GPG signing RPM packages : must not have subkeys

All of lore.kernel.org
 help / color / mirror / Atom feed

* GPG signing RPM packages : must not have subkeys
@ 2016-03-15 17:28 Loic Dachary
  2016-03-15 19:25 ` Martin Palma
  0 siblings, 1 reply; 4+ messages in thread
From: Loic Dachary @ 2016-03-15 17:28 UTC (permalink / raw)
  To: Martin Palma; +Cc: Ceph Development

Hi Martin,

It turns out that the key created by 

KEY="$HOME/.ceph-workbench/release-team-key.asc"
if ! test -f $KEY ; then
  printf "Key-Type: 1\nKey-Length: 2048\nSubkey-Type: 1\nSubkey-Length: 2048\nName-Real: Release Team\nName-Email: contact@ceph.com\nExpire-Date: 0" | GNUPGHOME=~/.ceph-workbench gpg --batch --gen-key
  GNUPGHOME=~/.ceph-workbench gpg --export --armor > $KEY
fi

cannot be used to verify RPM packages: rpm -K on the signed package claims the 69C8876E key is missing. It turns out to be related to the subkey. 

--------------------------------------------
pub   2048R/B8F1ACED 2016-03-11
      Key fingerprint = 7FEB E845 6F19 153B AAFC  2810 4597 2ACD B8F1 ACED
uid                  A Contributor <generous@ceph.com>
sub   2048R/69C8876E 2016-03-11

rpm -K complains that the 69C8876E key is not available. After removing the subkey 69C8876E with gpg --edit-key and signing the RPM again, rpm -K is happy. This does not make any sense to me and I suspect there is an expert explanation that justify this behavior. The sensible way out seems to create a passwordless key with no subkey to avoid that problem. Do you happen to know how that can be done ?

Cheers

-- 
Loïc Dachary, Artisan Logiciel Libre
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: GPG signing RPM packages : must not have subkeys
  2016-03-15 17:28 GPG signing RPM packages : must not have subkeys Loic Dachary
@ 2016-03-15 19:25 ` Martin Palma
  2016-03-16  7:55   ` Loic Dachary
  0 siblings, 1 reply; 4+ messages in thread
From: Martin Palma @ 2016-03-15 19:25 UTC (permalink / raw)
  To: Loic Dachary; +Cc: Ceph Development

If I remember it right I read somewhere that verification with
sub-keys is not implemented in rpm.

To create a passwordless key with no subkey you can simple leave out
the Subkey-Type and Subkey-Length I think:


KEY="$HOME/.ceph-workbench/release-team-key.asc"
if ! test -f $KEY ; then
  printf "Key-Type: 1\nKey-Length: 2048\nName-Real: Release
Team\nName-Email: contact@ceph.com\nExpire-Date: 0" |
GNUPGHOME=~/.ceph-workbench gpg --batch --gen-key
  GNUPGHOME=~/.ceph-workbench gpg --export --armor > $KEY
fi

Can you verify that?

Best,
Martin

On Tue, Mar 15, 2016 at 6:28 PM, Loic Dachary <loic@dachary.org> wrote:
> Hi Martin,
>
> It turns out that the key created by
>
> KEY="$HOME/.ceph-workbench/release-team-key.asc"
> if ! test -f $KEY ; then
>   printf "Key-Type: 1\nKey-Length: 2048\nSubkey-Type: 1\nSubkey-Length: 2048\nName-Real: Release Team\nName-Email: contact@ceph.com\nExpire-Date: 0" | GNUPGHOME=~/.ceph-workbench gpg --batch --gen-key
>   GNUPGHOME=~/.ceph-workbench gpg --export --armor > $KEY
> fi
>
> cannot be used to verify RPM packages: rpm -K on the signed package claims the 69C8876E key is missing. It turns out to be related to the subkey.
>
> --------------------------------------------
> pub   2048R/B8F1ACED 2016-03-11
>       Key fingerprint = 7FEB E845 6F19 153B AAFC  2810 4597 2ACD B8F1 ACED
> uid                  A Contributor <generous@ceph.com>
> sub   2048R/69C8876E 2016-03-11
>
> rpm -K complains that the 69C8876E key is not available. After removing the subkey 69C8876E with gpg --edit-key and signing the RPM again, rpm -K is happy. This does not make any sense to me and I suspect there is an expert explanation that justify this behavior. The sensible way out seems to create a passwordless key with no subkey to avoid that problem. Do you happen to know how that can be done ?
>
> Cheers
>
> --
> Loïc Dachary, Artisan Logiciel Libre
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: GPG signing RPM packages : must not have subkeys
  2016-03-15 19:25 ` Martin Palma
@ 2016-03-16  7:55   ` Loic Dachary
  2016-03-16  8:10     ` Martin Palma
  0 siblings, 1 reply; 4+ messages in thread
From: Loic Dachary @ 2016-03-16  7:55 UTC (permalink / raw)
  To: Martin Palma; +Cc: Ceph Development

Hi Martin,

It works indeed ! Thanks :-)

