1
0

Accepting request 518537 from home:msmeissn:branches:Base:System

- extend the build@suse.de product key. (bsc#1014151)
  pub  2048R/39DB7C82 2013-01-31 [expires: 2020-12-06]
  uid                            SuSE Package Signing Key <build@suse.de>

- use dumpsigs script from openSUSE to merge code 

- renamed security_at_suse_de.asc to security_at_suse_de_old.asc
- security_at_suse_de.asc: new 4096 bit RSA key.
  pub  4096R/317CD502 2014-10-02 SUSE Security Team <security@suse.de>
  bnc#899509

- create suse-build-key.gpg during build.
- Remove old keys from keyring. (fate#314767)
  Keys currently inside the RPM trusted keyring:
  - pub  2048R/39DB7C82 SuSE Package Signing Key <build@suse.de>
  - pub  2048R/50A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de>
- Various keys are moved to the documentation area
  (/usr/share/doc/packages/suse-build-key)
  - build-at-suse-sle11.asc: the old SUSE Linux Enterprise 11 key.
    if SUSE Linux Enterprise 11 packages need to be verified on
    a SUSE Linux Enterprise 12 system.
  - suse_ptf_key.asc: The suse ptf key. For verification of provided PTFs.
  - security_at_suse_de.asc: Use only for email encryption and
    verification purposes when contacting our security contact address
    security@suse.de

OBS-URL: https://build.opensuse.org/request/show/518537
OBS-URL: https://build.opensuse.org/package/show/Base:System/suse-build-key?expand=0&rev=26
This commit is contained in:
Marcus Meissner 2017-08-24 13:29:11 +00:00 committed by Git OBS Bridge
parent eb50411aa2
commit be84b3b4d8
6 changed files with 175 additions and 53 deletions

View File

@ -1,21 +1,50 @@
#!/usr/bin/perl
#!/usr/bin/perl -w
# dump all keys contained in the keyring specified as argument
my $keyring='';
use strict;
$keyring="--no-default-keyring --keyring=$ARGV[0]" if $ARGV[0] ne '';
my @keyring;
die "must specify keyring\n" unless @ARGV;
my $file = shift @ARGV;
unless ($file =~ /^\//) {
use Cwd qw/abs_path/;
$file = abs_path($file);
}
# XXX: workaround for colons in obs project names o_O
if ($file =~ /:/) {
use File::Temp qw/tempdir/;
my $tmpdir = tempdir( CLEANUP => 1);
my $nn = $file;
$nn =~ s/.*\///;
$nn = $tmpdir.'/'.$nn;
symlink($file, $nn) or die "failed to symlink: $!\n";
$file = $nn;
}
@keyring = ('--no-default-keyring', '--keyring='.$file);
my @line;
my $ver;
my $rel;
my $name;
my %names;
open(GPG, "gpg $keyring --no-secmem-warning --list-sigs --list-options show-keyring --fixed-list-mode --with-colons |");
my @cmd = qw/--no-secmem-warning --no-options --list-sigs --list-options show-keyring --fixed-list-mode --with-colons/;
unshift @cmd, @keyring;
unshift @cmd, 'gpg';
#print join(' ', @cmd), "\n";
open(GPG, '-|', @cmd);
while (<GPG>) {
chomp;
next unless /^pub:/;
@line = split(':', $_);
my $id = $line[4];
$_ = <GPG>;
$_ = <GPG> if /^fpr:/;
chomp;
next unless /^uid:/;
@line = split(':', $_);
@ -23,7 +52,7 @@ while (<GPG>) {
while (1) {
$_ = <GPG>;
chomp;
die unless /^sig:/;
next unless /^sig:/;
@line = split(':', $_);
next if $line[4] ne $id;
$ver = lc($id);
@ -31,12 +60,33 @@ while (<GPG>) {
$rel = sprintf("%08x", $line[5]);
last;
}
$names{"gpg-pubkey-$ver-$rel"} = $id;
$names{"gpg-pubkey-$ver-$rel"} = [ $id, $name ];
}
close GPG;
my $n;
for $n (sort keys %names) {
print "writing $n.asc\n";
system("gpg $keyring --no-secmem-warning --export -a '$names{$n}' >$n.asc");
@cmd = qw/--no-options --no-secmem-warning --export-options export-minimal --export -a/;
push @cmd, $names{$n}[0];
unshift @cmd, @keyring;
unshift @cmd, 'gpg';
my $fn = $n.".asc";
unless (open(O, '>', $fn)) {
warn "failed to open $fn: $!";
next;
}
printf O "%s %s\n\n", $names{$n}[0], $names{$n}[1];
print "writing $fn\n";
#print join(' ', @cmd), "\n";
unless (open(GPG, '-|', @cmd)) {
warn "failed to exec gpg: $!";
close O;
unlink $fn;
next;
}
while(<GPG>) {
print O;
}
close GPG;
close O;
}

