Recent Kolab 16 packages are signed with wrong/new key
Closed, ResolvedPublic

Description

Apparently some packages are signed with the wrong/new key.

rpm -qp /var/cache/yum/x86_64/7/Kolab_16/packages/roundcubemail-plugin-kolab_files-assets-3.3.6-2.3.el7.kolab_16.noarch.rpm
warning: /var/cache/yum/x86_64/7/Kolab_16/packages/roundcubemail-plugin-kolab_files-assets-3.3.6-2.3.el7.kolab_16.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID 0038d0db: NOKEY

rpm -K --verbose /var/cache/yum/x86_64/7/Kolab_16/packages/libkolabxml-1.2-6.4.el7.kolab_16.x86_64.rpm
/var/cache/yum/x86_64/7/Kolab_16/packages/libkolabxml-1.2-6.4.el7.kolab_16.x86_64.rpm:

Header V3 RSA/SHA1 Signature, key ID 0038d0db: NOKEY
Header SHA1 digest:  OK (f14a5f1689cb333a3c5c416ab38a879dfc92c919)
V3 RSA/SHA1 Signature, key ID 0038d0db: NOKEY
MD5 digest:  OK (40553cc4a20d1e18132dc69ca7baeff9)

The older packages are signed with a different key.
kolab-16.0.1-12.1.el7.kolab_16.x86_64.rpm:

Header V3 RSA/SHA1 Signature, key ID 446d5a45: OK
Header SHA1 digest:  OK (944a40103a859924923077b5115d46c709b49480)
V3 RSA/SHA1 Signature, key ID 446d5a45: OK
MD5 digest:  OK (2750ec596d65edb31583162b62d29fdc)

Details

Ticket Type
Task
ralf created this task. May 29 2018, 9:19 AM

Preventing updates:

warning: /var/cache/yum/Kolab_16/packages/roundcubemail-plugin-kolab_2fa-assets-3.3.6-2.3.el7.kolab_16.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID 0038d0db: NOKEY

Public key for roundcubemail-plugin-kolab_2fa-assets-3.3.6-2.3.el7.kolab_16.noarch.rpm is not installed
ralf raised the priority of this task from 40 to High. May 30 2018, 2:02 PM
ralf assigned this task to vanmeeuwen.
Whvneo added a subscriber: Whvneo. Jun 3 2018, 3:33 PM
sicherha renamed this task from Recent Kolab 16 CentOS packages are signed with wrong/new key to Recent Kolab 16 packages are signed with wrong/new key.
sicherha added a comment. Edited Jun 9 2018, 11:48 AM

On RPM-based distributions, this can be worked around by using the --nogpgcheck flag.
On Debian and derivatives, the signature check can be disabled by marking the repository as [trusted=yes] and removing /var/lib/apt/lists/obs.kolabsys.com_repositories_*.

In either case, I strongly recommend switching the repository URL to https://.

ralf added a comment. Jun 11 2018, 4:25 PM

What is the point in signing the packages if the signature cannot be checked? Why don't you publish the new key?


The current signing-key mixup is not intended - it's an artefact from the upgrade of the OBS software that was performed recently. Unfortunately, the upgrade didn't go as smoothly as hoped for. Most of the resulting fallout has already been cleared without anybody even noticing, but the key issue still remains open at the moment.

Sadly, fixing this is not simply a matter of clicking on one button. If I may quote the person in charge, it takes a lot of "research in what the fsck this build system is doing exactly".

This is being worked on, but it's not going to happen over night. Fortunately a workaround exists; see above.

As far as I can tell, the main problem now appears to be resolved. However, the key distributed at https://ssl.kolabsys.com/community.asc is still the old one.

For now, the new key can be downloaded from either of the following URLs:

Please go test and report back.

ralf added a comment. Jun 19 2018, 1:08 PM

Hi.
Works nicely. Thanks a lot.

As of today, the following Kolab 16 CentOS_7 packages are signed with 830c2bcf446d5a45, https://obs.kolabsys.com/repositories/Kolab:/16/CentOS_7/repodata/repomd.xml.key :

kolab-schema
kolab-conf
kolab-ldap
kolab-mta
kolab-webclient
kolab-imap
chwala
kolab
kolab-autoconf

All others are signed with a01d0ca80038d0db, https://ssl.kolabsys.com/community.asc.

Can we get them all signed with the same key? Thanks!
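The per-package key listing above, and the earlier advice to work around NOKEY with --nogpgcheck, both come down to one question: which key signed each cached RPM, and is that key actually imported into the rpm database? The script below is an added example, not code from this ticket or from the Kolab project. It uses the real rpm query formats `rpm -qp --qf '%{NAME}\t%{SIGPGP:pgpsig}\n'` (signature line per package) and `rpm -q gpg-pubkey --qf '%{VERSION}\n'` (short IDs of imported keys), but runs here on a constructed sample so it works offline; the package names are taken from the ticket, while the dates, the unsigned package and the imported-key list are invented for illustration.

```shell
#!/bin/sh
# Added example (not Kolab project code): audit which OpenPGP key signed each
# RPM and report keys that would trigger NOKEY, so the right key gets imported
# instead of disabling signature checks with --nogpgcheck / [trusted=yes].
#
# Real input, one TAB-separated line per package:
#   rpm -qp --qf '%{NAME}\t%{SIGPGP:pgpsig}\n' /var/cache/yum/x86_64/7/Kolab_16/packages/*.rpm
# Real list of imported keys (short key IDs, one per line):
#   rpm -q gpg-pubkey --qf '%{VERSION}\n'

# Constructed sample in the %{SIGPGP:pgpsig} format; names from the ticket,
# dates and the unsigned package invented.
SAMPLE=$(printf '%s\t%s\n' \
  kolab-schema 'RSA/SHA1, Tue 19 Jun 2018 10:02:11 AM CEST, Key ID 830c2bcf446d5a45' \
  kolab        'RSA/SHA1, Tue 19 Jun 2018 10:05:40 AM CEST, Key ID 830c2bcf446d5a45' \
  libkolabxml  'RSA/SHA1, Mon 28 May 2018 06:12:03 PM CEST, Key ID a01d0ca80038d0db' \
  roundcubemail-plugin-kolab_files-assets 'RSA/SHA1, Mon 28 May 2018 06:12:03 PM CEST, Key ID a01d0ca80038d0db' \
  some-unsigned-pkg '(none)')

# Constructed: short IDs already imported into the rpm database. Only the old
# Kolab key is present, mirroring the NOKEY state reported in the ticket.
IMPORTED='446d5a45'

# signing_keys: read NAME<TAB>SIG lines on stdin and print one line per key:
#   <long key id> <package count> <package names...>
# Packages without a signature are grouped under the pseudo key UNSIGNED.
signing_keys() {
  awk -F'\t' '
    {
      key = "UNSIGNED"
      if (match($2, /Key ID [0-9a-fA-F]+/))
        key = tolower(substr($2, RSTART + 7, RLENGTH - 7))
      count[key]++
      names[key] = (names[key] == "" ? "" : names[key] " ") $1
    }
    END { for (k in count) printf "%s %d %s\n", k, count[k], names[k] }
  ' | LC_ALL=C sort
}

# distinct_signers: number of distinct real keys on stdin (UNSIGNED excluded).
# More than one means the repository is in the mixed state the ticket describes.
distinct_signers() {
  signing_keys | awk '$1 != "UNSIGNED" { n++ } END { print n + 0 }'
}

# missing_keys: print long key IDs on stdin whose short form (last 8 hex digits)
# is not in $1, a whitespace-separated list of imported short IDs.
# Every key printed here is one that rpm -K / yum would report as NOKEY.
missing_keys() {
  imported=" $1 "
  signing_keys | while read -r key _count _names; do
    [ "$key" = UNSIGNED ] && continue
    short=${key#????????}
    case "$imported" in
      *" $short "*) ;;
      *) printf '%s\n' "$key" ;;
    esac
  done
}

# repo_consistent: exit 0 only when every package on stdin is signed, all by a
# single key, and that key is among the imported short IDs in $1.
repo_consistent() {
  input=$(cat)
  n=$(printf '%s\n' "$input" | distinct_signers)
  [ "$n" -eq 1 ] || return 1
  [ -z "$(printf '%s\n' "$input" | missing_keys "$1")" ] || return 1
  ! printf '%s\n' "$input" | signing_keys | grep -q '^UNSIGNED '
}

# Stand-alone run on the sample: per-key summary, then the verdict.
printf '%s\n' "$SAMPLE" | signing_keys
if printf '%s\n' "$SAMPLE" | repo_consistent "$IMPORTED"; then
  echo "OK: all packages signed with one imported key"
else
  echo "PROBLEM: mixed or unknown signing keys; import the right key instead of using --nogpgcheck"
  printf '%s\n' "$SAMPLE" | missing_keys "$IMPORTED" | sed 's/^/  NOKEY for key: /'
fi
```

On a real host, replace the two constructed variables with the rpm queries named in the comments and pipe the package list into `repo_consistent "$(rpm -q gpg-pubkey --qf '%{VERSION} ')"`; a non-zero exit tells you that either a key is missing (import it after checking its fingerprint over https) or that the repository itself is still signed with two different keys, which no client-side key import will fix.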

Now that we have the GPG key thing in the OBS sorted, perhaps it is time to rebuild all of Kolab:16 indeed, and refresh what is referred to as community.asc.

Going about it now. Patience may be required.

vanmeeuwen closed this task as Resolved. Aug 21 2018, 7:28 PM

As the 750+ packages are now rebuilding, I'm going to declare this issue as resolved. Please reopen / create a new ticket should some discrepancies persist.

The manticore project didn't seem to get built, so "setup-kolab manticore" (referenced on https://docs.kolab.org/upgrade-guide/kolab-16.html) gives:

2018-08-22 18:54:51,835 pykolab.setup ERROR [21612] Manticore is not installed on this system