1
0

Accepting request 213302 from home:msmeissn:branches:Base:System

- Merged over logic from openSUSE-build-key.
- Got rid of default importing into roots keyring.
- Removed some old keys.
- Clarify that security@suse.de is a email only key
- PTF key is supplied also as %doc, to not be default
  imported.
- Keys currently inside:
  - pub  2048R/39DB7C82 SuSE Package Signing Key <build@suse.de>
  - pub  2048R/50A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de>
  - pub  1024D/B37B98A9 SUSE PTF Signing Key <support@suse.com>
  - pub  2048R/3D25D3D9 SuSE Security Team <security@suse.de>

OBS-URL: https://build.opensuse.org/request/show/213302
OBS-URL: https://build.opensuse.org/package/show/Base:System/suse-build-key?expand=0&rev=9
This commit is contained in:
Marcus Meissner 2014-01-09 13:49:26 +00:00 committed by Git OBS Bridge
parent 8016e44ace
commit 4f52763dd1
8 changed files with 154 additions and 90 deletions

2
.gitattributes vendored
View File

@ -21,5 +21,3 @@
*.xz filter=lfs diff=lfs merge=lfs -text
*.zip filter=lfs diff=lfs merge=lfs -text
*.zst filter=lfs diff=lfs merge=lfs -text
## Specific LFS patterns
suse-build-key.gpg filter=lfs diff=lfs merge=lfs -text

View File

@ -0,0 +1,21 @@
70AF9E8139DB7C82 SuSE Package Signing Key <build@suse.de>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
mQENBFEKlmsBCADbpZZbbSC5Zi+HxCR/ynYsVxU5JNNiSSZabN5GMgc9Z0hxeXxp
YWvFoE/4n0+IXIsp83iKvxf06Eu8je/DXp0lMqDZu7WiT3XXAlkOPSNV4akHTDoY
91SJaZCpgUJ7K1QXOPABNbREsAMN1a7rxBowjNjBUyiTJ2YuvQRLtGdK1kExsVma
hieh/QxpoDyYd5w/aky3z23erCoEd+OPfAqEHd5tQIa6LOosa63BSCEl3milJ7J9
vDmoGPAoS6ui7S2R5X4/+PLN8Mm2kOBrFjhmL93LX0mrGCMxsNsKgP6zabYKQEb8
L028SXvl7EGoA+Vw5Vd3wIGbM73PfbgNrXjfABEBAAG0KFN1U0UgUGFja2FnZSBT
aWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6JATwEEwECACYFAlEKlmsCGwMFCQeE
zgAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBwr56BOdt8gomGCAC13Pi60I6O
8GJ03BQrmVyyJrDcwJxxqw0HmIENf3rDLMYTBuduM3mNm5Fy2Gl2IuWD9mHvckQs
0xa+A7mAwHXhIXWFCrZWyRH16w93BzjjLGiMMKimE8mg4XcaRL1FJhxGqq7FpLga
XpQofkw0yFcavuubETpDR3w4qiRVsNKq4RM00pMCpTpJDWamFJm/oOUmBE45Q071
v9C4oQHPsBNK/yMtlRssel815Xx4lbJIpKAg4BRtyBHWCzH/gVRGhYA8xDs/DEvu
Z9mswBdniP+K1XSkr+NtxFvtkAy/C2Q2qk3sqpCMOt3MDGTyBgqIoplE/4XRCis9
d7b1v1zv4/hN
=sQXd
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -0,0 +1,21 @@
5EAF444450A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
mQENBFDzUTcBCADQ3p9ch1aR6cBqL+O7UNO+zFNTI5WxLf4tegWP8uuxK5tJTgXO
tjnwWmWIaijO6yfCtlBu8hD2Zp9sMenDY42yM5/uII0RpszqzqwwK5onnjGcSkWZ
8jAAn+mtLIJvCLCwTqwEM4mTdTZROtCnttHXZr4GFrqpeAh+SKEWIoMF66N1FSb6
S0evzYw3ryjbFY0pial9/hqqnsTWCNHzE1Up7qdNIPxDV8UGyUzm70/xMMjJSIkB
aGpRdhILfZgyH6Ajhm7VCPPzW/BO30RSjHDnyo3hR39jE+KxvdgqTz+AthK5z+p2
mwQ+ohTAo4dGb0lyZYFpXD7ucEl9w1ygzUe/ABEBAAG0NlN1U0UgUGFja2FnZSBT
aWduaW5nIEtleSAocmVzZXJ2ZSBrZXkpIDxidWlsZEBzdXNlLmRlPokBPAQTAQIA
JgUCUPNRNwIbAwUJB4TOAAYLCQgHAwIEFQIIAwQWAgMBAh4BAheAAAoJEF6vRERQ
o90cr+kH/RwB21ma7cQvZ1lHvgcOTuM7Ttqq6x7uuFFDXCIdmbDHv1ocQI5Z3VCb
/7w+J8ZcBwNcr7i9Qsayu7umCILEOO8pNn/SlJVz6Kr6j6L8oAC3XHbXYrHacwMR
y9jQPCDqP7WZduRgEW2VWnIoNp6p/DAj724EmfLzURwLG1QKiLnOLtpygzyquk3S
gPGqgro+hCWX/VWgtBEKd33mgvwCBGjIe86VMvLCgtggyoBWDXYvsQMBO62fnk5w
Btwum/m8VPhWhcrbUK60ZsHbdwfmsBOKxewf2vIuKUcqJnIYCfsuBgx9xUxiNlGR
BVJIlG17h0jlRbEuuRez2397vU8Zw08=
=SfX3
-----END PGP PUBLIC KEY BLOCK-----