View File

@ -1,21 +0,0 @@
70AF9E8139DB7C82 SuSE Package Signing Key <build@suse.de>
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.19 (GNU/Linux)
mQENBFEKlmsBCADbpZZbbSC5Zi+HxCR/ynYsVxU5JNNiSSZabN5GMgc9Z0hxeXxp
YWvFoE/4n0+IXIsp83iKvxf06Eu8je/DXp0lMqDZu7WiT3XXAlkOPSNV4akHTDoY
91SJaZCpgUJ7K1QXOPABNbREsAMN1a7rxBowjNjBUyiTJ2YuvQRLtGdK1kExsVma
hieh/QxpoDyYd5w/aky3z23erCoEd+OPfAqEHd5tQIa6LOosa63BSCEl3milJ7J9
vDmoGPAoS6ui7S2R5X4/+PLN8Mm2kOBrFjhmL93LX0mrGCMxsNsKgP6zabYKQEb8
L028SXvl7EGoA+Vw5Vd3wIGbM73PfbgNrXjfABEBAAG0KFN1U0UgUGFja2FnZSBT
aWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6JATwEEwECACYFAlEKlmsCGwMFCQeE
zgAGCwkIBwMCBBUCCAMEFgIDAQIeAQIXgAAKCRBwr56BOdt8gomGCAC13Pi60I6O
8GJ03BQrmVyyJrDcwJxxqw0HmIENf3rDLMYTBuduM3mNm5Fy2Gl2IuWD9mHvckQs
0xa+A7mAwHXhIXWFCrZWyRH16w93BzjjLGiMMKimE8mg4XcaRL1FJhxGqq7FpLga
XpQofkw0yFcavuubETpDR3w4qiRVsNKq4RM00pMCpTpJDWamFJm/oOUmBE45Q071
v9C4oQHPsBNK/yMtlRssel815Xx4lbJIpKAg4BRtyBHWCzH/gVRGhYA8xDs/DEvu
Z9mswBdniP+K1XSkr+NtxFvtkAy/C2Q2qk3sqpCMOt3MDGTyBgqIoplE/4XRCis9
d7b1v1zv4/hN
=sQXd
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -0,0 +1,19 @@
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.15 (GNU/Linux)
mQENBFEKlmsBCADbpZZbbSC5Zi+HxCR/ynYsVxU5JNNiSSZabN5GMgc9Z0hxeXxp
YWvFoE/4n0+IXIsp83iKvxf06Eu8je/DXp0lMqDZu7WiT3XXAlkOPSNV4akHTDoY
91SJaZCpgUJ7K1QXOPABNbREsAMN1a7rxBowjNjBUyiTJ2YuvQRLtGdK1kExsVma
hieh/QxpoDyYd5w/aky3z23erCoEd+OPfAqEHd5tQIa6LOosa63BSCEl3milJ7J9
vDmoGPAoS6ui7S2R5X4/+PLN8Mm2kOBrFjhmL93LX0mrGCMxsNsKgP6zabYKQEb8
L028SXvl7EGoA+Vw5Vd3wIGbM73PfbgNrXjfABEBAAG0KFN1U0UgUGFja2FnZSBT
aWduaW5nIEtleSA8YnVpbGRAc3VzZS5kZT6JATwEEwECACYCGwMGCwkIBwMCBBUC
