Yes, thanks Cos for getting this CentOS stuff figured out!
> On Sep 3, 2015, at 12:35 PM, Andrew Purtell <[email protected]> wrote:
>
> Thanks for sticking with it Cos. That's an annoying bug.
>
>
>> On Wed, Sep 2, 2015 at 9:31 PM, Konstantin Boudnik <[email protected]> wrote:
>>
>> Ok, as I suspected there's a long standing (at least from 2006) bug in RPM
>> that doesn't allow to validate RPM signature if a subkey has been used for
>> signing.
>>
>> I ended up generating a new key pair (just for this purpose) and resigning
>> all binaries with it; then resyncing everything with s3. I also have updated
>> KEYS file with the new one. I have quickly run a test on centos7 by
>> installing bigtop-utils on an empty container and everything worked,
>> including automatic import of the keys and the validation/installation of
>> the package. Looks like we are in the clear.
>>
>> Please shout if you see otherwise. Thanks everyone for your patience!
>> Cos
>>
>>> On Wed, Sep 02, 2015 at 02:27PM, Konstantin Boudnik wrote:
>>> I think there's a difference between how you've signed the pkgs and how I
>>> did it. I signed with sub-key (as I mentioned before) and yum doesn't
>>> recognize it. Seemingly, it expects that the master key was used for
>>> signing.
>>>
>>> Also, in your repo file below
>>>     gpgkey=http://archive.apache.org/dist/bigtop/KEYS
>>> points to the old keys. The location should be
>>>     gpgkey=https://dist.apache.org/repos/dist/release/bigtop/KEYS
>>>
>>> I am pretty sure I have exported my key with --armor option back in the
>>> day. But I will repeat it and see if I can fix the situation, which I also
>>> observe following your steps. If that's the only issue I will update the
>>> KEYS and we should be completed by tonight ;)
>>>
>>> Thanks for your help!
>>> Cos
>>>
>>>> On Wed, Sep 02, 2015 at 03:11PM, Evans Ye wrote:
>>>> This is the same issue we're trying to solve in the mailing thread
>>>> "convenience artifacts are signed and uploaded".
>>>> I've built a sample repo which works properly by using my own key
>>>> "Evans Ye" to sign and to export GPG KEY. So I believe the following
>>>> steps should be the right way to sign packages and export the gpgkey:
>>>>
>>>> $ find -name '*.rpm' | xargs rpm --define="%_gpg_name Evans Ye" --addsign
>>>>
>>>> $ gpg --armor --output KEYS --export 'Evans Ye'
>>>>
>>>> I've verified that the hash is matched now in our official repo.
>>>> So I guess the main issue left is using non-armored gpg key, if we
>>>> manually import the gpgkey in the repo file:
>>>>
>>>> [bigtop]
>>>> name=Bigtop
>>>> enabled=1
>>>> gpgcheck=1
>>>> type=NONE
>>>> baseurl=http://bigtop.s3.amazonaws.com/releases/1.0.0/centos/6/x86_64
>>>> gpgkey=http://archive.apache.org/dist/bigtop/KEYS
>>>>
>>>> [root@48723d98dc1b ~]# rpm --import https://dist.apache.org/repos/dist/release/bigtop/KEYS
>>>> error: https://dist.apache.org/repos/dist/release/bigtop/KEYS: key 2 not an armored public key.
>>>>
>>>> It gets error.
>>>> However, my own exported armored key can be imported without an error.
>>>> That's the difference.
>>>>
>>>> Can you confirm that the gpgkey
>>>> (http://archive.apache.org/dist/bigtop/KEYS) is exported with --armor
>>>> flag?
>>>>
>>>> 2015-09-02 13:25 GMT+08:00 Konstantin Boudnik <[email protected]>:
>>>>
>>>>> Looks like I have figured out what's wrong with my key. And it is
>>>>> _nothing_.
>>>>> However, it seems that I can not sign RPMs with subkey as YUM can not
>>>>> find the key while importing. Can anyone confirm or disprove my train
>>>>> of thoughts?
>>>>>
>>>>> Thanks!
>>>>> Cos
>>>>>
>>>>>> On Wed, Sep 02, 2015 at 07:42AM, Konstantin Boudnik wrote:
>>>>>> I've resynced the repodata once again and I don't see this issue on
>>>>>> the centos7 anymore. However, yum still complains about the key being
>>>>>> not available, but there's a workaround by setting gpgcheck=0. And I
>>>>>> am going to figure out what to do with it and why my key isn't working
>>>>>> as expected.
>>>>>>
>>>>>> I also have discovered that the gpgkey file URL is using the old
>>>>>> incubation KEYS. Fixed that as well.
>>>>>>
>>>>>> Please let me know if you still see the issue with checksums mismatch.
>>>>>> Thanks,
>>>>>> Cos
>>>>>>
>>>>>>> On Tue, Sep 01, 2015 at 12:44PM, Konstantin Boudnik wrote:
>>>>>>> I think this is the consequences of me fighting with the package
>>>>>>> signing... ;(
>>>>>>> A couple of days ago I have re-run 'createrepo' for all the RPM-based
>>>>>>> distros and uploaded new repo files to the release. Not sure why the
>>>>>>> checksums differ now...
>>>>>>>
>>>>>>> I will take a look into this again tonight.
>>>>>>> Cos
>>>>>>>
>>>>>>>> On Tue, Sep 01, 2015 at 09:39PM, Olaf Flebbe wrote:
>>>>>>>> I can second it:
>>>>>>>>
>>>>>>>> I added to /etc/yum.repo.d/meins.repo
>>>>>>>>
>>>>>>>> [meins]
>>>>>>>> name=Bigtop epo
>>>>>>>> baseurl=http://bigtop.s3.amazonaws.com/releases/1.0.0/centos/7/x86_64/
>>>>>>>> enabled=1
>>>>>>>> gpgcheck=0
>>>>>>>> priority=1
>>>>>>>>
>>>>>>>> and got
>>>>>>>> ............
>>>>>>>> Downloading packages:
>>>>>>>> hbase-0.98.12-1.el7.centos.noa FAILED =============================================-] 849 kB/s | 62 MB 00:00:00 ETA
>>>>>>>> http://bigtop.s3.amazonaws.com/releases/1.0.0/centos/7/x86_64/hbase/noarch/hbase-0.98.12-1.el7.centos.noarch.rpm: [Errno -1] Package does not match intended download. Suggestion: run yum --enablerepo=meins clean metadata
>>>>>>>> Trying other mirror.
>>>>>>>> .............
>>>>>>>>
>>>>>>>> Olaf
>
>
>
> --
> Best regards,
>
>    - Andy
>
> Problems worthy of attack prove their worth by hitting back. - Piet Hein
> (via Tom White)
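
Added example, not part of the thread and not Bigtop project code: a small lint for yum .repo files that reports the conditions discussed above, namely the gpgcheck=0 workaround and a gpgkey URL that is missing or fetched over plain HTTP. The sample file is constructed from the two stanzas quoted in the thread, and the helper name audit_repo is hypothetical.

```python
import configparser

# Constructed sample: the two repo stanzas quoted in the thread, in one file.
SAMPLE_REPO = """\
[bigtop]
name=Bigtop
enabled=1
gpgcheck=1
type=NONE
baseurl=http://bigtop.s3.amazonaws.com/releases/1.0.0/centos/6/x86_64
gpgkey=http://archive.apache.org/dist/bigtop/KEYS

[meins]
name=Bigtop epo
baseurl=http://bigtop.s3.amazonaws.com/releases/1.0.0/centos/7/x86_64/
enabled=1
gpgcheck=0
priority=1
"""


def audit_repo(text):
    """Return {repo id: [findings]} for every enabled repo in a .repo file."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    report = {}
    for name in cp.sections():
        repo = cp[name]
        if repo.get("enabled", "1").strip() == "0":
            continue  # a disabled repo is never consulted
        findings = []
        check = repo.get("gpgcheck")
        if check is None:
            findings.append("gpgcheck not set here: inherited from [main] in yum.conf")
        elif check.strip().lower() not in ("1", "yes", "true"):
            findings.append("gpgcheck is off: package signatures are not verified")
        keys = repo.get("gpgkey", "").split()
        if not keys:
            findings.append("no gpgkey: yum cannot auto-import the signing key")
        for url in keys:
            # A key fetched over plain HTTP can be swapped in transit, which
            # defeats the signature check it is meant to anchor.
            if not url.startswith(("https://", "file://")):
                findings.append("gpgkey fetched without TLS: " + url)
        report[name] = findings
    return report


if __name__ == "__main__":
    for repo_id, findings in audit_repo(SAMPLE_REPO).items():
        print(repo_id, findings or "ok")
```

A stanza with gpgcheck=1 and the HTTPS KEYS location given in the thread produces no findings.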
