currently inside the RPM trusted keyring:
  - pub  2048R/39DB7C82 SuSE Package Signing Key <build@suse.de>
  - pub  2048R/50A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de>
 - Various keys are moved to the documentation area
  (/usr/share/doc/packages/suse-build-key)
  - build-at-suse-sle11.asc: the old SUSE Linux Enterprise 11 key.
    if SUSE Linux Enterprise 11 packages need to be verified on
    a SUSE Linux Enterprise 12 system.
  - suse_ptf_key.asc: The suse ptf key. For verification of provided PTFs.
  - security_at_suse_de.asc: Use only for email encryption and
    verification purposes when contacting our security contact address
    security@suse.de
 -------------------------------------------------------------------
 Mon Jan 13 15:01:24 UTC 2014 - meissner@suse.com
--- a/suse-build-key.spec
+++ b/suse-build-key.spec
@ -1,7 +1,7 @@
 #
 # spec file for package suse-build-key
 #
-# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@ -26,9 +26,11 @@ License:        GPL-2.0+
 Group:          System/Packages
 Version:        12.0
 Release:        0
 # pub  2048R/39DB7C82 2013-01-31 SuSE Package Signing Key <build@suse.de>
 # The main package signing key.
-Source0:        gpg-pubkey-39db7c82-510a966b.asc
+Source0:        gpg-pubkey-39db7c82-5847eb1f.asc
 # pub  2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) <build@suse.de>
 # Fallback key if main key gets lost.
 Source1:        gpg-pubkey-50a3dd1c-50f35137.asc
@ -36,17 +38,19 @@ Source1:        gpg-pubkey-50a3dd1c-50f35137.asc
 # pub  1024R/307E3D54 2006-03-21 SuSE Package Signing Key <build@suse.de>
 # SLES 10 key.
 Source2:        gpg-pubkey-307e3d54-4be01a65.asc
 # pub  1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key <support@suse.com>
 # SUSE supplied PTF (program temporary fixes) are signed by this key.
 # supplied to be not imported by default
 Source98:       suse_ptf_key.asc
-# pub  2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
+# pub  4096R/317CD502 2014-10-02 SUSE Security Team <security@suse.de>
-# security@suse.de communication key.
+# sub  4096R/0DE80E03 2014-10-02
-# Only used for E-Mail encryption and signing to/from security@suse.de.
+# Only used for email communication
 Source99:       security_at_suse_de.asc
 Source100:      dumpsigs
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildArch:      noarch
 %define keydir  %{_prefix}/lib/rpm/gnupg/keys
@ -85,7 +89,7 @@ install -m 755 %{SOURCE100} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
 %attr(755,root,root) %dir %{keydir}
 %attr(755,root,root) %{_prefix}/lib/rpm/gnupg/dumpsigs
 %{keydir}/gpg-pubkey-50a3dd1c-50f35137.asc
-%{keydir}/gpg-pubkey-39db7c82-510a966b.asc
+%{keydir}/gpg-pubkey-39db7c82-5847eb1f.asc
 %{keydir}/gpg-pubkey-307e3d54-4be01a65.asc
 %changelog