CAMEFgIDAQIeAQIXgAUCWEfrHwUJDsIitAAKCRBwr56BOdt8gpqUB/wPSSS5BcDu
Oi4n02cj4Hdt7WITKBjjo0lG1fXG1ppx1wOST+s8FertMVFY53TW6FGjcYtwVOIq
rsMYiV6kf1NxUV/jcAy7VmC5EZnO0R/D3sT4Oh5hsLtERauZolK5BZmd0S51Qa8e
TxZ5mX9PL2i3s/ShETc30drf83ugc7B4yZPNQWXNDPgGcC+hEeC5qw48RzHYIpUt
RzHmefR5Z3ioTUbDlzy+SGP2uA7mhR4Lfk/df5fYxWfCoKlyGjtrvA65cB+Pksyn
xrAeBuB+vBM+KnDrxW2Sn4AbWkzH//dfz9OJDJu4UM91hb7qxM0OkrXHQV3iNqzg
MDEhky/9NqMy
=GdP5
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -1,5 +1,3 @@
77B2E6003D25D3D9 SuSE Security Team <security@suse.de>
The block below contains the public key of the SUSE Security team.
It's used to sign security advisories and other imporant
announcents concerning the distribution. To be able to verify
@ -7,22 +5,55 @@ signatures made with that key you need to import this file into your
keyring using the following command:
gpg --import security_at_suse_de.asc
-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v2.0.16 (GNU/Linux)
Version: GnuPG v2
mQENAzbhLQQAAAEIAKAkXHe0lWRBXLpn38hMHy03F0I4Sszmoc8aaKJrhfhyMlOA
BqvklPLE2f9UrI4Xc860gH79ZREwAgPt0pi6+SleNFLNcNFAuuHMLQOOsaMFatbz
JR9i4m/lf6q929YROu5zB48rBAlcfTm+IBbijaEdnqpwGib45wE/Cfy6FAttBHQh
1Kp+r/jPbf1mYAvljUfHKuvbg8t2EIQz/5yGp+n5trn9pElfQO2cRBq8LFpf1l+U
P7EKjFmlOq+Gs/fF98/dP3DfniSd78LQPq5vp8RL8nr/o2i7jkAQ33m4f1wOBWd+
cZovrKXYlXiR+Bf7m2hpZo+/sAzhd7LmAD0l09kABRG0JVN1U0UgU2VjdXJpdHkg
VGVhbSA8c2VjdXJpdHlAc3VzZS5kZT6JARUDBRA24S0Ed7LmAD0l09kBAW04B/4p
WH3f1vQn3i6/+SmDjGzUu2GWGq6Fsdwo2hVM2ym6CILeow/K9JfhdwGvY8LRxWRL
hn09j2IJ9P7H1Yz3qDf10AX6V7YILHtchKT1dcngCkTLmDgC4rs1iAAl3f089sRG
BafGPGKv2DQjHfR1LfRtbf0P7c09Tkej1MP8HtQMW9hPkBYeXcwbCjdrVGFOzqx+
