File uyuni-build-keys.spec of Package uyuni-build-keys
#
# spec file for package uyuni-build-keys
#
# Copyright (c) 2021 SUSE LLC
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
# upon. The license for this file, and modifications and additions to the
# file, is the same license as for the pristine package itself (unless the
# license for the pristine package is not an Open Source License, in which
# case the license is the MIT License). An "Open Source License" is a
# license that conforms to the Open Source Definition (Version 1.9)
# published by the Open Source Initiative.
# Please submit bugfixes or comments via https://bugs.opensuse.org/
#
%if 0%{?suse_version}
%global wwwdocroot /srv/www/htdocs
%else
%global wwwdocroot %{_var}/www/html
%endif
Name: uyuni-build-keys
BuildRequires: gpg
Requires: (awk or gawk)
Requires: gpg
Provides: susemanager-build-keys
AutoReqProv: off
Summary: The public gpg keys for rpm package signature verification
License: GPL-2.0-or-later
Group: System/Packages
URL: https://www.uyuni-project.org/
Version: 2021.09
Release: 0
# pub 2048R/39DB7C82 2013-01-31 SuSE Package Signing Key <build@suse.de>
# SLE12: The main package signing key.
Source2: gpg-pubkey-39db7c82-5f68629b.asc
# pub 2048R/50A3DD1C 2013-01-14 SuSE Package Signing Key (reserve key) <build@suse.de>
# SLE12 Fallback key if main key gets lost.
Source3: gpg-pubkey-50a3dd1c-50f35137.asc
# pub 1024R/307E3D54 2006-03-21 SuSE Package Signing Key <build@suse.de>
# SLE11 build@suse.de key, 1024 bit
Source4: gpg-pubkey-307e3d54-5aaa90a5.asc
# pub 1024D/9C800ACA 2000-10-19 SuSE Package Signing Key <build@suse.de>
# SLE10 build@suse.de key, 1024 bit
Source5: gpg-pubkey-9c800aca-5aaa90c5.asc
# pub 1024D/0182B964 2008-11-05 Extended Support Package Signing Key (Extended Support Package Signing Key) <extended-build@novell.com>
# EPAM RES build key
Source6: gpg-pubkey-0182b964-4911a584.asc
# pub 2048R/3DBDC284 2008-11-07 openSUSE Project Signing Key <opensuse@opensuse.org>
Source7: gpg-pubkey-3dbdc284-53674dd4.asc
# pub 2048R/0D20833E 2018-06-18 systemsmanagement:Uyuni:Master OBS Project <systemsmanagement:Uyuni:Master@build.opensuse.org>
Source8: gpg-pubkey-0d20833e.asc
# pub rsa4096/C105B9DE 2011-07-03 CentOS-6 Key (CentOS 6 Official Signing Key) <centos-6-key@centos.org>
# CentOS-6 Key
Source9: RPM-GPG-KEY-CentOS-6
# pub rsa4096/F4A80EB5 2014-06-23 CentOS-7 Key (CentOS 7 Official Signing Key) <security@centos.org>
# CentOS-7 Key
Source10: RPM-GPG-KEY-CentOS-7
# pub rsa4096/3B4FE6ACC0B21F32 2012-05-11 Ubuntu Archive Automatic Signing Key (2012) <ftpmaster@ubuntu.com>
# Ubuntu archive key 2012
Source11: ubuntu-archive-2012-3B4FE6ACC0B21F32.asc
# pub rsa4096/871920D1991BC93C 2018-09-17 Ubuntu Archive Automatic Signing Key (2018) <ftpmaster@ubuntu.com>
# Ubuntu archive key 2018
Source12: ubuntu-archive-2018-871920D1991BC93C.asc
# pub rsa2048/72F97B74EC551F03 2010-07-01 Oracle OSS group (Open Source Software group) <build@oss.oracle.com>
# OL6 and OL7
Source13: RPM-GPG-KEY-oracle-ol-6-7
