I have planned outage for copr-keygen on Tuesday. It did not went well, so here is
post-mortem for those interested in.
Copr-keygen machine was Fedora 21 so we wanted to upgrade it to some supported version of
I did the upgrade of dev machine and it went well so I moved to production machine.
Well, after upgrade of production machine to Fedora 23 it did not worked. I was getting
files-are-digests doesn't work with v4 sigs
I compared the dev and producton machines, but they were identical.
I even tried downgrade to Fedora 22 (which is still supported), but it did not worked too.
So I had to dive into source
code. Code of copr-keygen, obs-signd and finally gnupg2 where I find that option
--force-v3-sigs is (since gnupg 2.1)
I took gnupg2 from Fedora21 (latest with 2.0.x version of gnupg), rebuilt it for Fedora 22
and tried. Fortunately it worked.
I put gnupg2 to protected packages on copr-keygen so the situation is stabilized for now.
I notified obs guys about this situation, but I'm afraid that they still use gnupg
2.0.x so we are first who hit this
In the mean time if you are running your own instance of Copr (I'm looking at you
Pavel) be careful when upgrading
We need to solve it somehow in the near future. The options are backport --force-v3-sigs
into gnupg2 (unlikely) or add
support for v4 into obs-sign.
BTW why it worked on dev machine? I'm still not 100% sure, but I suspect the data. Dev
machine is always completly
wiped, including old keys. While old keys are preserved on production machine.
Miroslav Suchy, RHCA
Red Hat, Senior Software Engineer, #brno, #devexp, #fedora-buildsys
Show replies by date