AvvJDdT6a+oyRMTFlvmZ83UV5pgoyimgjhWnM1V4bFBYjPrtWMkdXJSUXbR6Q7Pi
RZWCzGRzwbaxqpl3rK/YTCphOLwEMB27B4/fcqtBzgoMOiaZA0M5fFoo54KgRIh0
zinsSx2OrWgvSiLEXXYK
=m7kg
mQINBFQtF/8BEAC682QMnBjVnGNGo8PcdoGgqQcfdtaBMFhpIfFp0dTdcW7vMwJV
PDV1TzOvtAlMSsUo6I+sIYG0PAnc51xh/xOAXzKrz0Qd0MEGVsT98yHB6W3XGRuX
f88FycgIzH03En92yZdBUTV1g3nBM3FFuwjT78quRCzpIMdHtEg4VFFam90TbrLU
F5ApHNqQf3yqbb6ddG5pdwB1pMoG7Zz4XaK/v0D20U8OxjrWTsbDRgWarIWwoGD4
VhYqC891fHeoVKmYRYsrTJXqdCoArp/eofGHG/zhVA+MEHsNvPBhW+YxxpNO7MI1
VjwIKFfO9jl3H3m4yOJ3BOaSpxCDb3LwKdSGCYvrCmGhsJpOyG33t/nwzhsN3R3D
OBg3YQQ17rZqcF9H89UauFaRDS1VxD/3GSCpmCAt39NW2EHaTOllcxwGkd61spoB
Q+g10kmiUa1DxWiN0lQnFDdpu8E8SaOnaRKjQy9KDFLxc9GCZXzOceP8wUjWBeKi
yAVesw562vRS+anpqbxeF1qzYJ78OVzjfFbdkxRecy4HbyaMt31YIPflSeEHrUa3
Zrl8cXmJvcNZRbGeva++gCmzjYPpFSs9bAVWuFqY0UT3PbLYruYhyYyGv1x5Kwvb
TYWqLsQmHQxGp61zI97YbAz/XzLeAFrvzW2BnsEeLNXJG0lBShjalHLzqwARAQAB
tCVTVVNFIFNlY3VyaXR5IFRlYW0gPHNlY3VyaXR5QHN1c2UuZGU+iQI5BBMBAgAj
BQJULRf/AhsDBwsJCAcDAgEGFQgCCQoLBBYCAwECHgECF4AACgkQWPxYsTF81QL5
WA//cU8pptQ5ZwfI4edi2faNgU4qBF1mJQcchXVyQFcbdHpwNsHkqYFqVK98LwBJ
3sQUUVwUFdt7uauLtPMYONDeroy95DXhwvjsD891adOzehhAn3DTFUYYTPgs/x1b
UoXe5LShjinGi95HRjs5LpKyHn67pr91zbMDA0dhHku9mkD2kg8erTjtLlutCgRd
l25/AUsWi5qG2IZ1GK/GmmpnerD5R5jVc+MLJPW37pSUfS/BdmbK4XmZylpHF53a
hsUlG6wQM7H1OTyCYWA71jJ5ydeBSlrW6Jt4skM0Lipcr2rmLz/CVI/R0CTADyeI
41mOSmKOXQnlM0A3BGhLPb4JZFSOu9r+LvRq8u9sMICFqL7OEhjSHQqQ3Oe4sQWG
vJY1IcP3UW1byG/8MhBTp/16Wxd0Nv44JE4WS2VFVopaso7jmrnv/0JS7b4WwgE8
OLi3Et4OpeXZEOY9LAYOQc1fdl+leh5qk7TkgNwAn69wdZYXXB3rS1Q6VxMFLyin
xaepwIlx0jsoG608dT03kv9EUx/hwvZrwnDyeoPtB1+HRXw1o6p/zU8B3r5fqes8
