
Bug #12230

rubygem-rdoc-3.12-12.el6.x86_64.rpm signed with revoked key

Added by Dominic Cleal over 3 years ago. Updated 8 months ago.

Status: Closed
Priority: Normal
Category: RPMs

Description

In the 1.10 EL6 repo, the rubygem-rdoc package is signed with our revoked (2014) key e775ff07:

$ rpm -qip "http://yum.theforeman.org/releases/1.10/el6/x86_64/rubygem-rdoc-3.12-12.el6.x86_64.rpm" | grep Key
warning: http://yum.theforeman.org/releases/1.10/el6/x86_64/rubygem-rdoc-3.12-12.el6.x86_64.rpm: Header V4 RSA/SHA1 Signature, key ID e775ff07: NOKEY
Signature   : RSA/SHA1, Thu 12 Sep 2013 12:31:54 BST, Key ID 66cf053fe775ff07

1.9 seems unaffected, so something's wrong in the 1.10 signing process.
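A repo-side check for the two failure modes in this report (a package signed with the revoked e775ff07 key, and packages with no signature at all), as an added example that is not part of the Foreman project or of this issue. It parses the "Signature :" line of rpm -qip output; the trusted key id is an assumed placeholder, and the sample outputs are constructed to match the report.

```python
"""Flag RPMs signed with a revoked key, or not signed at all, from rpm -qip output."""
import re
import subprocess
from typing import Optional

# Short (8 hex digit) key ids. e775ff07 is the revoked 2014 key from the
# report above; TRUSTED_KEY_IDS holds an assumed placeholder for the key a
# release should be signed with (not a real Foreman key id).
REVOKED_KEY_IDS = {"e775ff07"}
TRUSTED_KEY_IDS = {"deadbeef"}

SIG_LINE = re.compile(r"^Signature\s*:\s*(.*)$", re.MULTILINE)
KEY_ID = re.compile(r"Key ID ([0-9a-fA-F]{8,16})")


def signature_key_id(rpm_info: str) -> Optional[str]:
    """Return the short key id from the 'Signature :' line, or None if unsigned."""
    m = SIG_LINE.search(rpm_info)
    if not m or m.group(1).strip() == "(none)":
        return None
    k = KEY_ID.search(m.group(1))
    # rpm prints the long id; the last 8 hex digits are the short id shown in NOKEY warnings.
    return k.group(1)[-8:].lower() if k else None


def classify(rpm_info: str) -> str:
    """Map rpm -qip output to one of: ok, revoked-key, unknown-key, unsigned."""
    key = signature_key_id(rpm_info)
    if key is None:
        return "unsigned"
    if key in REVOKED_KEY_IDS:
        return "revoked-key"
    return "ok" if key in TRUSTED_KEY_IDS else "unknown-key"


def audit_rpm(path: str) -> str:
    """Run rpm -qip on a local package file and classify its signature (needs rpm installed)."""
    out = subprocess.run(["rpm", "-qip", path], capture_output=True, text=True)
    return classify(out.stdout)


# Constructed sample outputs modelled on the report above.
REVOKED_SAMPLE = ("Name        : rubygem-rdoc\n"
                  "Signature   : RSA/SHA1, Thu 12 Sep 2013 12:31:54 BST, Key ID 66cf053fe775ff07\n")
UNSIGNED_SAMPLE = "Name        : placeholder-rhscl-package\nSignature   : (none)\n"

if __name__ == "__main__":
    for name, sample in (("rubygem-rdoc", REVOKED_SAMPLE), ("rhscl package", UNSIGNED_SAMPLE)):
        print(name, classify(sample))
```

Run audit_rpm over every file in a mash output directory and fail the release job on anything other than "ok"; that is the check strict_keys is meant to provide, done independently of the mash config.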

History

#1 Updated by Dominic Cleal over 3 years ago

Both rhscl packages in both el6/7 are missing signatures too.

How we call foreman-bats for releases (not nightly) needs checking to ensure it follows the code path to install foreman-release instead of a custom repo file with gpgcheck=0.

#2 Updated by Dominic Cleal over 3 years ago

  • Status changed from New to Assigned
  • Assignee set to Dominic Cleal

Dominic Cleal wrote:

Both rhscl packages in both el6/7 are missing signatures too.

Fixed; the paths on Koji had changed due to my renaming of mashes to add a "-dist" extension (due to tag inheritance changes). Docs updated.

#3 Updated by Dominic Cleal over 3 years ago

  • Status changed from Assigned to Closed
  • % Done changed from 0 to 100

The mash config was incorrect: it had strict_keys set to false as I'd copied the file from nightly instead of 1.9 (due to -dist changes), so it wasn't verifying the repo was written with the right signed RPM. The GPG key was also incorrect. Docs also updated.

#4 Updated by Dominic Cleal over 3 years ago

Dominic Cleal wrote:

How we call foreman-bats for releases (not nightly) needs checking to ensure it follows the code path to install foreman-release instead of a custom repo file with gpgcheck=0.

https://github.com/theforeman/foreman-bats/pull/88 should ensure we inherit the GPG settings from foreman-release when testing a custom repo.
