It looks like the most recent F26AH release (26.120) has GPG verification turned on in the remote config, but the older commits are not signed.
# cat /etc/ostree/remotes.d/fedora-atomic.conf [remote "fedora-atomic"] url=https://kojipkgs.fedoraproject.org/atomic/26/ gpg-verify=true gpgkeypath=/etc/pki/rpm-gpg/RPM-GPG-KEY-fedora-26-primary # rpm-ostree status State: idle Deployments: ● fedora-atomic:fedora/26/x86_64/atomic-host Version: 26.120 (2017-09-05 00:05:09) Commit: 0b0127864022dd6ffad1a183241fbd5482ef5a1642ff3c8751c2e6cae6070b1a GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D # rpm-ostree deploy 26.119 Resolving version '26.119' 1 metadata, 0 content objects fetched; 569 B transferred in 1 seconds error: Commit ec84d8b30ee5de761c19193717de54b2c33fd07e02b51a6b1855815c91f4e81a: GPG verification enabled, but no signatures found (use gpg-verify=false in remote config to disable)
Can we sign the older commits after the fact so users don't run into this?
Yeah. I'll ask @puiterwijk to get these signed.
Metadata Update from @dustymabe: - Issue assigned to puiterwijk - Issue tagged with: infra
ok i tracked down most of the commits that aren't signed. see http://ostree-signed-commit-checker-fooplay.origin.dustymabe.com/
@puiterwijk can you take a look at the above link and sign the commits that say they aren't signed?
Some of these are because robosig wasn't configured to sign them (like in the f27 case). I sent in a patchset for that: https://lists.fedoraproject.org/archives/list/infrastructure@lists.fedoraproject.org/message/3TZMHVJ7QR4CSW5SUJ57QKSZIZZFVF2L/
ok i tracked down most of the commits that aren't signed. see http://ostree-signed-commit-checker-fooplay.origin.dustymabe.com/ @puiterwijk can you take a look at the above link and sign the commits that say they aren't signed?
still waiting on this part ^^
This has been reviewed by patrick and smooge and merged by kevin. so no longer waiting on this part.
this should be fixed now. @miabbott can you confirm? re-open this ticket if issues still persist.
Metadata Update from @dustymabe: - Issue close_status updated to: Fixed - Issue status updated to: Closed (was: Open)
Looks good! Thanks!
# rpm-ostree status State: idle Deployments: ● fedora-atomic:fedora/26/x86_64/atomic-host Version: 26.120 (2017-09-05 00:05:09) Commit: 0b0127864022dd6ffad1a183241fbd5482ef5a1642ff3c8751c2e6cae6070b1a GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D # rpm-ostree deploy 26.119 Resolving version '26.119' 1 metadata, 0 content objects fetched; 569 B transferred in 1 seconds 46 metadata, 54 content objects fetched; 97979 KiB transferred in 37 seconds Copying /etc changes: 24 modified, 0 removed, 69 added Transaction complete; bootconfig swap: yes deployment count change: 1 Downgraded: selinux-policy 3.13.1-260.8.fc26 -> 3.13.1-260.6.fc26 selinux-policy-targeted 3.13.1-260.8.fc26 -> 3.13.1-260.6.fc26 vim-minimal 2:8.0.1030-1.fc26 -> 2:8.0.983-1.fc26 Run "systemctl reboot" to start a reboot # rpm-ostree status State: idle Deployments: fedora-atomic:fedora/26/x86_64/atomic-host Version: 26.119 (2017-09-03 21:47:35) Commit: d792307b3708271c44ae5e30dfea089e15f804dc79c6069248c5f5a9c233afdf GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D ● fedora-atomic:fedora/26/x86_64/atomic-host Version: 26.120 (2017-09-05 00:05:09) Commit: 0b0127864022dd6ffad1a183241fbd5482ef5a1642ff3c8751c2e6cae6070b1a GPGSignature: Valid signature by E641850B77DF435378D1D7E2812A6B4B64DAB85D
Login to comment on this ticket.