Ah28Q1sD9c0ojH1gWcodQrhfkqLubgRJHUTTzO4KBwtTqBstcIR1kamOyA4oDbwK
tT0KsnU9DtJgqGkw0/nlOOgVXvsKWFXgZj4BcHct+tIO4ce5Ag0EVC0X/wEQAMjU
PGzcmaH8TZ3JExvUiK8zXW5pwnYVyxyMkdn8lWMmPdLI7ljj2OIqzXoYuT4nNmRZ
+zq4ucpd8DwAwim/cfi3bs/xqMNKkC1AybZW/KiEDTHll9Gc0cSa4DBQjdKjm839
86kz0nzXxWXvBCqEyVVI1YoDAHTcAvMHkOZKc33kv6PS73Gymm78Em1ychx2u6UF
cQ248QFWXOPXsRaLVmNicuD/rEPcaKr8FomYYtqiGr88sv06FF0EdIa1aXqPVQU1
IxqH3pAn6oQ2aZUe5jzydhMzhiYGfZtO+ePxE7mi2Vr/m3iurVfhusqc69Cxfd4Z
fCReSAQFbJ7Vf58c+rRbIp3NkZaID8Fo9jINC9ogNPDxVLbCSmxTnDpR9IdGi9oZ
VwgcWdQ9rbspOClntbE6GonA++OTEkMOTOFEgGfd7CEuEAAxYc3uchhlSN+LfQja
B24UgGKHP5QEvjclBOKjDWMfsOwyqdDBkGb0rHCE3ohUnA6QQpz+zSmF0oXmGwAQ
Jj3YhT/4Z/VapIjlMu9ZaPoT8dGUaDCUeJa4Kbg2krzMolKDNoZeWL5uOJk64+XU
5JsYBofMrQt3Esv+YGyhD2krYcs/7jaj+BLaJu4+asvXe9pAQTdGCNMoO/qiPsJ6
gZLnHUjuxMF2eNvFqrYHXCILFFRDYCSiW1RfhPVJABEBAAGJAh8EGAECAAkFAlQt
F/8CGwwACgkQWPxYsTF81QJVJBAAnuE49ccyVXA3uWquzleHx1ioyVPuYKeE1Lzw
ibzdnrOPEYVMyNJbr3AcRofH4++KE5AdV9CUYYsP7pbix5hUcG0UdtT10QxAks/Z
e2k7gTXS3Fgu8q5+q4diDhh1GtiUKX+lsyN4MA6HhzPzACIy7Iy2LlRLV1oqYEMs
UPF2yEA+04r/UJAhKLshE0evA6Kkkq4MXvPcPxbyhZx+1S6/++dS81I+6+EEGyzM
+8GFn50Op84ULS/eSjVusnha/HVz5mulatWw1yV8hdVyKVqDT/GPOcJ3+MnWHIva
7NU3RvySgie7ouxM3M5U1GO/bfL7wmAJvJ2mPhoGoSJ6ir5uhMV1CRvMxDVEqomm
ozxxDGJZ4O8dfpfs9vKIhqeEi9Pk4ZtFIHBEbHiRf1TCpeV13kh9eGpbnSCjTZvD
HcjR78kQM76XH1JPCH72AhPbePOrI/OmHvvrVyQRN24cXvAzK8L4a2c0FqbrivwX
7bFHjZcfsjujYQb1QCF9zomtDXQAkWhts0I+tQcegUfQrrUlGFAMuwO/Lts6KL7G
vyd7dmv07xkbnlwJih4CIKvbImi93fRFMu763QzDhiAQcUohTROoQjZKoJRsRTn8
czy7l6bFqw5kBgGh0XxyWzdIDIZfyfmb2q6cdEeeajP8g92Hknarmy7UXX7a8eMa
WzjAfBA=
=zsa2
-----END PGP PUBLIC KEY BLOCK-----

