Re: BUG #16948: Packages not signed

Hi Karsten,

Thanks for reporting this.

I think I found the reason why. I changed RPM build process on
RHEL/Fedora, and that affected SLES build processes negatively.

Will fix.

Regards, Devrim

On Tue, 2021-03-30 at 12:43 +0000, PG Bug reporting form wrote:
> The following bug has been logged on the website:
>
> Bug reference:      16948
> Logged by:          Karsten Lenz
> Email address:      karsten.lenz@dbi-services.com
> PostgreSQL version: 13.2
> Operating system:   SLES 15SP2
> Description:       
>
> Now I've got an example with packages either signed by key with ID
> 1f16d2e1442df0f8 (postgres) or not signed at all. It looks like
> packages are
> not signed anymore for the latest versions/releases.
>
> From the Postgresql13 packages for SLES15 on
> https://download.postgresql.org/pub/repos/zypp/13/suse/sles-15.2-x86_64/
>  ,
> not all packages are singed:
>
> SLES15_HOST:/var/cache/zypp/packages/artifactory:psqlsc-sles15-pgdg-
> 13 # rpm
> -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig}
> (b)%{SIGGPG:pgpsig}\n' *.rpm
> pg_qualstats_13-2.0.2-2.sles15 (a)(none) (b)DSA/SHA1, Thu Nov 12
> 02:29:06
> 2020, Key ID 1f16d2e1442df0f8
> pg_stat_kcache_13-2.2.0-1.sles15 (a)(none) (b)(none)
> postgresql13-13.2-1PGDG.sles15 (a)(none) (b)(none)
> postgresql13-contrib-13.2-1PGDG.sles15 (a)(none) (b)(none)
> postgresql13-libs-13.2-1PGDG.sles15 (a)(none) (b)(none)
> postgresql13-server-13.2-1PGDG.sles15 (a)(none) (b)(none)
> repmgr_13-5.2.1-2.sles15 (a)(none) (b)(none)
>
> Whereas for Postgres11, SLES12, all packages were signed (
> https://download.postgresql.org/pub/repos/zypp/11/suse/sles-12.5-x86_64/
> ):
>
> SLES12_HOST:~ # rpm -qa --qf '%{NAME}-%{VERSION}-%{RELEASE}
> (a)%{SIGPGP:pgpsig} (b)%{SIGGPG:pgpsig}\n' | egrep "pg_|postg|repm"
> pg_qualstats11-1.0.6-1.sles12 (a)(none) (b)DSA/SHA1, Fri Nov  9
> 00:23:20
> 2018, Key ID 1f16d2e1442df0f8
> postgresql11-server-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug
> 13
> 16:02:50 2020, Key ID 1f16d2e1442df0f8
> repmgr11-5.0.0-1.sles12 (a)(none) (b)DSA/SHA1, Tue Dec 10 11:19:44
> 2019, Key
> ID 1f16d2e1442df0f8
> postgresql11-contrib-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug
> 13
> 16:02:50 2020, Key ID 1f16d2e1442df0f8
> postgresql11-libs-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13
> 16:02:50 2020, Key ID 1f16d2e1442df0f8
> pg_stat_kcache11-2.1.1-1.sles12.1 (a)(none) (b)DSA/SHA1, Thu Oct 18
> 14:47:26
> 2018, Key ID 1f16d2e1442df0f8
> postgresql11-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu Aug 13
> 16:02:50
> 2020, Key ID 1f16d2e1442df0f8
>
> From the Postgresql11 repo for SLES12 SP5 and Postgresql13 for SLES15
> SP2
> I've got downloaded that last few version of postgresql1x-server rpm.
> Older
> packages are signed, but not the latest ones:
>
> rpm -qp --qf '%{NAME}-%{VERSION}-%{RELEASE} (a)%{SIGPGP:pgpsig}
> (b)%{SIGGPG:pgpsig}\n' post*.rpm | sort
> warning: postgresql11-server-11.10-1PGDG.sles12.x86_64.rpm: Header V4
> DSA/SHA1 Signature, key ID 442df0f8: NOKEY
> postgresql11-server-11.10-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu 12
> Nov
> 2020 01:37:45 AM CET, Key ID 1f16d2e1442df0f8
> postgresql11-server-11.11-1PGDG.sles12 (a)(none) (b)(none)
> postgresql11-server-11.8-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Fri 15
> May 2020
> 12:50:23 PM CEST, Key ID 1f16d2e1442df0f8
> postgresql11-server-11.9-1PGDG.sles12 (a)(none) (b)DSA/SHA1, Thu 13
> Aug 2020
> 04:02:50 PM CEST, Key ID 1f16d2e1442df0f8
> postgresql13-server-13.0-1PGDG.sles15 (a)(none) (b)DSA/SHA1, Wed 23
> Sep 2020
> 08:41:46 PM CEST, Key ID 1f16d2e1442df0f8
> postgresql13-server-13.1-1PGDG.sles15 (a)(none) (b)DSA/SHA1, Thu 12
> Nov 2020
> 01:18:36 AM CET, Key ID 1f16d2e1442df0f8
>
> Are packages not signed anymore by intention?
>

--
Devrim Gündüz
Open Source Solution Architect, Red Hat Certified Engineer
Twitter: @DevrimGunduz , @DevrimGunduzTR