@phillxnet
Member

A silent failure of 'rpm --import' to update our expiration extended public key was observed when the prior non-extended key existed within rpmkeys.

Fixes #2988

Resolve by blindly removing known prior keys by Version on every rockstor systemd cascade (rockstor-pre specifically), and moving the rpm --import in-code-private-key from Web-UI activation to the same systemd service. Both command invocations are set to be failure tolerant.

@phillxnet
Member Author

Testing

A source install on Tumbleweed was modified with the patched files. This install had the prior

```
rpmkeys --list | grep Rockstor
5f043187-5ed2a099: The Rockstor Project (Rockstor Development) <support@rockstor.com> public key
rpm -qi gpg-pubkey-5f043187-5ed2a099
```

Indicated rpm prior import of the older non-extended key.
This key was then updated via:

```
curl https://rockstor.com/ROCKSTOR-GPG-KEY > /opt/rockstor/conf/ROCKSTOR-GPG-KEY
```

and all rockstor services stopped and restarted:

```
systemctl stop rockstor*
systemctl start rockstor-bootstrap
```

and the Rockstor key found and examined similarly:

```
rpmkeys --list | grep Rockstor
5f043187-5ed2a099: The Rockstor Project (Rockstor Development) <support@rockstor.com> public key
rpm -qi gpg-pubkey-5f043187-5ed2a099
```

In the above example the new key was instantiated under the same 'package' name as the prior, now removed, package.

@phillxnet
Member Author

Testing rpm build

A Leap 15.6 host was used with no prior Rockstor public keys:

```
systemctl stop rockstor*
rpm --erase gpg-pubkey-5f043187
```

/opt/rockstor/conf/ROCKSTOR-GPG-KEY was confirmed to have the extended key.

```
systemctl start rockstor-bootstrap.service
```

A new gpg-pubkey-5f043187 rpm pub-key package version was found to have been installed with the following Version-Revision info:

```
rpm -qi gpg-pubkey-5f043187
Name        : gpg-pubkey
Version     : 5f043187
Release     : 68331efe
```

And the Description was confirmed to contain the extended public key.

The same system was rebooted to ensure all rockstor services started as expected.
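
An added example, not code from this pull request: because the failure described above was silent, a post-import check can compare the key rpm actually holds with the key file rather than relying on the exit status of `rpm --import`. The helper names `run_rpm`, `armor_body` and `refresh_key` are hypothetical, and the sketch assumes rpm stores the imported key unmodified as an armored block in the package Description, as the test notes above report.

```python
import subprocess

# Path and key Version are the ones quoted in this thread.
KEY_FILE = "/opt/rockstor/conf/ROCKSTOR-GPG-KEY"
KEY_VERSION = "5f043187"


def run_rpm(args):
    """Run rpm; return (exit code, stdout) without raising on failure."""
    proc = subprocess.run(["rpm", *args], capture_output=True, text=True)
    return proc.returncode, proc.stdout


def armor_body(text):
    """Base64 payload of the first armored public key block in text.

    Armor headers ("Version: ..."), the optional "=XXXX" CRC line and line
    wrapping are dropped so two armorings of the same key compare equal.
    """
    body, inside = [], False
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("-----BEGIN PGP PUBLIC KEY BLOCK"):
            inside = True
        elif line.startswith("-----END PGP PUBLIC KEY BLOCK"):
            break
        elif inside and line and ":" not in line and not line.startswith("="):
            body.append(line)
    return "".join(body)


def refresh_key(key_text, run=run_rpm, version=KEY_VERSION, key_file=KEY_FILE):
    """Erase prior key packages by Version, import, then verify the result.

    Returns True only when the key rpm now holds matches key_text.
    """
    pkg = f"gpg-pubkey-{version}"
    run(["--erase", "--allmatches", pkg])  # tolerated: key may be absent
    run(["--import", key_file])  # exit status is not trusted on its own
    rc, stored = run(["-q", "--qf", "%{DESCRIPTION}\n", pkg])
    wanted = armor_body(key_text)
    return rc == 0 and wanted != "" and armor_body(stored) == wanted


if __name__ == "__main__":
    with open(KEY_FILE) as fh:
        print("key current:", refresh_key(fh.read()))
```

A `False` result means the trusted key did not change even though both rpm commands may have exited cleanly, which is the condition worth logging or alerting on.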