View File

@ -1,3 +1,24 @@
-------------------------------------------------------------------
Wed Dec 7 16:35:05 UTC 2016 - meissner@suse.com
- extend the build@suse.de product key. (bsc#1014151)
pub 2048R/39DB7C82 2013-01-31 [expires: 2020-12-06]
uid SuSE Package Signing Key <build@suse.de>
-------------------------------------------------------------------
Tue Nov 29 12:54:46 CET 2016 - ro@suse.de
- use dumpsigs script from openSUSE to merge code
-------------------------------------------------------------------
Thu Oct 2 12:45:05 UTC 2014 - meissner@suse.com
- renamed security_at_suse_de.asc to security_at_suse_de_old.asc
- security_at_suse_de.asc: new 4096 bit RSA key.
pub 4096R/317CD502 2014-10-02 SUSE Security Team <security@suse.de>
bnc#899509
-------------------------------------------------------------------
Fri Aug 29 08:28:03 UTC 2014 - meissner@suse.com
@ -5,6 +26,24 @@ Fri Aug 29 08:28:03 UTC 2014 - meissner@suse.com
- suse-build-key.gpg blob dropped
- ship seperate files
-------------------------------------------------------------------
Mon Feb 10 09:57:50 UTC 2014 - meissner@suse.com
- create suse-build-key.gpg during build.
- Remove old keys from keyring. (fate#314767)
Keys currently inside the RPM trusted keyring:
- pub 2048R/39DB7C82 SuSE Package Signing Key <build@suse.de>
- pub 2048R/50A3DD1C SuSE Package Signing Key (reserve key) <build@suse.de>
- Various keys are moved to the documentation area
(/usr/share/doc/packages/suse-build-key)
- build-at-suse-sle11.asc: the old SUSE Linux Enterprise 11 key.
if SUSE Linux Enterprise 11 packages need to be verified on
a SUSE Linux Enterprise 12 system.
- suse_ptf_key.asc: The suse ptf key. For verification of provided PTFs.
- security_at_suse_de.asc: Use only for email encryption and
verification purposes when contacting our security contact address
security@suse.de
-------------------------------------------------------------------
Mon Jan 13 15:01:24 UTC 2014 - meissner@suse.com

View File

@ -1,7 +1,7 @@
#
# spec file for package suse-build-key
#
# Copyright (c) 2014 SUSE LINUX Products GmbH, Nuernberg, Germany.
# Copyright (c) 2017 SUSE LINUX GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@ -26,9 +26,11 @@ License: GPL-2.0+
Group: System/Packages
Version: 12.0
Release: 0
# pub 2048R/39DB7C82 2013-01-31 SuSE Package Signing Key <build@suse.de>
# The main package signing key.
Source0: gpg-pubkey-39db7c82-510a966b.asc
Source0: gpg-pubkey-39db7c82-5847eb1f.asc
# pub 2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) <build@suse.de>
# Fallback key if main key gets lost.
Source1: gpg-pubkey-50a3dd1c-50f35137.asc
@ -36,17 +38,19 @@ Source1: gpg-pubkey-50a3dd1c-50f35137.asc
# pub 1024R/307E3D54 2006-03-21 SuSE Package Signing Key <build@suse.de>
# SLES 10 key.
Source2: gpg-pubkey-307e3d54-4be01a65.asc
# pub 1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key <support@suse.com>
# SUSE supplied PTF (program temporary fixes) are signed by this key.
# supplied to be not imported by default
Source98: suse_ptf_key.asc
# pub 2048R/3D25D3D9 1999-03-06 SuSE Security Team <security@suse.de>
# security@suse.de communication key.
# Only used for E-Mail encryption and signing to/from security@suse.de.
# pub 4096R/317CD502 2014-10-02 SUSE Security Team <security@suse.de>
# sub 4096R/0DE80E03 2014-10-02
# Only used for email communication
Source99: security_at_suse_de.asc
Source100: dumpsigs
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%define keydir %{_prefix}/lib/rpm/gnupg/keys
@ -85,7 +89,7 @@ install -m 755 %{SOURCE100} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
%attr(755,root,root) %dir %{keydir}
%attr(755,root,root) %{_prefix}/lib/rpm/gnupg/dumpsigs
%{keydir}/gpg-pubkey-50a3dd1c-50f35137.asc
%{keydir}/gpg-pubkey-39db7c82-510a966b.asc
%{keydir}/gpg-pubkey-39db7c82-5847eb1f.asc
%{keydir}/gpg-pubkey-307e3d54-4be01a65.asc
%changelog