And this time the RPMs were signed properly!
Thanks!
2015-12-25 10:49 GMT+09:00 Hiroaki Nakamura <hnakamur(a)gmail.com>:
Hi.
I checked the value for the Signature header of another rpm I built,
which I can successfully install with yum.
The project page is
https://copr.fedoraproject.org/coprs/hnakamur/nodejs/
I installed the nodejs rpm with the following command.
```
$ (cd /etc/yum.repos.d && sudo curl -sLO https://copr.fedoraproject.org/coprs/hnakamur/nodejs/repo/epel-7/hnakamur...)
$ sudo yum -y install nodejs
```
And I checked the value for the Signature header.
```
$ rpm -qi nodejs
Name : nodejs
Version : 4.2.4
Release : 1.el7.centos
Architecture: x86_64
Install Date: Fri Dec 25 01:42:38 2015
Group : Development/Libraries
Size : 21159862
License : MIT License
Signature : RSA/SHA1, Fri Dec 25 01:39:27 2015, Key ID 171a73c11efd624f
Source RPM : nodejs-4.2.4-1.el7.centos.src.rpm
Build Date : Fri Dec 25 01:39:02 2015
Build Host : copr-builder-457549204.novalocal
Relocations : /usr
Packager : Kazuhisa Hara <kazuhisya(a)gmail.com>
Vendor : Fedora Project COPR (hnakamur/nodejs)
URL : https://nodejs.org
Summary : Node.js is a server-side JavaScript environment that uses an asynchronous event-driven model.
Description :
Node.js is a server-side JavaScript environment that uses an
asynchronous event-driven model.
This allows Node.js to get excellent performance based on the
architectures of many Internet applications.
```
The value of the Signature header is "RSA/SHA1, Fri Dec 25 01:39:27
2015, Key ID 171a73c11efd624f",
which is different from the value of "(none)" for
hn-python2-python-libs as I wrote in my previous mail.
Why did the difference happen?
2015-12-25 1:10 GMT+09:00 Hiroaki Nakamura <hnakamur(a)gmail.com>:
> Hi.
>
> I read the yum source code.
>
> The message 'Package xxx is not signed' is printed at the line 2175 of
> yum/__init__.py.
>
>
> http://yum.baseurl.org/gitweb?p=yum.git;a=blob;f=yum/__init__.py;h=99039e...
>
> ```
> 2146 ts = self.rpmdb.readOnlyTS()
> 2147 sigresult = rpmUtils.miscutils.checkSig(ts, po.localPkg())
> 2148 localfn = os.path.basename(po.localPkg())
> 2149
> 2150 if sigresult == 0:
> 2151     result = 0
> 2152     msg = ''
> 2153
> 2154 elif sigresult == 1:
> 2155     if hasgpgkey:
> 2156         result = 1
> 2157     else:
> 2158         result = 2
> 2159     msg = _('Public key for %s is not installed') % localfn
> 2160
> 2161 elif sigresult == 2:
> 2162     result = 2
> 2163     msg = _('Problem opening package %s') % localfn
> 2164
> 2165 elif sigresult == 3:
> 2166     if hasgpgkey:
> 2167         result = 1
> 2168     else:
> 2169         result = 2
> 2170     result = 1
> 2171     msg = _('Public key for %s is not trusted') % localfn
> 2172
> 2173 elif sigresult == 4:
> 2174     result = 2
> 2175     msg = _('Package %s is not signed') % localfn
> ```
>
> The case for return value of checkSig is 4 is at the line 88 in
> rpmUtils/miscutils.py.
>
>
> http://yum.baseurl.org/gitweb?p=yum.git;a=blob;f=rpmUtils/miscutils.py;h=...
>
> ```
> 61 def checkSig(ts, package):
> 62     """Takes a transaction set and a package, check it's sigs,
> 63     return 0 if they are all fine
> 64     return 1 if the gpg key can't be found
> 65     return 2 if the header is in someway damaged
> 66     return 3 if the key is not trusted
> 67     return 4 if the pkg is not gpg or pgp signed"""
> 68
> 69     value = 0
> 70     currentflags = ts.setVSFlags(0)
> 71     fdno = os.open(package, os.O_RDONLY)
> 72     try:
> 73         hdr = ts.hdrFromFdno(fdno)
> 74     except rpm.error, e:
> 75         if str(e) == "public key not availaiable":
> 76             value = 1
> 77         if str(e) == "public key not available":
> 78             value = 1
> 79         if str(e) == "public key not trusted":
> 80             value = 3
> 81         if str(e) == "error reading package header":
> 82             value = 2
> 83     else:
> 84         error, siginfo = getSigInfo(hdr)
> 85         if error == 101:
> 86             os.close(fdno)
> 87             del hdr
> 88             value = 4
> 89         else:
> 90             del hdr
> 91
> 92     try:
> 93         os.close(fdno)
> 94     except OSError, e: # if we're not opened, don't scream about it
> 95         pass
> 96
> 97     ts.setVSFlags(currentflags) # put things back like they were before
> 98     return value
> 99
> 100 def getSigInfo(hdr):
> 101     """checks signature from an hdr hand back signature information and/or
> 102     an error code"""
> 103
> 104     locale.setlocale(locale.LC_ALL, 'C')
> 105     string = '%|DSAHEADER?{%{DSAHEADER:pgpsig}}:{%|RSAHEADER?{%{RSAHEADER:pgpsig}}:{%|SIGGPG?{%{SIGGPG:pgpsig}}:{%|SIGPGP?{%{SIGPGP:pgpsig}}:{(none)}|}|}|}|'
> 106     siginfo = hdr.sprintf(string)
> 107     if siginfo != '(none)':
> 108         error = 0
> 109         sigtype, sigdate, sigid = siginfo.split(',')
> 110     else:
> 111         error = 101
> 112         sigtype = 'MD5'
> 113         sigdate = 'None'
> 114         sigid = 'None'
> 115
> 116     infotuple = (sigtype, sigdate, sigid)
> 117     return error, infotuple
> ```
>
> The case when checkSig returns 4 corresponds to the line 111 above.
>
> I ran rpm -qi to see the rpm information and I found the value of
> 'Signature' field is '(none)'. Is it OK?
>
> ```
> $ rpm -qi -p /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
> Name : hn-python2-python-libs
> Version : 2.7.11
> Release : 3.el7.centos
> Architecture: x86_64
> Install Date: (not installed)
> Group : Applications/System
> Size : 27548758
> License : Python
> Signature : (none)
> Source RPM : hn-python2-python-2.7.11-3.el7.centos.src.rpm
> Build Date : Wed Dec 23 06:45:59 2015
> Build Host : copr-builder-27528630.novalocal
> Relocations : (not relocatable)
> Vendor : Fedora Project COPR (hnakamur/hnscl-python2-python)
> URL : http://www.python.org/
> Summary : Runtime libraries for Python
> Description :
> This package contains runtime libraries for use by Python:
> - the libpython dynamic library, for use by applications that embed Python as
> a scripting language, and by the main "python" executable
> - the Python standard library
> ```
>
> On the other hand, rpm -K prints 'md5 OK' on this rpm.
>
> ```
> $ rpm -K /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
> /var/cache/yum/x86_64/7/hnakamur-hnscl-python2-python/packages/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: sha1 md5 OK
> ```
>
> Best regards,
> Hiroaki Nakamura
>
>
> 2015-12-23 23:30 GMT+09:00 Hiroaki Nakamura <hnakamur(a)gmail.com>:
>> Hi,
>>
>> 2015-12-23 18:14 GMT+09:00 Patrick Uiterwijk <puiterwijk(a)redhat.com>:
>>> Hi,
>>>
>>> The latest build of your package is correctly signed:
>>> hn-python2-python-test-2.7.11-3.el7.centos.x86_64.rpm: RSA sha1 ((MD5) PGP) md5 NOT OK (MISSING KEYS: (MD5) PGP#1256a871)
>>
>> Thanks for pointing me out.
>>
>> I installed gpg keys manually with the following commands.
>>
>> $ sudo curl -sL -o /etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/pu...
>> $ sudo curl -sL -o /etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-py...
>> $ sudo rpm --import /etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg
>> $ sudo rpm --import /etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg
>>
>> And I confirmed python-libs rpm is signed.
>>
>> $ rpm -K hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm
>> hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
>>
>> However I still got the 'is not signed' error with yum install.
>>
>> $ sudo yum install -y -v hn-python2-python
>> Loading "fastestmirror" plugin
>> Config time: 0.008
>> Yum version: 3.4.3
>> ...(snip)...
>> Package hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm is not signed
>> $ echo $?
>> 1
>>
>> I edited my *.repo files to use file:/// url for gpgkey instead of
>> https:// urls, still no luck.
>>
>> $ cat /etc/yum.repos.d/hnakamur-hnscl-python2.repo
>> [hnakamur-hnscl-python2]
>> name=Copr repo for hnscl-python2 owned by hnakamur
>> baseurl=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-py...
>> skip_if_unavailable=True
>> gpgcheck=1
>> #gpgkey=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2/pubkey.gpg
>> gpgkey=file:///etc/pki/rpm-gpg/hnscl-python2.pubkey.gpg
>> enabled=1
>> enabled_metadata=1
>> $ cat /etc/yum.repos.d/hnakamur-hnscl-python2-python.repo
>> [hnakamur-hnscl-python2-python]
>> name=Copr repo for hnscl-python2-python owned by hnakamur
>> baseurl=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-py...
>> skip_if_unavailable=True
>> gpgcheck=1
>> #gpgkey=https://copr-be.cloud.fedoraproject.org/results/hnakamur/hnscl-python2-python/pubkey.gpg
>> gpgkey=file:///etc/pki/rpm-gpg/hnscl-python2-python.pubkey.gpg
>> enabled=1
>> enabled_metadata=1
>>
>> As a workaround, I confirmed I can install my rpms with yum --nogpgcheck option.
>>
>> $ sudo yum install -y --nogpgcheck hn-python2-python
>>
>> However I'd like to install rpm without --nogpgcheck option.
>> Could you give some advice?
>>
>> Best regards,
>> Hiroaki Nakamura
>>
>>
>>>
>>> Please note that the very first build in a COPR is not always signed due to a
>>> bug (or at least, used to be), but any further builds should be signed.
>>>
>>> With kind regards,
>>> Patrick Uiterwijk
>>> Fedora Infra
>>>
>>> ----- Original Message -----
>>>> Hello.
>>>>
>>>> How to make sure rpms to be signed on copr?
>>>>
>>>> I tried to build my Python2 rpm. It was built successfully but it was
>>>> not signed.
>>>> https://copr.fedoraproject.org/coprs/hnakamur/hnscl-python2-python/
>>>>
>>>> I built other rpms and they are signed.
>>>>
>>>> https://copr.fedoraproject.org/coprs/hnakamur/varnish-head/
>>>>
>>>> https://copr.fedoraproject.org/coprs/hnakamur/libvmod-header/
>>>>
>>>> I don't know why my Python2 rpm was not signed.
>>>> I'd like to know the way to make sure rpms are signed on copr.
>>>>
>>>>
>>>> By the way, thanks for a great service like copr!
>>>> It is very useful!
>>>>
>>>> Best regards,
>>>> Hiroaki Nakamura
>>>> _______________________________________________
>>>> copr-devel mailing list
>>>> copr-devel(a)lists.fedorahosted.org
>>>> https://lists.fedorahosted.org/admin/lists/copr-devel@lists.fedorahosted.org
>>>>
>>
>>
>>
>> --
>> Hiroaki Nakamura (hnakamur(a)gmail.com)
>
>
>
> --
> Hiroaki Nakamura (hnakamur(a)gmail.com)
--
Hiroaki Nakamura (hnakamur(a)gmail.com)
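
The thread shows three different `rpm -K` results ("sha1 md5 OK", "rsa sha1 (md5) pgp md5 OK", and "NOT OK (MISSING KEYS: ...)") and a Signature field that is either "(none)" or a type/date/key-ID triple. The following is an added example, not code from yum, rpm or the posters: it classifies those legacy-format lines and splits the Signature field the same way `getSigInfo` does. The function names, result labels and the last sample line are assumptions made for illustration, and newer rpm releases print a different summary format.

```python
import re

# Signature algorithm tokens in rpm's legacy `rpm -K` summary. sha1/md5 are
# digests only: they show the file is intact, not who built it.
SIG_TOKENS = {"rsa", "dsa", "pgp", "gpg"}

def classify_rpm_k(line):
    """Classify one legacy-format `rpm -K` result line (labels are ours)."""
    # The summary follows the last ".rpm:" so the path itself is ignored.
    _, sep, summary = line.rpartition(".rpm:")
    if not sep:
        return "unparsed"
    missing_key = "MISSING KEYS" in summary
    body = summary.split("(MISSING KEYS")[0]
    tokens = {t.lower() for t in re.findall(r"[A-Za-z0-9]+", body)}
    if not tokens & SIG_TOKENS:
        return "digest-only"         # the case where yum's checkSig returns 4
    if missing_key:
        return "signed-key-missing"  # corresponds to checkSig returning 1
    if re.search(r"\bNOT OK\b", body):
        return "signed-bad"
    return "signed-verified"         # corresponds to checkSig returning 0

def parse_signature_field(value):
    """Split an `rpm -qi` Signature value on commas, as getSigInfo does."""
    if value.strip() == "(none)":
        return None                  # getSigInfo reports error 101 here
    sigtype, sigdate, sigid = (part.strip() for part in value.split(","))
    return {"type": sigtype, "date": sigdate,
            "key_id": sigid.replace("Key ID ", "")}

# First three lines are from the thread (one path shortened); the last is constructed.
SAMPLES = [
    "/var/cache/yum/hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: sha1 md5 OK",
    "hn-python2-python-libs-2.7.11-3.el7.centos.x86_64.rpm: rsa sha1 (md5) pgp md5 OK",
    "hn-python2-python-test-2.7.11-3.el7.centos.x86_64.rpm: RSA sha1 ((MD5) PGP) "
    "md5 NOT OK (MISSING KEYS: (MD5) PGP#1256a871)",
    "constructed-example-1.0-1.x86_64.rpm: RSA sha1 MD5 NOT OK",
]

def audit(lines):
    """Return the classification for each line, in order."""
    return [classify_rpm_k(line) for line in lines]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLES, audit(SAMPLES)):
        print(verdict.ljust(20), line.split(":")[0])
```

A "digest-only" result explains how `rpm -K` can report OK for a package that yum, with `gpgcheck=1`, still rejects as not signed.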