# pub rsa4096/82562EA9AD986DA3 2019-04-09 Oracle OSS group (Open Source Software group) <build@oss.oracle.com>
# OL8
Source14: RPM-GPG-KEY-oracle-ol8
# pub rsa4096/044ADAEE04881839 2019-01-04 Micro Focus Build Service (Contact security@novell.com) <OESBuild@novell.com>
# Micro Focus
Source15: oes-gpg-pubkey-044ADAEE04881839.asc
# pub rsa2048/57DA9A6804A29DB0 2015-07-08 Novell Bangalore BuildService (Contact security@novell.com) <novell-bangalore-build@novell.com>
# old Novell Key
Source16: oes-gpg-pubkey-57DA9A6804A29DB0.asc
# pub rsa4096/05B555B38483C65D 2019-05-03 CentOS (CentOS Official Signing Key) <security@centos.org>
# CentOS8
Source17: RPM-GPG-KEY-CentOS-Official
# pub rsa2048/65176565 2015-05-29 openSUSE:Backports OBS Project <openSUSE:Backports@build.opensuse.org>
# PackageHub
Source18: packagehub-gpg-pubkey-65176565.asc
# pub rsa2048/0x8EFE1BC4D4ADE9C3 2017-12-11 [SC] [expires: 2027-12-09]
# Key fingerprint = 0EE9 CA43 0050 9E29 17A0 54ED 8EFE 1BC4 D4AD E9C3
# uid SUSE Linux Container Signing Key <build-container@suse.de>
# The SUSE Container GPG Key.
Source19: build-container-d4ade9c3-5a2e9669.asc
# pub rsa4096/E0B11894F66AEC98 2017-05-22 [SC] [expires: 2025-05-20]
# Key fingerprint = E1CF 20DD FFE4 B89E 8026 58F1 E0B1 1894 F66A EC98
# uid [ unknown] Debian Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
# sub rsa4096/04EE7237B7D453EC 2017-05-22 [S] [expires: 2025-05-20]
Source20: debian-archive-key-9-04EE7237B7D453EC.asc
# pub rsa4096/EDA0D2388AE22BA9 2017-05-22 [SC] [expires: 2025-05-20]
# Key fingerprint = 6ED6 F5CB 5FA6 FB2F 460A E88E EDA0 D238 8AE2 2BA9
# uid [ unknown] Debian Security Archive Automatic Signing Key (9/stretch) <ftpmaster@debian.org>
# sub rsa4096/AA8E81B4331F7F50 2017-05-22 [S] [expires: 2025-05-20]
Source21: debian-archive-key-9-security-AA8E81B4331F7F50.asc
# pub rsa4096/EF0F382A1A7B6500 2017-05-20 [SC] [expires: 2025-05-18]
# Key fingerprint = 067E 3C45 6BAE 240A CEE8 8F6F EF0F 382A 1A7B 6500
# uid [ unknown] Debian Stable Release Key (9/stretch) <debian-release@lists.debian.org>
Source22: debian-release-9-EF0F382A1A7B6500.asc
# pub rsa4096/DC30D7C23CBBABEE 2019-04-14 [SC] [expires: 2027-04-12]
# Key fingerprint = 80D1 5823 B7FD 1561 F9F7 BCDD DC30 D7C2 3CBB ABEE
# uid [ unknown] Debian Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
# sub rsa4096/648ACFD622F3D138 2019-04-14 [S] [expires: 2027-04-12]
Source23: debian-archive-key-10-648ACFD622F3D138.asc
# pub rsa4096/4DFAB270CAA96DFA 2019-04-14 [SC] [expires: 2027-04-12]
# Key fingerprint = 5E61 B217 265D A980 7A23 C5FF 4DFA B270 CAA9 6DFA
# uid [ unknown] Debian Security Archive Automatic Signing Key (10/buster) <ftpmaster@debian.org>
# sub rsa4096/112695A0E562B32A 2019-04-14 [S] [expires: 2027-04-12]
Source24: debian-archive-key-10-security-112695A0E562B32A.asc
# pub rsa4096/DCC9EFBF77E11517 2019-02-05 [SC] [expires: 2027-02-03]
# Key fingerprint = 6D33 866E DD8F FA41 C014 3AED DCC9 EFBF 77E1 1517
# uid [ unknown] Debian Stable Release Key (10/buster) <debian-release@lists.debian.org>
Source25: debian-release-10-DCC9EFBF77E11517.asc
