Freshen the GPG key

Description

Determined to get a "green checkmark" on my github commits, I recently got myself a GPG setup.

Playing around, I noticed two things:

  1. We don't have the software signing GPG public key uploaded to any public PGP servers.

  2. We don't have the GPG public key posted clearly anywhere on our webpages (contrast with opensciencegrid.org/security).

  3. The identity on our public key is OSG Software Team (RPM Signing Key for Koji Packages) <vdt-support@opensciencegrid.org>

We should fix all three items. The last one will require a new release of osg-release.

EDIT:

  • Skip #1 because RPM signing keys are not downloaded from keyservers and we should not use the RPM key for signing anything but RPMs.

  • The public key is available on both vdt.cs.wisc.edu and repo.opensciencegrid.org; update https://opensciencegrid.org/docs/release/signing/ to add a link to the new key.

The specific steps to take for using the signing key on packages:

Q: Do we want to bump and rebuild 3.6 RPMs that were signed with the old key? (Re-signing an existing RPM built by Koji is not possible with our setup.)
A: Decided not to since we would have to turn pass-throughs into non-pass-throughs in order to bump the release.

Freshdesk Tickets

None

Activity

Brian Lin
February 26, 2021, 4:07 PM

You’re cleared to promote but could you create a 3.5 specific ticket for it? Mat is a mind reader

Mat Selmeci
February 26, 2021, 1:42 AM

Build                          Tag
osg-release-3.5-7.osg35.el7    osg-3.5-el7-development
osg-release-3.5-7.osg35.el8    osg-3.5-el8-development
osg-release-3.6-3.osg36.el7    osg-3.6-el7-development
osg-release-3.6-3.osg36.el8    osg-3.6-el8-development

Tested them in containers and they work.
Note that if you have osg-release-3.6-2.osg36 and you try yum update osg-release, it will not work (because the new one is signed with the new key) but if you specify the URL, then it's fine.

I promoted the 3.6 version all the way to release again (since what's in there right now is busted). I moved the promotion request for the 3.5 version to SOFTWARE-4515.
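A check for the failure mode described in this comment (a package signed with a key the host has not imported, so yum refuses the update), added here as example code rather than anything from the ticket or the OSG tooling. It assumes the `Key ID <16 hex digits>` tail of `rpm -qp --qf '%{SIGPGP:pgpsig}'` output and the `gpg-pubkey-<low 8 hex of key id>-<date>` naming rpm uses for imported keys; the sample outputs and key IDs below are constructed.

```python
import re
from typing import Optional, Set

# Constructed sample output of `rpm -qp --qf '%{SIGPGP:pgpsig}\n' <pkg>` for a package
# signed with a made-up "new" key, plus an unsigned package (rpm prints "(none)").
PGPSIG_NEW = "RSA/SHA256, Thu 25 Feb 2021 10:55:00 PM UTC, Key ID 0123456789abcdef"
PGPSIG_UNSIGNED = "(none)"

# Constructed sample output of `rpm -q gpg-pubkey` on a host that only has the
# made-up "old" keys imported; the new key's low 32 bits (89abcdef) are absent.
INSTALLED_PUBKEYS_OLD = "gpg-pubkey-fedcba98-5c0ffee0\ngpg-pubkey-deadbeef-5e1f00d0\n"

KEYID_RE = re.compile(r"Key ID ([0-9a-fA-F]{16})$")
PUBKEY_RE = re.compile(r"^gpg-pubkey-([0-9a-f]{8})-[0-9a-f]{8}$")


def signing_key_id(pgpsig: str) -> Optional[str]:
    """Return the 16-hex-digit key ID from a pgpsig line, or None if unsigned."""
    pgpsig = pgpsig.strip()
    if pgpsig == "(none)":
        return None
    m = KEYID_RE.search(pgpsig)
    if not m:
        raise ValueError(f"unparseable pgpsig: {pgpsig!r}")
    return m.group(1).lower()


def imported_key_ids(rpm_q_output: str) -> Set[str]:
    """Collect the 8-hex-digit key IDs from `rpm -q gpg-pubkey` output."""
    ids = set()
    for line in rpm_q_output.splitlines():
        m = PUBKEY_RE.match(line.strip())
        if m:
            ids.add(m.group(1))
    return ids


def key_is_imported(pgpsig: str, rpm_q_output: str) -> bool:
    """True only if the package is signed and its key is already in the rpmdb."""
    key_id = signing_key_id(pgpsig)
    if key_id is None:
        return False  # unsigned: gpgcheck=1 would reject it regardless of keys
    # rpm names imported keys after the low 32 bits (last 8 hex digits) of the key ID
    return key_id[-8:] in imported_key_ids(rpm_q_output)


if __name__ == "__main__":
    ok = key_is_imported(PGPSIG_NEW, INSTALLED_PUBKEYS_OLD)
    print("new key imported:", ok)  # False on a host that still has only the old key
```

Running the two rpm queries on a real host and feeding their output to `key_is_imported` tells you before `yum update` whether the new osg-release package will be accepted.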

Mat Selmeci
February 25, 2021, 11:00 PM

Found the issue. Here's one of our yum repo files:

Last line should be changed to

I'll need to update osg-release again.

Mat Selmeci
February 25, 2021, 10:55 PM

Yes.

Testing it again, looks like fresh installs are broken too (install 3.6 osg-release, try to install a package with a newly signed key) so it's debugging time.

Brian Lin
February 25, 2021, 9:04 PM

You’re cleared to promote.

The error is curious, what was your order of operations? Install 3.5 osg-release, update to 3.6 osg-release, and try to install a package with a newly signed key?

Fixed

Assignee

Mat Selmeci

Reporter

Brian Bockelman

Priority

Major

Fix versions

Components