28
security_at_suse_de.asc Normal file
View File

@ -0,0 +1,28 @@
77B2E6003D25D3D9 SuSE Security Team <security@suse.de>
The block below contains the public key of the SUSE Security team.
It's used to sign security advisories and other imporant
announcents concerning the distribution. To be able to verify
signatures made with that key you need to import this file into your
keyring using the following command:
gpg --import security_at_suse_de.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.16 (GNU/Linux)
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYK
=m7kg
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -1,3 +1,18 @@
-------------------------------------------------------------------
Thu Jan 9 12:29:53 UTC 2014 - meissner@suse.com
- Merged over logic from openSUSE-build-key.
- Got rid of default importing into roots keyring.
- Removed some old keys.
- Clarify that security@suse.de is a email only key
- PTF key is supplied also as %doc, to not be default
imported.
- Keys currently inside:
- pub 2048R/39DB7C82 SuSE Package Signing Key <build@suse.de>
- pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de>
- pub 1024D/B37B98A9 SUSE PTF Signing Key <support@suse.com>
- pub 2048R/3D25D3D9 SuSE Security Team <security@suse.de>
-------------------------------------------------------------------
Thu Jan 31 17:11:08 CET 2013 - ro@suse.de

View File

@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:59c8d0592205de77964cbda7dbd3b9db9bfd343cbc347fa7756985f7a8a6b7cd
size 6774