Cheers

On 15/03/2016 20:25, Martin Palma wrote:
> If I remember it right I read somewhere that verification with
> sub-keys is not implemented in rpm.
> 
> To create a passwordless key with no subkey you can simple leave out
> the Subkey-Type and Subkey-Length I think:
> 
> 
> KEY="$HOME/.ceph-workbench/release-team-key.asc"
> if ! test -f $KEY ; then
>   printf "Key-Type: 1\nKey-Length: 2048\nName-Real: Release
> Team\nName-Email: contact@ceph.com\nExpire-Date: 0" |
> GNUPGHOME=~/.ceph-workbench gpg --batch --gen-key
>   GNUPGHOME=~/.ceph-workbench gpg --export --armor > $KEY
> fi
> 
> Can you verify that?
> 
> Best,
> Martin
> 
> On Tue, Mar 15, 2016 at 6:28 PM, Loic Dachary <loic@dachary.org> wrote:
>> Hi Martin,
>>
>> It turns out that the key created by
>>
>> KEY="$HOME/.ceph-workbench/release-team-key.asc"
>> if ! test -f $KEY ; then
>>   printf "Key-Type: 1\nKey-Length: 2048\nSubkey-Type: 1\nSubkey-Length: 2048\nName-Real: Release Team\nName-Email: contact@ceph.com\nExpire-Date: 0" | GNUPGHOME=~/.ceph-workbench gpg --batch --gen-key
>>   GNUPGHOME=~/.ceph-workbench gpg --export --armor > $KEY
>> fi
>>
>> cannot be used to verify RPM packages: rpm -K on the signed package claims the 69C8876E key is missing. It turns out to be related to the subkey.
>>
>> --------------------------------------------
>> pub   2048R/B8F1ACED 2016-03-11
>>       Key fingerprint = 7FEB E845 6F19 153B AAFC  2810 4597 2ACD B8F1 ACED
>> uid                  A Contributor <generous@ceph.com>
>> sub   2048R/69C8876E 2016-03-11
>>
>> rpm -K complains that the 69C8876E key is not available. After removing the subkey 69C8876E with gpg --edit-key and signing the RPM again, rpm -K is happy. This does not make any sense to me and I suspect there is an expert explanation that justify this behavior. The sensible way out seems to create a passwordless key with no subkey to avoid that problem. Do you happen to know how that can be done ?
>>
>> Cheers
>>
>> --
>> Loïc Dachary, Artisan Logiciel Libre
> --
> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
> 

-- 
Loïc Dachary, Artisan Logiciel Libre
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: GPG signing RPM packages : must not have subkeys
  2016-03-16  7:55   ` Loic Dachary
@ 2016-03-16  8:10     ` Martin Palma
  0 siblings, 0 replies; 4+ messages in thread
From: Martin Palma @ 2016-03-16  8:10 UTC (permalink / raw)
  To: Loic Dachary; +Cc: Ceph Development

Perfekt!! :-)

On Wed, Mar 16, 2016 at 8:55 AM, Loic Dachary <loic@dachary.org> wrote:
> Hi Martin,
>
> It works indeed ! Thanks :-)
>
> Cheers
>
> On 15/03/2016 20:25, Martin Palma wrote:
>> If I remember it right I read somewhere that verification with
>> sub-keys is not implemented in rpm.
>>
>> To create a passwordless key with no subkey you can simple leave out
>> the Subkey-Type and Subkey-Length I think:
>>
>>
>> KEY="$HOME/.ceph-workbench/release-team-key.asc"
>> if ! test -f $KEY ; then
>>   printf "Key-Type: 1\nKey-Length: 2048\nName-Real: Release
>> Team\nName-Email: contact@ceph.com\nExpire-Date: 0" |
>> GNUPGHOME=~/.ceph-workbench gpg --batch --gen-key
>>   GNUPGHOME=~/.ceph-workbench gpg --export --armor > $KEY
>> fi
>>
>> Can you verify that?
>>
>> Best,
>> Martin
>>
>> On Tue, Mar 15, 2016 at 6:28 PM, Loic Dachary <loic@dachary.org> wrote:
>>> Hi Martin,
>>>
>>> It turns out that the key created by
>>>
>>> KEY="$HOME/.ceph-workbench/release-team-key.asc"
>>> if ! test -f $KEY ; then
>>>   printf "Key-Type: 1\nKey-Length: 2048\nSubkey-Type: 1\nSubkey-Length: 2048\nName-Real: Release Team\nName-Email: contact@ceph.com\nExpire-Date: 0" | GNUPGHOME=~/.ceph-workbench gpg --batch --gen-key
>>>   GNUPGHOME=~/.ceph-workbench gpg --export --armor > $KEY
>>> fi
>>>
>>> cannot be used to verify RPM packages: rpm -K on the signed package claims the 69C8876E key is missing. It turns out to be related to the subkey.
>>>
>>> --------------------------------------------
>>> pub   2048R/B8F1ACED 2016-03-11
>>>       Key fingerprint = 7FEB E845 6F19 153B AAFC  2810 4597 2ACD B8F1 ACED
>>> uid                  A Contributor <generous@ceph.com>
>>> sub   2048R/69C8876E 2016-03-11
>>>
>>> rpm -K complains that the 69C8876E key is not available. After removing the subkey 69C8876E with gpg --edit-key and signing the RPM again, rpm -K is happy. This does not make any sense to me and I suspect there is an expert explanation that justify this behavior. The sensible way out seems to create a passwordless key with no subkey to avoid that problem. Do you happen to know how that can be done ?
>>>
>>> Cheers
>>>
>>> --
>>> Loïc Dachary, Artisan Logiciel Libre
>> --
>> To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
>> the body of a message to majordomo@vger.kernel.org
>> More majordomo info at  http://vger.kernel.org/majordomo-info.html
>>
>
> --
> Loïc Dachary, Artisan Logiciel Libre
--
To unsubscribe from this list: send the line "unsubscribe ceph-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, other threads:[~2016-03-16  8:10 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2016-03-15 17:28 GPG signing RPM packages : must not have subkeys Loic Dachary
2016-03-15 19:25 ` Martin Palma
2016-03-16  7:55   ` Loic Dachary
2016-03-16  8:10     ` Martin Palma

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.