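#
# spec file for package suse-build-key
#
# Copyright (c) 2022 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.

# Please submit bugfixes or comments via https://bugs.opensuse.org/
#

# Overview (review notes):
#  - build:   imports Source2 and Source3 into suse-build-key.gpg; the other
#             key files are only copied so they can be shipped as docs.
#  - install: ships that keyring, the dumpsigs helper, a keys/ directory
#             (dumpsigs output plus the current PTF key) and the container
#             key in .asc and .pem form.
#  - post:    re-exports the shipped keyring into the rpm gnupg pubring and
#             then tries to add the build key to root's own gpg keyring.
# Key sizes and expiry dates quoted in the comments below are as recorded
# when each comment was written; re-check them against the key files.

Name:           suse-build-key
BuildRequires:  gpg
Provides:       build-key
Requires:       gpg
AutoReqProv:    off
Summary:        The public gpg key for rpm package signature verification
License:        GPL-2.0-or-later
Group:          System/Packages
Version:        12.0
Release:        0
Source1:        dumpsigs

# pub 2048R/39DB7C82 2013-01-31 [expires: 2024-09-20] SuSE Package Signing Key
# The main package signing key.
Source2:        gpg-pubkey-39db7c82-5f68629b.asc

# pub 2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key)
# Fallback key if main key gets lost.
Source3:        gpg-pubkey-50a3dd1c-50f35137.asc

# pub 1024R/307E3D54 2006-03-21 SuSE Package Signing Key
# SLE11 build@suse.de key, 1024 bit
# This key is not imported into any keyring by this package; it is only
# copied in the build section and shipped through the doc list.
Source4:        gpg-pubkey-307e3d54-61dc47d0.asc

#pub rsa2048/0x8EFE1BC4D4ADE9C3 2017-12-11 [SC] [expires: 2027-12-09]
# Key fingerprint = 0EE9 CA43 0050 9E29 17A0 54ED 8EFE 1BC4 D4AD E9C3
#uid SUSE Linux Container Signing Key
# used for containers provided by SUSE
Source5:        build-container-d4ade9c3-5a2e9669.asc
# same in PEM, used for cosign
Source6:        build-container-d4ade9c3-5a2e9669.pem

# SUSE supplied PTF (program temporary fixes) are signed by this key.
# Shipped with the package, but not imported by default.
#
#pub dsa1024/0x6C74CE73B37B98A9 2005-05-11 [SC] [expires: 2026-02-02]
# Key fingerprint = FD50 1E9F A5EE 02C0 4138 9355 6C74 CE73 B37B 98A9
#uid SUSE PTF Signing Key
#sub elg1024/0x74FB5EEF6647760C 2005-05-11 [E] [expires: 2022-03-14]
Source97:       suse_ptf_key_old.asc

#pub rsa2048/0x46DFA05C6F5DA62B 2022-02-25 [SC] [expires: 2026-02-24]
# Key fingerprint = 1604 494D 38DA 2FA7 AA26 97AE 46DF A05C 6F5D A62B
#uid SUSE PTF Signing Key
Source98:       suse_ptf_key.asc

# PTF container gpg key
#pub rsa2048/0x9F2528FDB76EB97A 2018-04-24 [SC] [expires: 2026-02-24]
# Key fingerprint = 9109 9832 523C C4EF 9741 F3A5 9F25 28FD B76E B97A
#uid SUSE PTF Container Signing Key
Source99:       suse_ptf_containerkey.asc

#pub rsa4096/0xB205E69BAB2FD922 2020-03-10 [SC] [expires: 2022-03-10]
# Key fingerprint = 2BAB 445F B9B4 F0D3 30E4 7CB0 B205 E69B AB2F D922
#uid [ full ] SUSE Security Team
#uid [ full ] SUSE Security Team
#sub rsa4096/0xA679ED66FD417627 2020-03-10 [E] [expires: 2022-03-10]
# Key fingerprint = DB30 DF8E 6E44 CFF8 25E8 C858 A679 ED66 FD41 7627
# Only used for email communication
Source100:      security_at_suse_de.asc
BuildRoot:      %{_tmppath}/%{name}-%{version}-build
BuildArch:      noarch
%define keydir          %{_prefix}/lib/rpm/gnupg/keys
%define containerkeydir %{_prefix}/share/container-keys/
%define pubring         usr/lib/rpm/gnupg/pubring.gpg
%define susering        usr/lib/rpm/gnupg/suse-build-key.gpg
PreReq:         sh-utils gpg fileutils mktemp

%description
This package contains the gpg keys that are used to sign the
SUSE rpm packages.

The keys installed here are not actually used by anything. rpm/zypper
use the keys in the rpm db instead.

%prep
%setup -qcT

%build
# These key files are only staged in the build directory so the files
# section can ship them as documentation; none of them is imported below.
cp %SOURCE4 .
cp %SOURCE97 .
cp %SOURCE98 .
cp %SOURCE99 .
cp %SOURCE100 .
# Build the shipped keyring from the main and the reserve signing key only.
# NOTE(review): the build trusts both key files exactly as delivered in the
# source package; nothing here asserts which keys they contain, and the
# comments in the preamble carry only 32-bit short IDs for them, which are
# not collision resistant. Consider comparing the imported keyring against
# pinned full fingerprints (<EXPECTED_FULL_FINGERPRINT>) and failing the
# build on a mismatch.
touch suse-build-key.gpg
gpg --no-default-keyring --keyring ./suse-build-key.gpg --import %{SOURCE2}
gpg --no-default-keyring --keyring ./suse-build-key.gpg --import %{SOURCE3}

%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
install suse-build-key.gpg $RPM_BUILD_ROOT/%{susering}
install -m 755 %{SOURCE1} $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
# Run the just-installed dumpsigs helper on the shipped keyring from inside
# keys/, so whatever it writes to its working directory lands there.
mkdir keys
cd keys
$RPM_BUILD_ROOT/usr/lib/rpm/gnupg/dumpsigs $RPM_BUILD_ROOT/%{susering}
cd ..
# also copy the ptf key into the /usr/lib/rpm/gnupg/keys directory, it will however not be default imported.
cp %SOURCE98 keys/
cp -a keys $RPM_BUILD_ROOT/usr/lib/rpm/gnupg
# Empty placeholders for the ghost entries in the files section.
touch $RPM_BUILD_ROOT/%{pubring}
touch $RPM_BUILD_ROOT/%{pubring}~
install -d -m 755 $RPM_BUILD_ROOT%{containerkeydir}/
install -c -m 644 %{SOURCE5} $RPM_BUILD_ROOT%{containerkeydir}/suse-container-key.asc
install -c -m 644 %{SOURCE6} $RPM_BUILD_ROOT%{containerkeydir}/suse-container-key.pem

%files
%defattr(644,root,root)
%doc suse_ptf_key.asc suse_ptf_key_old.asc suse_ptf_containerkey.asc security_at_suse_de.asc gpg-pubkey-307e3d54-61dc47d0.asc
%attr(755,root,root) %dir /usr/lib/rpm/gnupg
%attr(755,root,root) /usr/lib/rpm/gnupg/dumpsigs
%attr(755,root,root) %dir %{containerkeydir}
/usr/lib/rpm/gnupg/keys
%config /%{susering}
%ghost /%{pubring}
%ghost /%{pubring}~
%{containerkeydir}/suse-container-key.asc
%{containerkeydir}/suse-container-key.pem

%post
# NOTE(review): the pubring and susering macros expand to relative paths (no
# leading slash), as do the root/.gnupg paths further down, so this
# scriptlet only behaves as intended when its working directory is the root
# of the target system. Confirm that holds for every way the package gets
# installed.
if [ ! -f %{pubring} ]; then
  touch %{pubring}
fi
echo -n "importing SuSE build key to rpm keyring... "
# mktemp creates the file itself under an unpredictable name, so the export
# below never writes through a pre-existing path in /tmp.
TF=`mktemp /tmp/gpg.XXXXXX`
if [ -z "$TF" ]; then
  echo "suse-build-key::post: cannot make temporary file. Fatal error."
  exit 20
fi
# gpg needs a usable HOME; fall back to /root when the scriptlet
# environment does not provide one.
if [ -z "$HOME" ]; then
  HOME=/root
  export HOME
fi
if [ ! -d "$HOME" ]; then
  mkdir "$HOME"
fi
gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true
# no kidding... gpg won't initialize correctly without being called twice.
gpg < /dev/null > /dev/null 2>&1 || true
gpg < /dev/null > /dev/null 2>&1 || true
# Export the shipped keyring as armored text, then import that text into the
# rpm gnupg pubring. Both exit codes are kept so a failure in either half is
# reported below.
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
    --keyring %{susering} --export -a > "$TF"
a="$?"
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
    --keyring %{pubring} --import < "$TF"
b="$?"
rm -f "$TF"
if [ "$a" = 0 ] && [ "$b" = 0 ]; then
  echo "done."
else
  echo "importing the key from the file %{susering}"
  echo "returned an error. This should not happen. It may not be possible"
  echo "to properly verify the authenticity of rpm packages from SuSE sources."
  echo "The keyring containing the SuSE rpm package signing key can be found"
  echo "in the root directory of the first CD (DVD) of your SuSE product."
  # A negative exit status is not valid in POSIX sh; use a plain non-zero
  # code so the failure is reported the same way by every shell.
  exit 1
fi

### import suse package build key to roots gpg keyring
if test -f root/.gnupg/pubring.gpg ; then
  # Root already has a keyring: add the build key to it. A failed import is
  # tolerated here and reported by the list-keys check that follows.
  chroot . usr/bin/gpg --export --armor --no-default-keyring \
      --keyring %{susering} build@suse.de \
    | chroot . usr/bin/gpg --import || true
  if ! chroot . usr/bin/gpg --list-keys build@suse.de >/dev/null 2>&1 ; then
    echo "gpg import for build@suse.de failed, please import manually" >&2
  fi
else
  # No keyring yet: seed it with a copy of the shipped one, but only when
  # the gnupg directory exists. Copying into a missing directory would fail
  # and make the whole scriptlet report an error.
  # NOTE(review): confirm whether the directory should instead be created
  # (mode 700) when it is absent.
  if [ -d root/.gnupg ]; then
    cp %{susering} root/.gnupg/pubring.gpg
  fi
fi
# Restrict the keyring to its owner; skipped when there is no keyring, so a
# missing file does not become the scriptlet's exit status.
if [ -f root/.gnupg/pubring.gpg ]; then
  chmod 600 root/.gnupg/pubring.gpg
fi

%changelog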