Freshen the GPG key
Determined to get a "green checkmark" on my GitHub commits, I recently got myself a GPG setup.
Playing around, I noticed two things:
We don't have the software signing GPG public key uploaded to any public PGP servers.
We don't have the GPG public key posted clearly anywhere on our webpages (contrast with opensciencegrid.org/security).
The identity on our public key is OSG Software Team (RPM Signing Key for Koji Packages) <email@example.com>
We should fix all three items. The last one will require a new release of osg-release.
Skip #1 because RPM signing keys are not downloaded from keyservers and we should not use the RPM key for signing anything but RPMs.
The public key is available on both vdt.cs.wisc.edu and repo.opensciencegrid.org; update https://opensciencegrid.org/docs/release/signing/ to add a link to the new key.
The specific steps to take for using the signing key on packages:
Q: Do we want to bump and rebuild 3.6 RPMs that were signed with the old key? (Re-signing an existing RPM built by Koji is not possible with our setup.)
A: Decided not to since we would have to turn pass-throughs into non-pass-throughs in order to bump the release.
You’re cleared to promote, but could you create a 3.5-specific ticket for it? Mat is a mind reader.
Tested them in containers and they work.
Note that if you have osg-release-3.6-2.osg36 and you try yum update osg-release, it will not work (because the new one is signed with the new key) but if you specify the URL, then it's fine.
I promoted the 3.6 version all the way to release again (since what's in there right now is busted). I moved the promotion request for the 3.5 version to SOFTWARE-4515.
Found the issue. Here's one of our yum repo files:
Last line should be changed to
I'll need to update osg-release again.
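The repo-file problem above (a gpgkey line still pointing only at the old key, so packages signed with the new key fail verification) is the kind of thing a small audit script catches before the package is promoted. The following is an added example, not code from the OSG project or from this ticket: it parses a yum-style .repo file and reports repos where gpgcheck is off, where an expected key is missing, or where an unexpected key is listed. The repo contents, URLs and key file names are constructed placeholders, not OSG's real ones.

```python
"""Audit yum/dnf .repo files for gpgcheck and gpgkey settings (added example)."""
import re

# Constructed sample .repo file. Paths and URLs are placeholders, not OSG's real ones.
# The [osg] section only lists the old key, which is the failure mode in the ticket.
SAMPLE_REPO = """\
[osg]
name=OSG Software (example)
baseurl=https://repo.example.org/osg/3.6/el8/release/x86_64
enabled=1
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OLD-EXAMPLE

[osg-testing]
name=OSG Testing (example)
baseurl=https://repo.example.org/osg/3.6/el8/testing/x86_64
enabled=0
gpgcheck=0
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OLD-EXAMPLE
       file:///etc/pki/rpm-gpg/RPM-GPG-KEY-NEW-EXAMPLE
"""

# Keys every repo is expected to trust during a key rotation: the old one (for
# packages already built) and the new one (for freshly signed packages). Placeholders.
EXPECTED_KEYS = (
    "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-OLD-EXAMPLE",
    "file:///etc/pki/rpm-gpg/RPM-GPG-KEY-NEW-EXAMPLE",
)


def parse_repo(text):
    """Parse INI-like .repo text into {section: {key: value}}.

    yum allows multi-line values (several gpgkey URLs on indented continuation
    lines); those are joined to the previous key with a space.
    """
    sections = {}
    current = None
    last_key = None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith(("#", ";")):
            continue
        if raw[0] in " \t" and current is not None and last_key is not None:
            sections[current][last_key] += " " + raw.strip()
            continue
        line = raw.strip()
        header = re.match(r"\[([^\]]+)\]$", line)
        if header:
            current = header.group(1)
            sections[current] = {}
            last_key = None
            continue
        if "=" in line and current is not None:
            key, _, value = line.partition("=")
            last_key = key.strip()
            sections[current][last_key] = value.strip()
    return sections


def audit_repo(text, expected_keys=EXPECTED_KEYS):
    """Return a list of (section, problem) tuples for a .repo file's contents."""
    findings = []
    for name, opts in parse_repo(text).items():
        if opts.get("gpgcheck", "").strip() != "1":
            findings.append((name, "gpgcheck is not 1; signatures would not be enforced"))
        configured = set(opts.get("gpgkey", "").split())
        for key in expected_keys:
            if key not in configured:
                findings.append((name, f"missing gpgkey {key}; packages signed with it would fail to install"))
        for key in sorted(configured - set(expected_keys)):
            findings.append((name, f"unexpected gpgkey {key}"))
    return findings


if __name__ == "__main__":
    for section, problem in audit_repo(SAMPLE_REPO):
        print(f"[{section}] {problem}")
```

Run against the sample, the [osg] repo is flagged for lacking the new key and [osg-testing] for gpgcheck=0; a repo listing both keys with gpgcheck=1 produces no findings. Pointing audit_repo at the contents of each file under /etc/yum.repos.d/ gives the same check on a real host.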
Testing it again, looks like fresh installs are broken too (install 3.6 osg-release, try to install a package with a newly signed key) so it's debugging time.
You’re cleared to promote.
The error is curious, what was your order of operations? Install 3.5 osg-release, update to 3.6 osg-release, and try to install a package with a newly signed key?