ubuntu-appstore-developers team mailing list archive

Re: Click package signing on staging

 

On Mon, Aug 18, 2014 at 01:50:57PM -0300, Martin Albisetti wrote:
> On Thu, Aug 14, 2014 at 1:00 PM, Ricardo Kirkner
> <ricardo.kirkner@xxxxxxxxxxxxx> wrote:
> >
> > production:
> > - package signing is enabled
> > - all existing packages have been signed and re-uploaded (except those that
> > were invalid click packages, as those bail out during signature
> > verification)
> 
> The public key for production is the following: http://paste.ubuntu.com/8081267/
 
Hm, something is out of sync here it seems. I just downloaded the
com.ubuntu.music_1.3.568_all.click package via the
lp:~jamestait/+junk/click-support-tools script, and when I extract the
_gpgorigin from there I see:
"""
$ gpg --list-packets _gpgorigin 
:signature packet: algo 1, keyid 608FF2D200A0A71F
           version 4, created 1408022661, md5len 0, sigclass 0x00
           digest algo 2, begin of digest a6 9e
           hashed subpkt 2 len 4 (sig created 2014-08-14)
           subpkt 16 len 8 (issuer key ID 608FF2D200A0A71F)
           data: [4095 bits]
"""

But when I download the key from the pastebin above:
"""
$ gpg --list-packets /tmp/click-key
:public key packet:
        version 4, algo 1, created 1407195840, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        keyid: 9D7FAC7F5DEEC972
:user ID packet: "Click Package Signing Staging <root@xxxxxxxxxxxxxxxxxxx>"
:signature packet: algo 1, keyid 9D7FAC7F5DEEC972
...
"""

Help appreciated to get the right pubkey for production :)

Thanks,
 Michael
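
Added example, not part of the original message or of the click tooling: a small Python parser for the two `gpg --list-packets` outputs quoted above. It reports whether the signature's issuer key ID is among the key IDs in the key file, and whether a signature of that length is even possible under that key's RSA modulus. The function names are made up for this example; the inputs are the outputs pasted in the message, with the wrapped user ID line rejoined and the elided tail dropped.

```python
import re

# Outputs copied from the message above (user ID line rejoined, "..." dropped).
SIG_PACKETS = """\
:signature packet: algo 1, keyid 608FF2D200A0A71F
           version 4, created 1408022661, md5len 0, sigclass 0x00
           digest algo 2, begin of digest a6 9e
           hashed subpkt 2 len 4 (sig created 2014-08-14)
           subpkt 16 len 8 (issuer key ID 608FF2D200A0A71F)
           data: [4095 bits]
"""
KEY_PACKETS = """\
:public key packet:
        version 4, algo 1, created 1407195840, expires 0
        pkey[0]: [2048 bits]
        pkey[1]: [17 bits]
        keyid: 9D7FAC7F5DEEC972
:user ID packet: "Click Package Signing Staging <root@xxxxxxxxxxxxxxxxxxx>"
:signature packet: algo 1, keyid 9D7FAC7F5DEEC972
"""

def packets(text):
    """Split `gpg --list-packets` output into [packet_type, body] pairs."""
    out = []
    for line in text.splitlines():
        m = re.match(r":(.+?) packet:(.*)", line)
        if m:
            out.append([m.group(1), m.group(2)])
        elif out:
            out[-1][1] += "\n" + line
    return out

def compare(sig_text, key_text):
    """Compare a detached signature's issuer with the keys in a key file."""
    sig_body = next(body for ptype, body in packets(sig_text) if ptype == "signature")
    issuer = re.search(r"keyid ([0-9A-F]{16})", sig_body).group(1)
    sig_bits = int(re.search(r"data: \[(\d+) bits\]", sig_body).group(1))
    keys, uids = {}, []
    for ptype, body in packets(key_text):
        if ptype in ("public key", "public sub key"):
            kid = re.search(r"keyid: ([0-9A-F]{16})", body).group(1)
            keys[kid] = int(re.search(r"pkey\[0\]: \[(\d+) bits\]", body).group(1))
        elif ptype == "user ID":
            uids.append(body.strip().strip('"'))
    # An RSA signature is an integer below the modulus, so it cannot be longer than the key.
    return {"issuer": issuer, "key_ids": sorted(keys), "uids": uids,
            "keyid_match": issuer in keys,
            "size_possible": any(sig_bits <= bits for bits in keys.values())}
```

On the two outputs from the message, both checks fail: the issuer 608FF2D200A0A71F is not in the key file, and a 4095-bit signature value cannot come from the 2048-bit key, whose user ID also says "Staging".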

