Issues building dom0, "Package rpm-devel is not signed"


ydi...@free.fr

Jun 29, 2021, 4:43:26 PM
to qubes...@googlegroups.com
Hi all,

(resent here since something seems to block with qubes-devel)

I'm probably missing something in how the build is supposed to work:

Following the build instructions at https://www.qubes-os.org/doc/qubes-iso-building/,
configuring with ./setup, first with NO_SIGN=1. The build of rpm-dom0-fc25
succeeds, and then the build of linux-dom0-updates-dom0-fc25 fails with:

Downloading Packages:
[SKIPPED] perl-Fedora-VSP-0.001-4.fc25.noarch.rpm: Already downloaded
[SKIPPED] perl-generators-1.10-1.fc25.noarch.rpm: Already downloaded
Package rpm-devel-4.14.2.1-5.fc25.x86_64.rpm is not signed


At first I thought that maybe the NO_SIGN=1 case was not being used as much
as the NO_SIGN=0 one, so I went on to generate a key and configure it as
explained in https://www.qubes-os.org/doc/qubes-builder/.
Doing that I noted one accuracy (see https://github.com/QubesOS/qubes-doc/pull/1167)
which I hopefully circumvented, but that did not help.

I'm not even sure I understand how signatures are supposed to be generated, since
there is this optional "make sign-all" to be run *after* "make qubes": it seems
likely normal that configuring things for the later step does not impact the earlier
one.

Setting VERBOSE=1 and even DEBUG=1 does not seem to help in understanding what exact
step is at fault. I could not find an "understanding how the build system works",
which would greatly help onboarding new devs :)

Also retried after setting SIGN_KEY, still same result.

Also retried by copying the example-configs/qubes-os-r4.0.conf instead of
using ./setup, still same result.

I also note some peculiar content in this ./setup-generated conf, e.g.
"DIST_DOM0 ?= fc20", when the targeted version correctly seems to be set to fc25.


What did I miss?


Also, is it really a good thing to have 2 separate pages talking about roughly the
same thing, with /doc/qubes-builder/ telling about NO_SIGN (which we see in templates)
and .rpmmacros, and /doc/qubes-iso-building/ talking about "fully signed build" using
SIGN_KEY (which we don't see in templates)?

Best regards,
--
Yann

awokd

Jul 5, 2021, 4:10:55 PM
to qubes...@googlegroups.com
ydi...@free.fr:
> Hi all,
>
> (resent here since something seems to block with qubes-devel)
>
> I'm probably missing something in how the build is supposed to work:
>
> Following the build instructions at https://www.qubes-os.org/doc/qubes-iso-building/,
> configuring with ./setup, first with NO_SIGN=1. The build of rpm-dom0-fc25
> succeeds, and then the build of linux-dom0-updates-dom0-fc25 fails with:
>
> Downloading Packages:
> [SKIPPED] perl-Fedora-VSP-0.001-4.fc25.noarch.rpm: Already downloaded
> [SKIPPED] perl-generators-1.10-1.fc25.noarch.rpm: Already downloaded
> Package rpm-devel-4.14.2.1-5.fc25.x86_64.rpm is not signed

Plugging that error into a search engine suggests adding a
"--nogpgcheck" flag to yum to work around it, but it seems
odd/suspicious that would be needed if the other packages are passing
the signature check. Are you building a 4.0 ISO?

> At first I thought that maybe the NO_SIGN=1 case was not being used as much
> as the NO_SIGN=0 one, so I went on to generate a key and configure it as
> explained in https://www.qubes-os.org/doc/qubes-builder/.

You should be able to complete the entire build without signing it. The
error is saying the downloaded package is not signed, not your build.

> Also, is it really a good thing to have 2 separate pages talking about roughly the
> same thing, with /doc/qubes-builder/ telling about NO_SIGN (which we see in templates)
> and .rpmmacros, and /doc/qubes-iso-building/ talking about "fully signed build" using
> SIGN_KEY (which we don't see in templates)?

Probably not the best, but when I last looked at it I couldn't figure
out a way to consolidate them without making it overly cluttered. Please
submit a pull request if you have an idea, though.

--
- don't top post
Mailing list etiquette:
- trim quoted reply to only relevant portions
- when possible, copy and paste text instead of screenshots
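
Added example, not part of the thread or of qubes-builder: a minimal Python reader for the RPM signature header, showing what "is not signed" means for a downloaded package file (digest tags only, no OpenPGP signature tag). The function names and the sample packages are constructed for illustration; the check reports whether a signature is present, not whether it is valid.

```python
import struct

LEAD_MAGIC = b"\xed\xab\xee\xdb"      # first 4 bytes of the 96-byte RPM lead
HEADER_MAGIC = b"\x8e\xad\xe8\x01"    # header magic (3 bytes) + version 1
LEAD_SIZE = 96
# Signature-header tags that carry an OpenPGP signature (values from rpm's rpmtag.h).
SIG_TAGS = {267: "DSA header-only", 268: "RSA header-only",
            1002: "PGP header+payload", 1005: "GPG header+payload"}


def signature_tags(data):
    """Return the names of OpenPGP signature tags in an RPM's signature header.

    An empty list means the package carries digests only, i.e. it is unsigned.
    Presence is reported; the signature itself is NOT verified here.
    """
    if len(data) < LEAD_SIZE + 16 or data[:4] != LEAD_MAGIC:
        raise ValueError("not an RPM package (bad lead)")
    if data[LEAD_SIZE:LEAD_SIZE + 4] != HEADER_MAGIC:
        raise ValueError("signature header magic not found")
    # After magic + 4 reserved bytes: entry count and data-store size, big-endian.
    nindex, hsize = struct.unpack_from(">II", data, LEAD_SIZE + 8)
    index_start = LEAD_SIZE + 16
    if index_start + 16 * nindex + hsize > len(data):
        raise ValueError("truncated signature header")
    found = []
    for i in range(nindex):
        # Each index entry is four big-endian uint32s: tag, type, offset, count.
        tag, _type, _offset, count = struct.unpack_from(">IIII", data, index_start + 16 * i)
        if tag in SIG_TAGS and count > 0:
            found.append(SIG_TAGS[tag])
    return found


def build_sample(tags):
    """Constructed input: a lead plus a signature header with dummy 4-byte values."""
    lead = LEAD_MAGIC + b"\x00" * (LEAD_SIZE - 4)
    index = b"".join(struct.pack(">IIII", t, 7, 4 * i, 4) for i, t in enumerate(tags))
    store = b"\x00" * (4 * len(tags))
    counts = struct.pack(">II", len(tags), len(store))
    return lead + HEADER_MAGIC + b"\x00" * 4 + counts + index + store


# Constructed samples: digests only (269 = SHA1, 1004 = MD5) vs. digests plus signatures.
UNSIGNED = build_sample([269, 1004])
SIGNED = build_sample([269, 268, 1004, 1002])

if __name__ == "__main__":
    print("unsigned sample:", signature_tags(UNSIGNED))
    print("signed sample:  ", signature_tags(SIGNED))
```

To inspect a real file, pass its first few kilobytes, for example `signature_tags(open(path, "rb").read(65536))` with `path` pointing at the cached package.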