# pub rsa4096/7638D0442B90D010 2014-11-21 [SC] [expires: 2022-11-19]
# Key fingerprint = 126C 0D24 BD8A 2942 CC7D F8AC 7638 D044 2B90 D010
# uid [ unknown] Debian Archive Automatic Signing Key (8/jessie) <ftpmaster@debian.org>
Source26: debian-archive-key-8-7638D0442B90D010.asc
# pub rsa4096/EFD752E7E232ED8712E7635CEB801C41873141A8 2016-12-13 alicloud7release <alicloud-linux-os@service.aliyun.com>
# Alibaba Cloud Linux 2 (Aliyun Linux)
Source27: RPM-GPG-KEY-ALIYUN
# pub rsa4096/11CF1F95C87F5B1A 2017-06-07 [SC]
# 99E617FE5DB527C0D8BD5F8E11CF1F95C87F5B1A
# uid [ unknown] Amazon Linux <amazon-linux@amazon.com>
Source28: RPM-GPG-KEY-amazon-linux-2
# pub rsa4096/0x3ABB34F8 2021-01-12 [C] [expires: 2024-01-12]
# 5E9B8F5617B5066CE92057C3488FCF7C3ABB34F8
# uid AlmaLinux <packager@almalinux.org>
# sub rsa3072/0xC21AD6EA 2021-01-12 [S] [expires: 2024-01-12]
Source29: RPM-GPG-KEY-AlmaLinux
# pub rsa2048 2020-12-02 [SC] [expires: 2023-02-10]
# 44CA8C74F08D9C47618782DF3C90731ED78C6B69
# uid SUSE:SLE-15-SP3:Update OBS Project <SUSE:SLE-15-SP3:Update@build.opensuse.org>
Source30: gpg-pubkey-d78c6b69-5fc7b9e7.asc
# pub rsa4096 2021-02-14 [SCE]
# 7051C470A929F454CEBE37B715AF5DAC6D745A60
# uid Release Engineering <infrastructure@rockylinux.org>
Source31: RPM-GPG-KEY-rockyofficial
# pub rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
# AC530D520F2F3269F5E98313A48449044AAD5C5D
# uid [ unknown] Debian Security Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
Source32: debian-archive-key-11-security-A48449044AAD5C5D.asc
# pub rsa4096 2021-01-17 [SC] [expires: 2029-01-15]
# 1F89983E0081FDE018F3CC9673A4F27B8DD47936
# uid [ unknown] Debian Archive Automatic Signing Key (11/bullseye) <ftpmaster@debian.org>
Source33: debian-archive-key-11-73A4F27B8DD47936.asc
# pub rsa4096 2021-02-13 [SC] [expires: 2029-02-11]
# A4285295FC7B1A81600062A9605C66F00D6C9793
# uid [ unknown] Debian Stable Release Key (11/bullseye) <debian-release@lists.debian.org>
Source34: debian-release-11-605C66F00D6C9793.asc
# pub 1024D/B37B98A9 2005-05-11 SUSE PTF Signing Key <support@suse.com>
# SUSE supplied PTF (program temporary fixes) are signed by this key.
# supplied to be not imported by default
Source98: gpg-pubkey-b37b98a9-5aaa951b.asc
BuildRoot: %{_tmppath}/%{name}-%{version}-build
BuildArch: noarch
%define pubring var/lib/spacewalk/gpgdir/pubring.gpg
%define susering %{_prefix}/lib/uyuni/uyuni-build-keys.gpg
PreReq: sh-utils gpg fileutils mktemp
%description
This package contains the gpg keys that are used to sign the
SUSE and opeSUSE rpm packages. The keys installed here are not
actually used by anything. rpm/zypper use the keys in the rpm
db instead.
%package web
Summary: The public gpg keys for bootstrap use
Group: System/Packages
Requires: %{name} = %{version}-%{release}
Provides: susemanager-build-keys-web
%description web
This package contains the gpg keys that are used to sign the
SUSE and openSUSE rpm packages. These keys are installed in
the web enviroment to be used in a bootstrap script.