View File

@ -1,7 +1,7 @@
#
# spec file for package suse-build-key
#
# Copyright (c) 2013 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -24,106 +24,64 @@ AutoReqProv: off
Summary: The public gpg key for rpm package signature verification
License: GPL-2.0+
Group: System/Packages
Version: 1.0
Release: 907.<RELEASE42>
Source0: suse-build-key.gpg
Source1: dumpsigs
Version: 12.0
Release: 0
# pub 2048R/39DB7C82 2013-01-31 SuSE Package Signing Key <build@suse.de>
# The main package signing key.
Source0: gpg-pubkey-39db7c82-510a966b.asc
# pub 2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) <build@suse.de>
# Fallback key if main key gets lost.
Source1: gpg-pubkey-50a3dd1c-50f35137.asc
# pub 1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key <support@suse.com>
# SUSE supplied PTF (program temporary fixes) are signed by this key.
# supplied to be not imported by default
Source98: suse_ptf_key.asc
# pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
# security@suse.de communication key.
# Only used for E-Mail encryption and signing to/from security@suse.de.
Source99: security_at_suse_de.asc
Source100: dumpsigs
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%define pubring usr/lib/rpm/gnupg/pubring.gpg
%define susering usr/lib/rpm/gnupg/suse-build-key.gpg
%define keydir %{_prefix}/lib/rpm/gnupg/keys
PreReq: sh-utils gpg fileutils mktemp
%description
This package contains the gpg key that is used to sign official SuSE
rpm packages. It will be installed as a keyring in
/usr/lib/rpm/gnupg/pubring.gpg. Administrators who wish to add their
own keys to verify against should use the following commandline command
to add the key to the keyring as used by RPM:
gpg --no-options --no-default-keyring \ --keyring
/usr/lib/rpm/gnupg/pubring.gpg --import
This package contains the gpg keys that are used to sign the
SUSE rpm packages. The keys installed here are not actually
used by anything. rpm/zypper use the keys in the rpm db instead.
%prep
rm -f foobarnosuchfileordirectory
#%setup
%setup -qcT
%build
cp %SOURCE98 .
cp %SOURCE99 .
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
install %{SOURCE0} $RPM_BUILD_ROOT/%{susering}
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
mkdir keys
cd keys
$RPM_BUILD_ROOT/usr/lib/rpm/gnupg/dumpsigs $RPM_BUILD_ROOT/%{susering}
cd ..
cp -a keys $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
touch $RPM_BUILD_ROOT/%{pubring}
touch $RPM_BUILD_ROOT/%{pubring}~
mkdir -p $RPM_BUILD_ROOT%{keydir}
for i in %sources; do
case "$i" in
*/gpg-pubkey-*.asc)
install -m 644 "$i" $RPM_BUILD_ROOT%{keydir}
;;
esac
done
install -m 755 %{SOURCE100} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
%files
%defattr(644,root,root)
%attr(755,root,root) %dir /usr/lib/rpm/gnupg
%attr(755,root,root) /usr/lib/rpm/gnupg/dumpsigs
/usr/lib/rpm/gnupg/keys
%config /%{susering}
%ghost /%{pubring}
%ghost /%{pubring}~
%post
if [ ! -f %{pubring} ]; then
touch %{pubring}
fi
echo -n "importing SuSE build key to rpm keyring... "
TF=`mktemp /tmp/gpg.XXXXXX`
if [ -z "$TF" ]; then
echo "suse-build-key::post: cannot make temporary file. Fatal error."
exit 20
fi
if [ -z "$HOME" ]; then
HOME=/root
export HOME
fi
if [ ! -d "$HOME" ]; then
mkdir "$HOME"
fi
gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true
# no kidding... gpg won't initialize correctly without being called twice.
gpg < /dev/null > /dev/null 2>&1 || true
gpg < /dev/null > /dev/null 2>&1 || true
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
--keyring %{susering} --export -a > $TF
a="$?"
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
--keyring %{pubring} --import < $TF
b="$?"
rm -f "$TF"
if [ "$a" = 0 -a "$b" = 0 ]; then
echo "done."
else
echo "importing the key from the file %{susering}"
echo "returned an error. This should not happen. It may not be possible"
echo "to properly verify the authenticity of rpm packages from SuSE sources."
echo "The keyring containing the SuSE rpm package signing key can be found"
echo "in the root directory of the first CD (DVD) of your SuSE product."
exit -1
fi
### import suse package build key to roots gpg keyring
if test -f root/.gnupg/pubring.gpg ; then
chroot . usr/bin/gpg --export --armor --no-default-keyring \
--keyring %{susering} build@suse.de \
| chroot . usr/bin/gpg --import || true
if ! chroot . usr/bin/gpg --list-keys build@suse.de >/dev/null 2>&1 ; then
echo "gpg import for build@suse.de failed, please import manually" >&2
fi
else
cp %{susering} root/.gnupg/pubring.gpg
fi
chmod 600 root/.gnupg/pubring.gpg
%doc security_at_suse_de.asc suse_ptf_key.asc
%attr(755,root,root) %dir %{_prefix}/lib/rpm/gnupg
%attr(755,root,root) %dir %{keydir}
%attr(755,root,root) %{_prefix}/lib/rpm/gnupg/dumpsigs
%{keydir}/gpg-pubkey-50a3dd1c-50f35137.asc
%{keydir}/gpg-pubkey-39db7c82-510a966b.asc
%changelog

