Hi Manfred, Am Mittwoch, den 14.10.2020, 10:36 +0200 schrieb Manfred Hollstein: > yesterday I got the message from "zypper ref -f" that my project > signing > key on PMBS will expire in 8 days. I then used the following command > to > extend the key's lifetime: > > osc -A pmbs signkey --extend home:manfred.h > > where "pmbs" is an alias for "https://pmbs-api.links2linux.de" in my > ~/.oscrc > > Although running that command resulted in > > <status code="ok" /> > > it didn't appear to have changed anything as "zypper ref -f" today now > shows this for my key: > > The gpg key signing file 'repomd.xml' will expire in 7 days. > Repository: home:manfred.h:pmbs.obs > Key Name: home:manfred.h OBS Project <home: > manfre...@packman.links2linux.de> > Key Fingerprint: 7D2E3C09 B9D9BE6A 10EEA70D BEBA8597 97A18328 > Key Created: Mon Aug 13 15:16:23 2018 > Key Expires: Wed Oct 21 15:16:23 2020 (expires in 7 days) > Rpm Name: gpg-pubkey-97a18328-5b7184a7 > > @Stefan, can you please check if key managemend in PMBS works as > expected?
Yes, apart from the reported problem with MakeMKV there should be no other problem - at least I hope so :) GPG key handling in OBS should be automatic, usually there is no need to manually extend the key lifetime - as far as I know, and have gathered from OBS developers, mailinglist and IRC chat. Upon publishing of new packages the repository is recreated. If the GPG key is expired (or perhaps near expiring - IDK), the key's lifetime is extended, and the repo is signed with the extended key. Of course you can manually extend the key for your repo, and you did so successfully. Have a look at https://pmbs.links2linux.de/project/show/home:manfred.h and click on the "GPG Key / SSL Certificate" link. This will show you the expiry date of Dec 23rd, 2022, and gives your the opportunity to download the public key. Your repository on the other hand is still signed with the "old"/non- extended key. Once a package is rebuild and published - the package has to be changed(!) - the repo is signed with the extended key. This behavior is probably a shortcoming in OBS, but usually - normally - actually - erm, how should I phrase this - packages inside a repo are "live", and there is no week going by without changes to packages in repos :) so you will not approach the problem with an expiring key. It happens, though, when you have a repo with more or less static packages inside, which do not get updated or changed due to rebuilds. Submit a "nonsense" package, let it build and publish, and delete the package. Then your repo will be signed with the extended key. Greetings, Stefan -- Stefan Botter zu Hause Bremen
signature.asc
Description: This is a digitally signed message part
_______________________________________________ Packman mailing list Packman@links2linux.de http://lists.links2linux.de/cgi-bin/mailman/listinfo/packman