%prep
%setup -qcT
%build
touch uyuni-build-keys.gpg
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE2}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE3}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE4}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE5}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE6}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE7}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE8}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE9}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE10}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE11}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE12}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE13}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE14}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE15}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE16}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE17}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE18}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE19}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE20}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE21}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE22}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE23}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE24}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE25}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE26}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE27}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE28}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE29}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE30}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE31}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE32}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE33}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE34}
gpg --no-default-keyring --keyring ./uyuni-build-keys.gpg --import %{SOURCE98}
%install
rm -rf $RPM_BUILD_ROOT
mkdir -p $RPM_BUILD_ROOT/%{_prefix}/lib/uyuni/
mkdir -p $RPM_BUILD_ROOT/var/lib/spacewalk/gpgdir
install uyuni-build-keys.gpg $RPM_BUILD_ROOT/%{susering}
touch $RPM_BUILD_ROOT/%{pubring}
touch $RPM_BUILD_ROOT/%{pubring}~
mkdir -p $RPM_BUILD_ROOT%{wwwdocroot}/pub/
install %{SOURCE2} $RPM_BUILD_ROOT%{wwwdocroot}/pub/sle12-gpg-pubkey-39db7c82.key
install %{SOURCE3} $RPM_BUILD_ROOT%{wwwdocroot}/pub/sle12-reserve-gpg-pubkey-50a3dd1c.key
install %{SOURCE4} $RPM_BUILD_ROOT%{wwwdocroot}/pub/sle11-gpg-pubkey-307e3d54.key
install %{SOURCE5} $RPM_BUILD_ROOT%{wwwdocroot}/pub/sle10-gpg-pubkey-9c800aca.key
install %{SOURCE6} $RPM_BUILD_ROOT%{wwwdocroot}/pub/res-gpg-pubkey-0182b964.key
install %{SOURCE7} $RPM_BUILD_ROOT%{wwwdocroot}/pub/opensuse-gpg-pubkey-3dbdc284.key
install %{SOURCE8} $RPM_BUILD_ROOT%{wwwdocroot}/pub/uyuni-gpg-pubkey-0d20833e.key
install %{SOURCE9} $RPM_BUILD_ROOT%{wwwdocroot}/pub/centos6-gpg-pubkey-c105b9de.key
install %{SOURCE10} $RPM_BUILD_ROOT%{wwwdocroot}/pub/centos7-gpg-pubkey-f4a80eb5.key
install %{SOURCE11} $RPM_BUILD_ROOT%{wwwdocroot}/pub/ubuntu-gpg-pubkey-3B4FE6ACC0B21F32.key
install %{SOURCE12} $RPM_BUILD_ROOT%{wwwdocroot}/pub/ubuntu-gpg-pubkey-871920D1991BC93C.key
install %{SOURCE13} $RPM_BUILD_ROOT%{wwwdocroot}/pub/ol67-gpg-pubkey-72F97B74EC551F03.key
install %{SOURCE14} $RPM_BUILD_ROOT%{wwwdocroot}/pub/ol8-gpg-pubkey-82562EA9AD986DA3.key
install %{SOURCE15} $RPM_BUILD_ROOT%{wwwdocroot}/pub/oes-gpg-pubkey-044ADAEE04881839.key
install %{SOURCE16} $RPM_BUILD_ROOT%{wwwdocroot}/pub/oes-gpg-pubkey-57DA9A6804A29DB0.key
install %{SOURCE17} $RPM_BUILD_ROOT%{wwwdocroot}/pub/centos8-gpg-pubkey-05B555B38483C65D.key
install %{SOURCE18} $RPM_BUILD_ROOT%{wwwdocroot}/pub/packagehub-gpg-pubkey-65176565.key
install %{SOURCE19} $RPM_BUILD_ROOT%{wwwdocroot}/pub/sle-container-gpg-pubkey-d4ade9c3.key
