Discussion:
gpg: decryption failed: No secret key
Martin Juhl
2014-08-07 10:00:51 UTC
Hi All

After setting up a new local instance of the 2.5 OBS, I'm having problems with signing..

I have followed all instructions here: http://en.opensuse.org/openSUSE:Build_Service_Signer

And all I get is:

/srv/obs/jobs/i586/Butik-Server::CentOS_6::live555-d2e8a8d975cd9b9fdeccfa5e942b716f:dir/live555-0-7.1.i686.rpm: sha1 md5 OK
sign failed: sign /srv/obs/jobs/i586/Butik-Server::CentOS_6::live555-d2e8a8d975cd9b9fdeccfa5e942b716f:dir/live555-0-7.1.i686.rpm failed
gpg: decryption failed: No secret key
sign failed: 256 - checking digest
/srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/imlib2-1.4.4-6.1.i686.rpm: sha1 md5 OK
sign failed: sign /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/imlib2-1.4.4-6.1.i686.rpm failed
gpg: decryption failed: No secret key
sign failed: 256 - checking digest
/srv/obs/jobs/i586/Butik-Server::CentOS_6::butik-brl-504844ba383ecea6346b94022008af8d:dir/butik-brl-1.0-31.1.i686.rpm: sha1 md5 OK
sign failed: sign /srv/obs/jobs/i586/Butik-Server::CentOS_6::butik-brl-504844ba383ecea6346b94022008af8d:dir/butik-brl-1.0-31.1.i686.rpm failed


If I try to run the sign commands (sign /srv/obs/jobs/i586/Butik-Server::CentOS_6::butik-brl-504844ba383ecea6346b94022008af8d:dir/butik-brl-1.0-31.1.i686.rpm) as root or as the obsrun user, it works perfectly...

Anyone got a clue what's going on here??

Regards

Martin
--
To unsubscribe, e-mail: opensuse-buildservice+***@opensuse.org
To contact the owner, e-mail: opensuse-buildservice+***@opensuse.org
Michael Schroeder
2014-08-07 10:04:05 UTC
Post by Martin Juhl
Hi All
After setting up a new local instance of the 2.5 OBS, I'm having problems with signing..
I have followed all instructions here: http://en.opensuse.org/openSUSE:Build_Service_Signer
/srv/obs/jobs/i586/Butik-Server::CentOS_6::live555-d2e8a8d975cd9b9fdeccfa5e942b716f:dir/live555-0-7.1.i686.rpm: sha1 md5 OK
sign failed: sign /srv/obs/jobs/i586/Butik-Server::CentOS_6::live555-d2e8a8d975cd9b9fdeccfa5e942b716f:dir/live555-0-7.1.i686.rpm failed
gpg: decryption failed: No secret key
So why doesn't gpg find a secret key?

The instruction page mentions some problems with GNUPGHOME at the
end of the page, maybe the secring.gpg was not copied?

what are the results of 'gpg --list-keys' and 'gpg --list-secret-keys'?
(don't forget to set GNUPGHOME)

Cheers,
Michael.
--
Michael Schroeder ***@suse.de
SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
Michael Schroeder
2014-08-07 10:31:58 UTC
I have already symlinked /root/.gnupg -> /srv/obs/gnupg.. so there should be no problems there...
ttprpm01:/srv/obs/log # gpg --list-keys
/root/.gnupg/pubring.gpg
------------------------
pub 2048R/C7BCE95C 2014-08-06
sub 2048R/9465426D 2014-08-06
sub 1024D/AA31904F 2014-08-06
sub 2048g/07044FF8 2014-08-06
ttprpm01:/srv/obs/log # gpg --list-secret-keys
/root/.gnupg/secring.gpg
------------------------
sec 2048R/C7BCE95C 2014-08-06
ssb 2048R/9465426D 2014-08-06
ssb 1024D/AA31904F 2014-08-06
ssb 2048g/07044FF8 2014-08-06
The sign daemon also seems to work, and as I wrote I can sign packages by hand (sign <package>)...
Hmm, so did you do an OBS update or something similar? The private keys of
all OBS projects are encrypted with the OBS master key ("***@localhost"),
so if you change that master key the project keys will no longer work.

Cheers,
Michael.
--
Michael Schroeder ***@suse.de
SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
Martin Juhl
2014-08-07 11:13:29 UTC
I have generated the ***@localhost key myself...

Should that be a problem???

There was no project in the server before I did this, as it's a new installation...

/Martin
Martin Juhl
2014-08-07 11:49:31 UTC
Hi

Yeah, that was my problem from the start..

If I do a stack trace I can see that /root/.phrases/***@localhost is open, and even that the password is extracted correctly...

I'm wondering if bs_signer is passing the wrong arguments to either gpg or sign??

Is there any way to get verbose output from bs_signer???

/Martin


----- Original message -----
From: "Michael Schroeder" <***@suse.de>
To: "Martin Juhl" <***@casalogic.dk>
Sent: Thursday, 7 August 2014 13:37:52
Subject: Re: [opensuse-buildservice] gpg: decryption failed: No secret key
Post by Martin Juhl
Should that be a problem???
No, that's ok.
Post by Martin Juhl
There was no project in the server before I did this, as it's a new installation...
Ok, good to hear. Calling 'sign' manually seems to work, so signing with
the master key is not the problem. You need to find out what exactly is the
operation that fails.

M.
Andreas Schwab
2014-08-07 12:13:23 UTC
Post by Martin Juhl
I'm wondering if bs_signer is passing the wrong arguments to either gpg or sign??
Make sure that there is no newline in the file, lest it becomes part of
the pass phrase.

Andreas.
--
Andreas Schwab, SUSE Labs, ***@suse.de
GPG Key fingerprint = 0196 BAD8 1CE9 1970 F4BE 1748 E4D4 88E3 0EEA B9D7
"And now for something completely different."
Martin Juhl
2014-08-07 12:42:39 UTC
Ok...

Now we're getting somewhere...

Now I get the complete sign command:

/usr/bin/sign -P /srv/obs/upload/signer.32136 -S /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/.checksums /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/imlib2-1.4.4-6.1.i686.rpm


If I run this command manually:

/usr/bin/sign -P /srv/obs/upload/signer.32136 -S /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/.checksums /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/imlib2-1.4.4-6.1.i686.rpm
/srv/obs/upload/signer.32136: No such file or directory


If I remove the -P argument:

/usr/bin/sign -S /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/.checksums /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/imlib2-1.4.4-6.1.i686.rpm


and it signs the file correctly...

The file in /srv/obs/upload/ is probably being generated by bs_signer..

Anyone knows what the "-P" parameter is????

It's not mentioned in the man-pages..

/Martin


----- Original message -----

From: "Michael Schroeder" <***@suse.de>
To: "Martin Juhl" <***@casalogic.dk>
Sent: Thursday, 7 August 2014 14:17:52
Subject: Re: [opensuse-buildservice] gpg: decryption failed: No secret key
Post by Martin Juhl
Yeah, that was my problem from the start..
I'm wondering if bs_signer is passing the wrong arguments to either gpg or sign??
Is there any way to get verbose output from bs_signer???
Well, you could simply echo the arguments before it calls sign,
i.e. add

print "$BSConfig::sign @signargs @signmode $jobdir/$signfile\n";

before the system() call (around line 423...).

M.
Martin Juhl
2014-08-07 12:46:41 UTC
If I comment out line 377 in bs_signer:

# push @signargs, '-P', "$uploaddir/signer.$$";

So that the -P option is not added.. then the signer works... or so it seems?????

/Martin
Michael Schroeder
2014-08-07 12:50:24 UTC
Post by Martin Juhl
Now we're getting somewhere...
/usr/bin/sign -P /srv/obs/upload/signer.32136 -S /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/.checksums /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/imlib2-1.4.4-6.1.i686.rpm
/usr/bin/sign -P /srv/obs/upload/signer.32136 -S /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/.checksums /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/imlib2-1.4.4-6.1.i686.rpm
/srv/obs/upload/signer.32136: No such file or directory
/usr/bin/sign -S /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/.checksums /srv/obs/jobs/i586/Butik-Server::CentOS_6::imlib2-5abd789cfc11ace94b7ff0fe11864966:dir/imlib2-1.4.4-6.1.i686.rpm
and it signs the file correctly...
The file in /srv/obs/upload/ is probably being generated by bs_signer..
Anyone knows what the "-P" parameter is????
It's not mentioned in the man-pages..
It's used to specify a private key stored in a project. The "Butik-Server"
project seems to have a signkey that was created with a different master key.

- Due to a bug the "forceprojectkeys" setting defaults to "true". You probably
don't want to force every project to have a key, so add

our $forceprojectkeys = 0;

to /usr/lib/obs/server/BSConfig.pm and restart the source server.

- Run "find /srv/obs/projects -name _signkey" to find out which projects
have a key. All of those are probably bad. Remove them with
osc signkey --delete <project>

Cheers,
Michael.
--
Michael Schroeder ***@suse.de
SUSE LINUX Products GmbH, GF Jeff Hawn, HRB 16746 AG Nuernberg
main(_){while(_=~getchar())putchar(~_-1/(~(_|32)/13*2-11)*13);}
Martin Juhl
2014-08-07 12:59:26 UTC
Ahh.. now it makes sense..

Probably leftovers from the migration...

ttprpm01:/usr/lib/obs/server # osc -A https://ttprpm01.ttg.local:443 signkey --delete Butik-Server
Server returned an error: HTTP Error 400: Bad Request
must have a key for signing

Any ideas???

/Martin
Michael Schroeder
2014-08-07 12:58:18 UTC
Post by Martin Juhl
Ahh.. now it makes sense..
Probably leftovers from the migration...
ttprpm01:/usr/lib/obs/server # osc -A https://ttprpm01.ttg.local:443 signkey --delete Butik-Server
Server returned an error: HTTP Error 400: Bad Request
must have a key for signing
Any ideas???
Yeah, that's because of the "forceprojectkeys" setting. Please add

our $forceprojectkeys = 0;

to /usr/lib/obs/server/BSConfig.pm and restart the source server.

M.
Martin Juhl
2014-08-07 13:15:29 UTC
HEUREKA!!!!

It works :).....

Thanks a lot.. just forgot to restart the source server...

/Martin
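
The two checks suggested in this thread (no newline in the pass phrase file, and finding projects that carry their own _signkey), combined into one script. This is an added example, not part of the original posts and not OBS code; the function names are made up here, both paths are passed as arguments, and the demo data is constructed.

```sh
#!/bin/sh
# Added example: pre-flight checks for an OBS signer setup, following the thread.
# Function names are hypothetical; both paths are supplied by the caller.

# Succeeds if the pass phrase file contains a CR or LF byte, which would
# become part of the pass phrase. Returns 2 if the file does not exist.
phrase_has_newline() {
    [ -f "$1" ] || return 2
    n=$(tr -cd '\n\r' < "$1" | wc -c)
    [ "$((n))" -gt 0 ]
}

# Print every _signkey below a projects directory, one path per line
# (the same find invocation as in the thread, sorted).
list_signkeys() {
    find "$1" -name _signkey 2>/dev/null | sort
}

# Number of project keys found below the directory.
count_signkeys() {
    list_signkeys "$1" | wc -l | tr -d ' '
}

# Run both checks; returns 1 if anything needs attention, 0 otherwise.
# A missing pass phrase file is not reported here.
audit_signer() {
    status=0
    if phrase_has_newline "$1"; then
        echo "WARN: $1 contains a newline; it becomes part of the pass phrase"
        status=1
    fi
    keys=$(count_signkeys "$2")
    if [ "$((keys))" -gt 0 ]; then
        echo "WARN: $keys project(s) have their own _signkey:"
        list_signkeys "$2" | sed 's/^/  /'
        status=1
    fi
    return $status
}

# Demo on constructed data (not real OBS paths or keys).
demo=$(mktemp -d)
printf 'example-phrase\n' > "$demo/phrase"
mkdir -p "$demo/projects/Example"
: > "$demo/projects/Example/_signkey"
audit_signer "$demo/phrase" "$demo/projects" || echo "signer setup needs attention"
rm -rf "$demo"
```

On a real server the arguments would be the pass phrase file under /root/.phrases and /srv/obs/projects, as named in the thread.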