Bug 13022

Summary: Unsigned packages are going out to the mirrors.
Product: Infrastructure
Reporter: Dave Hodgins <davidwhodgins>
Component: BuildSystem
Assignee: Sysadmin Team <sysadmin-bugs>
Status: RESOLVED FIXED
QA Contact:
Severity: critical
Priority: High
CC: eeeemail, ennael1, sysadmin-bugs, tmb
Version: unspecified
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard:
Source RPM:
CVE:
Status comment:
Attachments: List of 206 unsigned packages on the Mageia 3/4/cauldron repos.

Description Dave Hodgins 2014-03-15 06:04:11 CET
This has been an ongoing problem with the build system not always signing
packages.

Currently, in the Mageia 3, 4, and cauldron repos there are 206 unsigned
packages (not including the SRPM repos).

The existing unsigned packages need to be signed, and either the build
system fixed, or a separate cron job added to find/sign the unsigned
packages.

I use the following script in my local repo, which excludes SRPMS, Mageia
1 and 2.

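#!/bin/bash
# Scan the local mirror tree; stop if the directory is missing.
cd /var/mnt/a9/Mageia/distrib || exit 1
# rpm -K prints one result line per package; lines without "pgp" carry no signature.
find . -name '*.rpm' -print0 | xargs -0 rpm -K 2>/dev/null | grep -v pgp > /root/unsigned.txt
cat /root/unsigned.txt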


Comment 1 Dave Hodgins 2014-03-15 06:06:06 CET
Note that this problem is currently blocking a critical security update for
389-ds-base.

Priority: Normal => High
CC: (none) => eeeemail, ennael1
Severity: normal => critical

Comment 2 Dave Hodgins 2014-03-15 06:08:54 CET
Created attachment 5053
List of 206 unsigned packages on the Mageia 3/4/cauldron repos.

This is based on my local repo, which was synced from kernel.org about 4 hours
ago.

Comment 3 Thomas Backlund 2014-03-15 10:16:37 CET
Yeah, signing key expired :/

so youri pushes out unsigned packages at that point.

I've extended key lifetime and will sign packages with missing signatures, starting with the security updates

CC: (none) => tmb

Comment 4 Thomas Backlund 2014-03-15 12:11:40 CET
Packages re-signed.

I'm currently running a second check for missing keys

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 5 Dave Hodgins 2014-03-16 01:25:31 CET
There are still 20 packages in the Mageia 3 debug repos that need to be signed.

./3/i586/media/debug/core/release/checkpolicy-debuginfo-2.1.12-1.mga3.i586.rpm: sha1 md5 OK
./3/i586/media/debug/core/release/ptlib-debuginfo-2.10.10-1.mga3.i586.rpm: sha1 md5 OK
./3/i586/media/debug/core/release/privoxy-debuginfo-3.0.21-1.mga3.i586.rpm: sha1 md5 OK
./3/i586/media/debug/core/release/calligra-debuginfo-2.6.2-1.mga3.i586.rpm: sha1 md5 OK
./3/i586/media/debug/core/release/icewm-debuginfo-1.3.7-10.mga3.i586.rpm: sha1 md5 OK
./3/i586/media/debug/core/release/qt-gstreamer-debuginfo-0.10.2-3.mga3.i586.rpm: sha1 md5 OK
./3/i586/media/debug/core/release/xmoto-debuginfo-0.5.10-4.mga3.i586.rpm: sha1 md5 OK
./3/i586/media/debug/core/release/gsettings-desktop-schemas-debuginfo-3.6.1-6.mga3.i586.rpm: sha1 md5 OK
./3/i586/media/debug/core/release/gambas3-debuginfo-3.4.0-3.mga3.i586.rpm: sha1 md5 OK
./3/i586/media/debug/core/release/crmsh-debuginfo-1.2.5-2.mga3.i586.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/qt-gstreamer-debuginfo-0.10.2-3.mga3.x86_64.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/ptlib-debuginfo-2.10.10-1.mga3.x86_64.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/calligra-debuginfo-2.6.2-1.mga3.x86_64.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/gsettings-desktop-schemas-debuginfo-3.6.1-6.mga3.x86_64.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/crmsh-debuginfo-1.2.5-2.mga3.x86_64.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/checkpolicy-debuginfo-2.1.12-1.mga3.x86_64.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/xmoto-debuginfo-0.5.10-4.mga3.x86_64.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/privoxy-debuginfo-3.0.21-1.mga3.x86_64.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/icewm-debuginfo-1.3.7-10.mga3.x86_64.rpm: sha1 md5 OK
./3/x86_64/media/debug/core/release/gambas3-debuginfo-3.4.0-3.mga3.x86_64.rpm: sha1 md5 OK

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 6 Thomas Backlund 2014-03-16 16:55:47 CET
Yeah, as stated in comment 4 I focused on updates first.

I started a second /distrib wide check yesterday, but forgot to run it under screen, so it stopped when I lost network connection.

I restarted the check today and have now fixed all missing signatures in the whole distrib tree, including infra tree.

I'll look into adding key checks to xymon so it notifies us when key will start to expire.

we should also fix youri to stop uploads when signing fails.

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED
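
Comment 6 proposes two safeguards: a warning before the signing key expires, and an upload step that stops when signing fails. A sketch of both as shell functions, added here as an illustration and not youri, xymon or Mageia code; the function names and sample data are constructed, and the expiry check assumes `gpg --with-colons` output with epoch-second timestamps (GnuPG 2.x, or 1.x with `--fixed-list-mode`).

```shell
#!/bin/bash
# Added example, not youri/xymon/Mageia code; names and sample data are constructed.

# Print the path of every package in `rpm -K` output (stdin) whose result has
# no signature token or does not end in OK. Matches the older "pgp"/"gpg"
# wording seen in this bug and the "digests signatures OK" wording of newer rpm.
unsigned_from_rpmk() {
    awk '{
        i = index($0, ": "); if (!i) next
        path = substr($0, 1, i - 1); status = tolower(substr($0, i + 2))
        signed = (status ~ /(^| )(pgp|gpg|signatures)( |$)/)
        ok = (status ~ /(^| )ok$/ && status !~ /not ok$/)
        if (!(signed && ok)) print path
    }'
}

# Fail closed: succeed only when nothing on stdin is unsigned, so a caller can
# chain the upload behind it, e.g. `rpm -K *.rpm | gate_upload && <upload step>`.
gate_upload() {
    gate_bad=$(unsigned_from_rpmk)
    [ -z "$gate_bad" ] && return 0
    printf 'refusing upload, unsigned or unverifiable:\n%s\n' "$gate_bad" >&2
    return 1
}

# Read `gpg --with-colons --list-keys` output on stdin and print
# "<keyid> <days_left>" for each pub key expiring within $2 days of epoch $1.
# Field 5 is the key ID, field 7 the expiry time (empty means no expiry).
keys_expiring() {
    awk -F: -v now="$1" -v warn="$2" '
    $1 == "pub" && $7 != "" {
        days = int(($7 - now) / 86400)
        if (days <= warn) print $5, days
    }'
}

# Constructed sample input (package names, key IDs and timestamps are made up).
SAMPLE_RPMK='./a/signed-1.0-1.mga4.x86_64.rpm: rsa sha1 (md5) pgp md5 OK
./a/unsigned-1.0-1.mga4.x86_64.rpm: sha1 md5 OK
./a/newfmt-1.0-1.mga4.x86_64.rpm: digests signatures OK'
SAMPLE_KEYS='pub:u:4096:1:AAAAAAAAAAAAAAAA:900000000:1000864000::-:::scESC:
pub:e:4096:1:BBBBBBBBBBBBBBBB:900000000:999827200::-:::sc:
pub:u:4096:1:CCCCCCCCCCCCCCCC:900000000:::-:::scESC:'

# Demo: keys inside a 30-day warning window, then the gate on a mixed batch.
printf '%s\n' "$SAMPLE_KEYS" | keys_expiring 1000000000 30
printf '%s\n' "$SAMPLE_RPMK" | gate_upload || echo "upload blocked"
```

A negative day count means the key has already expired, which is the state that let unsigned packages through in this bug.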

Comment 7 Dave Hodgins 2014-03-18 23:52:39 CET
Either there is still a problem with the signing of packages, or simply
signing them on the main mirror does not get them updated on other mirrors.

kdepimlibs4-core-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
kdepimlibs4-devel-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
kio4-imap-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
kio4-ldap-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
kio4-mbox-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
kio4-nntp-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
kio4-pop3-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
kio4-sieve-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
kio4-smtp-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64akonadi-calendar4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64akonadi-contact4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64akonadi-kabc4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64akonadi-kcal4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64akonadi-kde4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64akonadi-kmime4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64akonadi-notes4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64akonadi_socialutils4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64gpgme++2-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kabc4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kabc_file_core4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kalarmcal2-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kblog4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kcal4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kcalcore4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kcalutils4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kimap4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kldap4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kmbox4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kmime4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kontactinterface4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kpimidentities4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kpimtextedit4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kpimutils4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kresources4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64ktnef4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64kxmlrpcclient4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64mailtransport4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64microblog4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64nepomukcleaner4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64nepomukcore4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64qgpgme1-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
lib64syndication4-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
nepomuk-core-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))
nepomuk-core-devel-4.11.5-1.mga4.x86_64.rpm: Missing signature (OK ((none)))

Status: RESOLVED => REOPENED
Resolution: FIXED => (none)

Comment 8 Thomas Backlund 2014-03-20 19:08:12 CET
Can you check your mirroring?

I can't find any missing signature on primary mirror or my local mirror, so closing for now

Status: REOPENED => RESOLVED
Resolution: (none) => FIXED

Comment 9 Dave Hodgins 2014-03-20 20:22:21 CET
Figured it out. I had to run urpmi --clean to get the signed versions
copied from my local repo.  Thanks!