install %{SOURCE20} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-AA8E81B4331F7F50.key
install %{SOURCE21} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-AA8E81B4331F7F50.key
install %{SOURCE22} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-EF0F382A1A7B6500.key
install %{SOURCE23} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-648ACFD622F3D138.key
install %{SOURCE24} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-112695A0E562B32A.key
install %{SOURCE25} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-DCC9EFBF77E11517.key
install %{SOURCE26} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-7638D0442B90D010.key
install %{SOURCE27} $RPM_BUILD_ROOT%{wwwdocroot}/pub/aliyunlinux2-gpg-pubkey-EFD752E7E232ED87.key
install %{SOURCE28} $RPM_BUILD_ROOT%{wwwdocroot}/pub/amazonlinux2-gpg-pubkey-8312182E7F8CF5ED.key
install %{SOURCE29} $RPM_BUILD_ROOT%{wwwdocroot}/pub/almalinux8-gpg-pubkey-488FCF7C3ABB34F8.key
install %{SOURCE30} $RPM_BUILD_ROOT%{wwwdocroot}/pub/gpg-pubkey-d78c6b69-5fc7b9e7.key
install %{SOURCE31} $RPM_BUILD_ROOT%{wwwdocroot}/pub/rockylinux8-gpg-pubkey-15AF5DAC6D745A60.key
install %{SOURCE32} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-A48449044AAD5C5D.key
install %{SOURCE33} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-73A4F27B8DD47936.key
install %{SOURCE34} $RPM_BUILD_ROOT%{wwwdocroot}/pub/debian-gpg-pubkey-605C66F00D6C9793.key
install %{SOURCE98} $RPM_BUILD_ROOT%{wwwdocroot}/pub/ptf-gpg-pubkey-b37b98a9.key
%files
%defattr(644,root,root)
%attr(755,root,root) %dir %{_prefix}/lib/uyuni
%attr(755,root,root) %dir /var/lib/spacewalk/
%attr(755,root,root) %dir /var/lib/spacewalk/gpgdir
/%{susering}
%ghost /%{pubring}
%ghost /%{pubring}~
%post
if [ ! -f %{pubring} ]; then
touch %{pubring}
fi
echo -n "importing Uyuni build key to rpm keyring... "
TF=`mktemp /tmp/gpg.XXXXXX`
if [ -z "$TF" ]; then
echo "uyuni-build-keys::post: cannot make temporary file. Fatal error."
exit 20
fi
if [ -z "$HOME" ]; then
HOME=/root
export HOME
fi
if [ ! -d "$HOME" ]; then
mkdir "$HOME"
fi
gpg -q --batch --no-options < /dev/null > /dev/null 2>&1 || true
# no kidding... gpg won't initialize correctly without being called twice.
gpg < /dev/null > /dev/null 2>&1 || true
gpg < /dev/null > /dev/null 2>&1 || true
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
--keyring %{susering} --export -a > $TF
a="$?"
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
--keyring %{pubring} --import < $TF
b="$?"
rm -f "$TF"
if [ "$a" = 0 -a "$b" = 0 ]; then
echo "done."
else
echo "importing the key from the file %{susering}"
echo "returned an error. This should not happen. It may not be possible"
echo "to properly verify the authenticity of rpm packages from SUSE sources."
echo "The keyring containing the SUSE rpm package signing key can be found"
echo "in the root directory of the first CD (DVD) of your SUSE product."
exit -1
fi
# we need to trust them, otherwise the verify will fail
echo -n "Trusting Uyuni build keys... "
TF=`mktemp /tmp/gpg.XXXXXX`
if [ -z "$TF" ]; then
echo "uyuni-build-keys::post: cannot make temporary file. Fatal error."
exit 20
fi
gpg -q --batch --no-options --no-default-keyring --no-permission-warning \
--keyring %{susering} --list-keys --with-fingerprint \
--with-colons | grep fpr | awk -F: '{printf("%s:6:\n", $10);}' > $TF
c="$?"
gpg -q --batch --no-default-keyring --no-permission-warning \
--homedir /var/lib/spacewalk/gpgdir/ --import-ownertrust < $TF
d="$?"
rm -f "$TF"
if [ "$c" = 0 -a "$d" = 0 ]; then
echo "done."
else
echo "trusting the key from the file %{susering}"
echo "returned an error. This should not happen. It may not be possible"
echo "to properly sync repositories using spacewalk-repo-sync."
exit -1
fi
%files web
%defattr(644,root,root)
%dir %{wwwdocroot}/pub
%{wwwdocroot}/pub/*.key
%changelog
