Discussion:
non-interactive zypper and package keys
Roger Oberholtzer
2010-11-12 10:06:56 UTC
I am trying to run zypper in a non-interactive script. I have an issue
with keys for repos I add and then use:

New repository or package signing key received:
Key ID: CC7F07489591C39B
Key Name: Application:Geo OBS Project <Application:***@build.opensuse.org>
Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B
Repository: openSUSE BuildService - Application:Geo

Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r
Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error.

I looked at the man page (the whole thing this time) and do not see
(recognize) an option to tell zypper to accept the keys. It just takes
the default option, which is to reject them. Is there a way to have
zypper accept them that can be enabled via the command line?
--
Roger Oberholtzer

OPQ Systems / Ramböll RST

Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden

Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
--
To unsubscribe, e-mail: opensuse+***@opensuse.org
For additional commands, e-mail: opensuse+***@opensuse.org
Marcus Meissner
2010-11-12 11:05:59 UTC
Post by Roger Oberholtzer
I am trying to run zypper in a non-interactive script. I have an issue
Key ID: CC7F07489591C39B
Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B
Repository: openSUSE BuildService - Application:Geo
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r
Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error.
I looked at the man page (the whole thing this time) and do not see
(recognize) an option to tell zypper to accept the keys. It just takes
the default option, which is to reject them. Is there a way to have
zypper accept them that can be enabled via the command line?
Hi,
found this in the man page.
--gpg-auto-import-keys
    If new repository signing key is found, do not ask what to do;
    trust and import it automatically. This option causes that the
    new key is imported also in non-interactive mode, where it would
    otherwise got rejected.
But I never used it.
That looks like the ticket. However, I should have mentioned that this
needs to run on an out-of-the-box openSUSE 11.2 as well as newer. I only
--no-gpg-checks
Ignore GPG check failures and continue. If a GPG issue occurs when using
this option zypper prints and logs a warning and automatically continues
without interrupting the operation. Use this option with caution, as you
can easily overlook security problems by using it.
Maybe this is useful anyway. The key acceptance will wait for an interactive session.
You should only import the key once and then not use those insecure options.

The "import key once" step can be done non-automated.

Ciao, Marcus
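The one-time key import recommended in the message above, sketched as an added example that is not part of the original thread: the key is accepted only if its full fingerprint equals a pinned value, after which zypper can run unattended with signature checks left on. The key file path, the script name and the use of `gpg --show-keys` (GnuPG 2.2 or later) are assumptions; the sample listings are constructed.

```shell
#!/bin/sh
# Added example: pin the repository key by full fingerprint, import it once,
# then keep zypper's signature checks enabled in the unattended script.

# Fingerprint from the zypper prompt quoted in this thread; confirm it
# through a second channel before pinning it.
PINNED_FPR="195E211106BC205D2A9C2222CC7F07489591C39B"

# Print the primary-key fingerprint from `gpg --with-colons` output on stdin.
primary_fpr() {
    awk -F: '$1 == "fpr" { print toupper($10); exit }'
}

# Strip spaces/colons and upper-case a fingerprint typed by a human.
normalise_fpr() {
    printf '%s' "$1" | tr -d ' :' | tr 'a-f' 'A-F'
}

# Succeed only when the listing ($1) carries exactly the pinned key ($2).
# A 16-digit key ID is refused: only the full 40-digit fingerprint counts.
fpr_matches() {
    got=$(printf '%s\n' "$1" | primary_fpr)
    want=$(normalise_fpr "$2")
    [ "${#want}" -eq 40 ] && [ -n "$got" ] && [ "$got" = "$want" ]
}

# One-time step: $1 is a key file fetched beforehand (hypothetical path).
# `gpg --show-keys` needs GnuPG 2.2 or later (assumption about the host).
import_repo_key_once() {
    listing=$(gpg --show-keys --with-colons "$1") || return 1
    if fpr_matches "$listing" "$PINNED_FPR"; then
        rpm --import "$1"
    else
        echo "fingerprint mismatch, key not imported: $1" >&2
        return 1
    fi
}

# Constructed sample listings (not real gpg output) for offline checks.
SAMPLE_GOOD='pub:-:1024:17:CC7F07489591C39B:1262304000:::-:::scSC:
fpr:::::::::195E211106BC205D2A9C2222CC7F07489591C39B:'
# Same 16-digit key ID, different fingerprint: must be rejected.
SAMPLE_LOOKALIKE='pub:-:1024:17:CC7F07489591C39B:1262304000:::-:::scSC:
fpr:::::::::000000000000000000000000CC7F07489591C39B:'

# Usage: sh pin-key.sh KEYFILE   (run once, before the unattended job)
if [ -n "${1:-}" ]; then
    import_repo_key_once "$1" && zypper --non-interactive refresh
fi
```

Once the key is in the RPM keyring, the unattended script needs neither `--no-gpg-checks` nor `--gpg-auto-import-keys`.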
Carlos E. R.
2010-11-12 13:14:37 UTC
Post by Roger Oberholtzer
The --no-gpg-checks seems to have achieved the desired result: I can add
a repo and use it in a script. The repos are added permanently. By using
--no-gpg-checks instead of --gpg-auto-import-keys in my script, the keys
are only accepted in my script. They are not accepted for all time. I
guess that is what you meant by "import key once"?
I think that --no-gpg-checks does just that, not check the gpg signatures.
There is no import of keys, and no checking to see if the package has been
altered.

--
Cheers,
Carlos E. R.
(from 11.2 x86_64 "Emerald" at Telcontar)
Roger Oberholtzer
2010-11-12 11:22:07 UTC
Post by Marcus Meissner
Post by Roger Oberholtzer
I am trying to run zypper in a non-interactive script. I have an issue
Key ID: CC7F07489591C39B
Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B
Repository: openSUSE BuildService - Application:Geo
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r
Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error.
I looked at the man page (the whole thing this time) and do not see
(recognize) an option to tell zypper to accept the keys. It just takes
the default option, which is to reject them. Is there a way to have
zypper accept them that can be enabled via the command line?
Hi,
found this in the man page.
--gpg-auto-import-keys
    If new repository signing key is found, do not ask what to do;
    trust and import it automatically. This option causes that the
    new key is imported also in non-interactive mode, where it would
    otherwise got rejected.
But I never used it.
That looks like the ticket. However, I should have mentioned that this
needs to run on an out-of-the-box openSUSE 11.2 as well as newer. I only
--no-gpg-checks
Ignore GPG check failures and continue. If a GPG issue occurs when using
this option zypper prints and logs a warning and automatically continues
without interrupting the operation. Use this option with caution, as you
can easily overlook security problems by using it.
Maybe this is useful anyway. The key acceptance will wait for an interactive session.
You should only import the key once and then not use those insecure options.
The "import key once" step can be done non-automated.
The --no-gpg-checks seems to have achieved the desired result: I can add
a repo and use it in a script. The repos are added permanently. By using
--no-gpg-checks instead of --gpg-auto-import-keys in my script, the keys
are only accepted in my script. They are not accepted for all time. I
guess that is what you meant by "import key once"?
--
Roger Oberholtzer

OPQ Systems / Ramböll RST

Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden

Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696
christian schmitt
2010-11-12 10:15:45 UTC
Post by Roger Oberholtzer
I am trying to run zypper in a non-interactive script. I have an issue
Key ID: CC7F07489591C39B
Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B
Repository: openSUSE BuildService - Application:Geo
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r
Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error.
I looked at the man page (the whole thing this time) and do not see
(recognize) an option to tell zypper to accept the keys. It just takes
the default option, which is to reject them. Is there a way to have
zypper accept them that can be enabled via the command line?
Hi,

found this in the man page.

--gpg-auto-import-keys
    If new repository signing key is found, do not ask what to do;
    trust and import it automatically. This option causes that the
    new key is imported also in non-interactive mode, where it would
    otherwise got rejected.

But I never used it.

greetings Chris
Roger Oberholtzer
2010-11-12 10:39:09 UTC
Post by Roger Oberholtzer
I am trying to run zypper in a non-interactive script. I have an issue
Key ID: CC7F07489591C39B
Key Fingerprint: 195E211106BC205D2A9C2222CC7F07489591C39B
Repository: openSUSE BuildService - Application:Geo
Do you want to reject the key, trust temporarily, or trust always? [r/t/a/?] (r): r
Warning: Disabling repository 'openSUSE BuildService - Application:Geo' because of the above error.
I looked at the man page (the whole thing this time) and do not see
(recognize) an option to tell zypper to accept the keys. It just takes
the default option, which is to reject them. Is there a way to have
zypper accept them that can be enabled via the command line?
Hi,
found this in the man page.
--gpg-auto-import-keys
    If new repository signing key is found, do not ask what to do;
    trust and import it automatically. This option causes that the
    new key is imported also in non-interactive mode, where it would
    otherwise got rejected.
But I never used it.
That looks like the ticket. However, I should have mentioned that this
needs to run on an out-of-the-box openSUSE 11.2 as well as newer. I only
see this option:

--no-gpg-checks
Ignore GPG check failures and continue. If a GPG issue occurs when using
this option zypper prints and logs a warning and automatically continues
without interrupting the operation. Use this option with caution, as you
can easily overlook security problems by using it.

Maybe this is useful anyway. The key acceptance will wait for an interactive session.
--
Roger Oberholtzer

OPQ Systems / Ramböll RST

Ramböll Sverige AB
Krukmakargatan 21
P.O. Box 17009
SE-104 62 Stockholm, Sweden

Office: Int +46 10-615 60 20
Mobile: Int +46 70-815 1696