Hi Stefan, On Wed, 14 Oct 2020, 13:32:47 +0200, Stefan Botter wrote: > Hi Manfred, > > Am Mittwoch, den 14.10.2020, 10:36 +0200 schrieb Manfred Hollstein: > > yesterday I got the message from "zypper ref -f" that my project > > signing > > key on PMBS will expire in 8 days. I then used the following command > > to > > extend the key's lifetime: > > > > osc -A pmbs signkey --extend home:manfred.h > > > > where "pmbs" is an alias for "https://pmbs-api.links2linux.de"; in my > > ~/.oscrc > > > > Although running that command resulted in > > > > <status code="ok" /> > > > > it didn't appear to have changed anything as "zypper ref -f" today now > > shows this for my key: > > > > The gpg key signing file 'repomd.xml' will expire in 7 days. > > Repository: home:manfred.h:pmbs.obs > > Key Name: home:manfred.h OBS Project <home: > > manfre...@packman.links2linux.de> > > Key Fingerprint: 7D2E3C09 B9D9BE6A 10EEA70D BEBA8597 97A18328 > > Key Created: Mon Aug 13 15:16:23 2018 > > Key Expires: Wed Oct 21 15:16:23 2020 (expires in 7 days) > > Rpm Name: gpg-pubkey-97a18328-5b7184a7 > > > > @Stefan, can you please check if key managemend in PMBS works as > > expected? > > Yes, apart from the reported problem with MakeMKV there should be no > other problem - at least I hope so :) > > GPG key handling in OBS should be automatic, usually there is no need to > manually extend the key lifetime - as far as I know, and have gathered > from OBS developers, mailinglist and IRC chat. > Upon publishing of new packages the repository is recreated. If the GPG > key is expired (or perhaps near expiring - IDK), the key's lifetime is > extended, and the repo is signed with the extended key. > > Of course you can manually extend the key for your repo, and you did so > successfully. Have a look at > https://pmbs.links2linux.de/project/show/home:manfred.h > and click on the "GPG Key / SSL Certificate" link. This will show you > the expiry date of Dec 23rd, 2022, and gives your the opportunity to > download the public key. > > Your repository on the other hand is still signed with the "old"/non- > extended key. Once a package is rebuild and published - the package has > to be changed(!) - the repo is signed with the extended key. > This behavior is probably a shortcoming in OBS, but usually - normally - > actually - erm, how should I phrase this - packages inside a repo are > "live", and there is no week going by without changes to packages in > repos :) so you will not approach the problem with an expiring key. > It happens, though, when you have a repo with more or less static > packages inside, which do not get updated or changed due to rebuilds.
thanks a lot for the great explanation! Indeed, I mostly use my repo to check newer Kodi based stuff, which apparently happened quite some time ago... > Submit a "nonsense" package, let it build and publish, and delete the > package. Then your repo will be signed with the extended key. Will do so! Thanks again for your great work! > Greetings, > > Stefan Cheers. l8er manfred
signature.asc
Description: PGP signature
_______________________________________________ Packman mailing list Packman@links2linux.de http://lists.links2linux.de/cgi-bin/mailman/listinfo/packman
