
Recent Kolab 16 packages are signed with wrong/new key
Closed, Resolved (Public)

Description

Apparently some packages are signed with the wrong/new key.

rpm -qp /var/cache/yum/x86_64/7/Kolab_16/packages/roundcubemail-plugin-kolab_files-assets-3.3.6-2.3.el7.kolab_16.noarch.rpm
Warnung: /var/cache/yum/x86_64/7/Kolab_16/packages/roundcubemail-plugin-kolab_files-assets-3.3.6-2.3.el7.kolab_16.noarch.rpm: Header V3 RSA/SHA1 Signature, Schlüssel-ID 0038d0db: NOKEY

rpm -K --verbose /var/cache/yum/x86_64/7/Kolab_16/packages/libkolabxml-1.2-6.4.el7.kolab_16.x86_64.rpm
/var/cache/yum/x86_64/7/Kolab_16/packages/libkolabxml-1.2-6.4.el7.kolab_16.x86_64.rpm:

Header V3 RSA/SHA1 Signature, Schlüssel-ID 0038d0db: NOKEY
SHA1-Kurzfassung des Headers:  OK (f14a5f1689cb333a3c5c416ab38a879dfc92c919)
V3 RSA/SHA1 Signature, Schlüssel-ID 0038d0db: NOKEY
MD5-Kurzfassung:  OK (40553cc4a20d1e18132dc69ca7baeff9)

The older packages are signed with a different key.
kolab-16.0.1-12.1.el7.kolab_16.x86_64.rpm:

Header V3 RSA/SHA1 Signature, Schlüssel-ID 446d5a45: OK
SHA1-Kurzfassung des Headers:  OK (944a40103a859924923077b5115d46c709b49480)
V3 RSA/SHA1 Signature, Schlüssel-ID 446d5a45: OK
MD5-Kurzfassung:  OK (2750ec596d65edb31583162b62d29fdc)
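Added example (not part of the ticket or of the Kolab project's tooling): a small POSIX shell helper that parses rpm -K --verbose output, and yum's single-line "warning:" form, and reports per package which key ID signed it and whether rpm knows that key. It makes a mixed-key repository like the one shown above visible in one listing before anything is installed. The sample input is constructed from the lines quoted in this ticket; the function names and the gpg-pubkey comparison are this example's own.

```shell
# Constructed sample: the rpm -K --verbose and yum warning lines quoted in this
# ticket (German and English locale output), standing in for real output.
SAMPLE='/var/cache/yum/x86_64/7/Kolab_16/packages/libkolabxml-1.2-6.4.el7.kolab_16.x86_64.rpm:
Header V3 RSA/SHA1 Signature, Schlüssel-ID 0038d0db: NOKEY
SHA1-Kurzfassung des Headers:  OK (f14a5f1689cb333a3c5c416ab38a879dfc92c919)
V3 RSA/SHA1 Signature, Schlüssel-ID 0038d0db: NOKEY
MD5-Kurzfassung:  OK (40553cc4a20d1e18132dc69ca7baeff9)
/var/cache/yum/x86_64/7/Kolab_16/packages/kolab-16.0.1-12.1.el7.kolab_16.x86_64.rpm:
Header V3 RSA/SHA1 Signature, Schlüssel-ID 446d5a45: OK
V3 RSA/SHA1 Signature, Schlüssel-ID 446d5a45: OK
warning: /var/cache/yum/Kolab_16/packages/roundcubemail-plugin-kolab_2fa-assets-3.3.6-2.3.el7.kolab_16.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID 0038d0db: NOKEY'

# Read rpm -K --verbose (or yum warning) text on stdin; print one line per
# package: "<file> <keyid> <OK|NOKEY>". Only the trailing "ID: STATUS" fields
# are parsed, so the locale of the surrounding words does not matter.
summarize_sigs() {
  awk '
    # Per-file header of verbose output: "<path>.rpm:"
    /\.rpm:$/ { pkg = $1; sub(/:$/, "", pkg); sub(/.*\//, "", pkg); next }
    /Signature, / {
      # A single-line yum warning carries the path itself: "warning: <path>.rpm: Header ..."
      if (match($0, /\/[^ ]*\.rpm: /)) {
        pkg = substr($0, RSTART, RLENGTH - 2); sub(/.*\//, "", pkg)
      }
      key = $(NF - 1); sub(/:$/, "", key)   # "0038d0db:" -> "0038d0db"
      line = pkg " " key " " $NF            # header and body lines repeat the same key
      if (!(line in seen)) { seen[line] = 1; print line }
    }'
}

# Distinct key IDs with status and package count: "<keyid> <status> <count>".
# More than one key ID, or any NOKEY, is the condition this ticket describes.
keys_in_use() {
  summarize_sigs | awk '{ n[$2 " " $3]++ } END { for (k in n) print k, n[k] }' | sort
}

# Stand-alone run on the sample. On a real host pipe in
#   rpm -K --verbose /var/cache/yum/x86_64/7/Kolab_16/packages/*.rpm
# and compare the key IDs with the installed ones: rpm -q gpg-pubkey --qf '%{VERSION}\n'
printf '%s\n' "$SAMPLE" | summarize_sigs
printf '%s\n' "$SAMPLE" | keys_in_use
```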

Details

Ticket Type
Task

Event Timeline

Preventing updates:

warning: /var/cache/yum/Kolab_16/packages/roundcubemail-plugin-kolab_2fa-assets-3.3.6-2.3.el7.kolab_16.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID 0038d0db: NOKEY

Public key for roundcubemail-plugin-kolab_2fa-assets-3.3.6-2.3.el7.kolab_16.noarch.rpm is not installed
ralf raised the priority of this task from 40 to High.
sicherha renamed this task from Recent Kolab 16 CentOS packages are signed with wrong/new key to Recent Kolab 16 packages are signed with wrong/new key. (Jun 9 2018, 11:43 AM)

On RPM-based distributions, this can be worked around by using the --nogpgcheck flag.
On Debian and derivatives, the signature check can be disabled by marking the repository as [trusted=yes] and removing /var/lib/apt/lists/obs.kolabsys.com_repositories_*.

In either case, I strongly recommend switching the repository URL to https://.

What is the point in signing the packages if the signature cannot be checked? Why don't you publish the new key?

This comment was removed by ralf.

The current signing-key mixup is not intended - it's an artefact from the upgrade of the OBS software that was performed recently. Unfortunately, the upgrade didn't go as smoothly as hoped for. Most of the resulting fallout has already been cleared without anybody even noticing, but the key issue still remains open at the moment.

Sadly, fixing this is not simply a matter of clicking on one button. If I may quote the person in charge, it takes a lot of "research in what the fsck this build system is doing exactly".

This is being worked on, but it's not going to happen overnight. Fortunately a workaround exists; see above.

As far as I can tell, the main problem now appears to be resolved. However, the key distributed at https://ssl.kolabsys.com/community.asc is still the old one.

For now, the new key can be downloaded from either of the following URLs:

Please go test and report back.

Hi.
Works nicely. Thanks a lot.

As of today, the following Kolab 16 CentOS_7 packages are signed with 830c2bcf446d5a45 (https://obs.kolabsys.com/repositories/Kolab:/16/CentOS_7/repodata/repomd.xml.key):

kolab-schema
kolab-conf
kolab-ldap
kolab-mta
kolab-webclient
kolab-imap
chwala
kolab
kolab-autoconf

All others are signed with a01d0ca80038d0db (https://ssl.kolabsys.com/community.asc).

Can we get them all signed with the same key? Thanks!

Now that we have the GPG key thing in the OBS sorted, perhaps it is time to rebuild all of Kolab:16 indeed, and refresh what is referred to as community.asc.

Going about it now. Patience may be required.

As the 750+ packages are now rebuilding, I'm going to declare this issue as resolved. Please reopen / create a new ticket should some discrepancies persist.

The manticore project didn't seem to get built, so "setup-kolab manticore" (referenced on https://docs.kolab.org/upgrade-guide/kolab-16.html) gives:

2018-08-22 18:54:51,835 pykolab.setup ERROR [21612] Manticore is not installed on this system

I just did a fresh Kolab install on CentOS 7 and got this:

warning: /var/cache/yum/x86_64/7/Kolab_16/packages/pytz-2015.7-2.8.el7.kolab_16.noarch.rpm: Header V3 RSA/SHA1 Signature, key ID 446d5a45: NOKEY

Public key for pytz-2015.7-2.8.el7.kolab_16.noarch.rpm is not installed

UPDATE: I did try to import the newer key:

# rpm --import https://obs.kolabsys.com/repositories/Kolab:/16/CentOS_7/repodata/repomd.xml.key

But I still get the same error on install.

vanmeeuwen moved this task from Backlog to Done on the Engineering & Operations board.

Should be fixed by removing pytz from our repositories.