From: Andreas Reichel <andreas.reichel.ext@siemens.com>
To: Jan Kiszka <jan.kiszka@siemens.com>
Cc: isar-users@googlegroups.com, Baurzhan Ismagulov <ibr@ilbers.de>,
Maksim Osipov <mosipov@ilbers.de>
Subject: Re: [PATCH 0/1] Fix remote key fetching apt keyring
Date: Wed, 20 Feb 2019 12:47:45 +0100
Message-ID: <20190220114745.GA760@iiotirae>
In-Reply-To: <20190220113644.GA29247@iiotirae>
On Wed, Feb 20, 2019 at 12:36:44PM +0100, Andreas Reichel wrote:
> > >
> > > | I: Running command: debootstrap --arch arm64 --foreign --verbose --variant=minbase --include=locales --components=main,contrib,non-free --keyring /build/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/apt-keyring.gpg stretch /build/build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/rootfs http://ftp.debian.org/debian
> > > | I: Retrieving InRelease
> > > | I: Retrieving Release
> > > | I: Retrieving Release.gpg
> > > | I: Checking Release signature
> > > | E: Release signed by unknown key (key id EF0F382A1A7B6500)
> > >
> > > So something additionally must be done. Since I am not an expert on
> > > debian keyring/debootstrap and dpkg signing I will try to find a
> > > solution but maybe somebody has a good idea already?
> > >
> >
> > Baurzhan, Maxim, any idea?
> >
> I found a solution, one has to trust the key manually:
>
> The following snippet can do this:
>
> gpg --keyring build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/apt-keyring.gpg --list-keys --with-colons | \
> sed -E -n -e 's/^fpr:::::::::([0-9A-F]+):$/\1:6:/p' | \
> gpg --import-ownertrust --keyring build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/apt-keyring.gpg
>
> I will try and write a patch for this.
>
Well the idea was good, but there is another problem... obviously the
key debootstrap complains about is NOT the docker key... it is even not
inside the keyring. It seems debootstrap only uses a keyring with only
one key now which cannot work if we want to ADD a repo with a
corresponding key.
----
builder@bdf0e3b84f79:/build$ gpg --keyring build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/apt-keyring.gpg --list-keys
build/tmp/work/debian-stretch-arm64/isar-bootstrap-target/apt-keyring.gpg
-------------------------------------------------------------------------
pub rsa4096 2017-02-22 [SCEA]
9DC858229FC7DD38854AE2D88D81803C0EBFCD88
uid [ultimate] Docker Release (CE deb) <docker@docker.com>
sub rsa4096 2017-02-22 [S]
----
But at least we can see the change to ultimate trust worked ;)
Andreas
> Andreas
> > Jan
> >
> > --
> > Siemens AG, Corporate Technology, CT RDA IOT SES-DE
> > Corporate Competence Center Embedded Linux
>
> --
> Andreas Reichel
> Dipl.-Phys. (Univ.)
> Software Consultant
>
> Andreas.Reichel@tngtech.com, +49-174-3180074
> TNG Technology Consulting GmbH, Betastr. 13a, 85774 Unterfoehring
> Geschaeftsfuehrer: Henrik Klagges, Dr. Robert Dahlke, Gerhard Mueller
> Sitz: Unterfoehring * Amtsgericht Muenchen * HRB 135082
>
--
Andreas Reichel
Dipl.-Phys. (Univ.)
Software Consultant
Andreas.Reichel@tngtech.com, +49-174-3180074
TNG Technology Consulting GmbH, Betastr. 13a, 85774 Unterfoehring
Geschaeftsfuehrer: Henrik Klagges, Dr. Robert Dahlke, Gerhard Mueller
Sitz: Unterfoehring * Amtsgericht Muenchen * HRB 135082
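
The check behind the diagnosis in this message, as an added example that is not part of the original mail or of Isar: it tests whether the key ID from debootstrap's "Release signed by unknown key" error is in a keyring at all, matching both primary keys and subkeys. The listing is constructed, the subkey ID and fingerprint in it are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the mail or from Isar): is the key ID from
# debootstrap's "Release signed by unknown key" error in a keyring at all?

# Constructed `gpg --list-keys --with-colons` listing for a keyring holding
# only the Docker key shown in the mail. The subkey ID and fingerprint are
# placeholders; the mail does not show them.
sample_listing() {
cat <<'EOF'
pub:u:4096:1:8D81803C0EBFCD88:1487788586:::u:::scESCA:
fpr:::::::::9DC858229FC7DD38854AE2D88D81803C0EBFCD88:
uid:u::::1487788586::::Docker Release (CE deb) <docker@docker.com>:
sub:u:4096:1:AAAAAAAAAAAAAAAA:1487788586::::::s:
fpr:::::::::BBBBBBBBBBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAA:
EOF
}

# keyring_has_key KEYID
# Reads a colon listing on stdin. Succeeds if KEYID (16 hex digits) is the
# long key ID of a primary key or a subkey: field 5 of pub/sub records.
# Subkeys matter because a Release file may be signed by one.
keyring_has_key() {
    awk -F: -v want="$(printf '%s' "$1" | tr 'a-f' 'A-F')" '
        ($1 == "pub" || $1 == "sub") && toupper($5) == want { found = 1 }
        END { exit !found }
    '
}

# check_keyring_file FILE KEYID (hypothetical helper)
# Same check against a real keyring file. --no-default-keyring keeps the
# caller's own ~/.gnupg keys out of the answer.
check_keyring_file() {
    gpg --no-default-keyring --keyring "$1" --list-keys --with-colons \
        2>/dev/null | keyring_has_key "$2"
}

# Demo on the constructed listing: the key debootstrap named is absent, so
# changing ownertrust of the keys that are present cannot satisfy it.
for id in EF0F382A1A7B6500 8D81803C0EBFCD88; do
    if sample_listing | keyring_has_key "$id"; then
        echo "$id: present"
    else
        echo "$id: NOT in keyring"
    fi
done
```

Running `check_keyring_file` on the `apt-keyring.gpg` that is passed to `debootstrap --keyring` separates a missing key from a trust problem before any ownertrust is changed.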