26
suse_ptf_key.asc Normal file
View File

@ -0,0 +1,26 @@
6C74CE73B37B98A9 SUSE PTF Signing Key <support@suse.com>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
mQGiBEKCDxcRBAC8XEA/xoFsF6c9QHU0aA3JBCQC3Jhpdv1+YzZOHDaSUziQ2ZL8
12pt5oMg7qE0i5j0+zwL/0TUi4W8tar86a9gxRHzWgSkTiz4H2MvXSy5Qrnu1+Ho
MCAWMEL4s2JftKVu0XFRuT4nNHVi80JZxRzmF2EBLvtz7jrRHT/N/5A4FwCg+PE1
wR2NC89ux+VfxoR8UzQu4wUD/2ZBslJyLYE6rpUFYHceSK3gOlPSIlCn3OYlVDY3
AgYsqYH5gEOHxQeqigukk+tffyHIr5wdzTgTrPeL7v+TpgVHuRRuw7Dl9oi1PyoW
/PzNPjNSlXQCLUocY/ctCjre+WxjiewDPqmYVYS8Ie2DZMTFJ4w27mazfTJYgcPl
mmwqA/oDFSaXdRl0csqWi6XvjbUJKSVlDc8IuulB1IRLNk94+xKoDtC2xxp8zEVB
xBqmbT6pM1k3+KVzGL7oSHl4uMqzOkbRfKgKL/6ahJnLAGJPfPdFeIyGmvWDG915
TE8oMesJq/MSaohxdJ6dywkhjd19Cbdts02scIfSu5yzMXHCm7QnU1VTRSBQVEYg
U2lnbmluZyBLZXkgPHN1cHBvcnRAc3VzZS5jb20+iGIEExECACICGwMECwcDAgMV
AgMDFgIBAh4BAheABQJL4BoaBQkQ4tkDAAoJEGx0znOze5ipiDoAn0YH3g6kFZfO
BcxASwMft1iuWVT5AKCQFQ1deyNwXvo+eCH/dGpt5nj1d7kBDQRCgg8ZEAQAkwPg
vF3r+7NNqgJyiW4w5yGXgu5H4Kmd9wXAT6sUOPU+4GRJJep0dUxHgdis2BboBDlO
YVWE061pua8Ut6mA5Rx0/KOCeTL3SJtXMcknop/4fSLfnPN0/bsbALAN7RtmEJnV
QXba7C/jY04J2p0wtWfF9Zh2/O0EaPmiVjkakHMAAwUD/0T/fMgYwD1ROk1aB7KW
0bcro2hYfXCPTZtpZI6qfRbwKr8SQ6wSSWRi+p1hrtY6SBSNqw3mW4K42bPewanI
KdGc9mDt2ecQK5TAScL6VKwPvR0LK5GXJsYZjm1/uf4dWAfoy5T8jqObjL+uavtd
RKcJVbquhZwMeAeOqiPaCFMliEwEGBECAAwFAkvgGiYFCRDi2Q0ACgkQbHTOc7N7
mKndUgCfUmb1pAbgOJ3axZbe9HSwAb/BxlEAoKriKwSDH8XsRPQSp493OfB5UDpP
=GBuj
-----END PGP PUBLIC KEY BLOCK-----