Re: BIG problem with Maemo repositories!

Re: BIG problem with Maemo repositories!

RM Bauer
Karma: 554
2012-12-16 23:57 UTC
On Sun, Dec 16, 2012 at 4:51 PM, joerg reisenweber <reisenweber@web.de>wrote:

> So 16. Dezember 2012
> > Hello Maemo Community!
> >
> > We have big problem with repositories. Two months ago GPG key for
> > downloads.maemo.nokia.com expired and Hildon Application Manager
> > refusing to install or reinstall packages from these
> > repositories. Part of downloads.maemo.nokia.com is OTA and OVI
> > Store repository. This means that OVI Store not working anymore
> > and OTA updates (from PR1.1 or PR1.2) to PR1.3.1 not working too.
> >
> > Possible solution could be change expiration of this key, but
> > only owner of private GPG key can do that (so only Nokia).
> >
> > GPG key used for all OTA & Ovi store repositories is:
> >
> > pub 1024D/13FA4ED6 2007-10-05 [expired: 2012-10-03]
> > uid Nokia repository signing key 4v1
> >
> > OVI apt repo:
> > https://downloads.maemo.nokia.com/fremantle1.2/ovi/
> >
> > OTA apt repos:
> > https://downloads.maemo.nokia.com/fremantle/ssu/apps/
> > https://downloads.maemo.nokia.com/fremantle/ssu/mr0
> > https://downloads.maemo.nokia.com/fremantle/ssu/002
> > https://downloads.maemo.nokia.com/fremantle/ssu/003
> > https://downloads.maemo.nokia.com/fremantle/ssu/004
> > https://downloads.maemo.nokia.com/fremantle/ssu/203
> > https://downloads.maemo.nokia.com/fremantle/ssu/204
> > https://downloads.maemo.nokia.com/fremantle/ssu/205
> > https://downloads.maemo.nokia.com/fremantle/ssu/206
> > https://downloads.maemo.nokia.com/fremantle/ssu/207
> > https://downloads.maemo.nokia.com/fremantle/ssu/208
> > https://downloads.maemo.nokia.com/fremantle/ssu/210
> >
> > BCCing council & board about this, because Hildon Application
> > Manager not working without proper gpg signature and non working
> > OVI store and OTA repositories are big problem for N900 users.
>
>
> the more 'interesting' aspect of this problem: it gets *worse* with
> migration/handover of maemo.org to community/board. Since a) it's unclear
> if
> Nokia is planning to continue hosting of those fremantle repos under
> maemo.nokia.com, and b) even if community inherits those repos too, we
> neither
> can keep the URL nor manage the keys since both is explicitly nokia.
>
> /j
> >
>
> Nokia does not plan to continue hosting of any maemo repos. Do those
repos contain 3rd party paid apps? There may be agreements between app
developers and OVI store, but is there any technical reason why we can't
make those repos available at downloads.maemo.org and get our own GPG key?

  •  Reply

Re: BIG problem with Maemo repositories!

Pali Rohár
Karma: 1276
2012-12-17 06:50 UTC
On Sunday 16 December 2012 18:57:03 robert bauer wrote:
> On Sun, Dec 16, 2012 at 4:51 PM, joerg reisenweber
<reisenweber@web.de>wrote:
> > So 16. Dezember 2012
> >
> > > Hello Maemo Community!
> > >
> > > We have big problem with repositories. Two months ago GPG
> > > key for downloads.maemo.nokia.com expired and Hildon
> > > Application Manager refusing to install or reinstall
> > > packages from these
> > > repositories. Part of downloads.maemo.nokia.com is OTA and
> > > OVI
> > > Store repository. This means that OVI Store not working
> > > anymore and OTA updates (from PR1.1 or PR1.2) to PR1.3.1
> > > not working too.
> > >
> > > Possible solution could be change expiration of this key,
> > > but
> > > only owner of private GPG key can do that (so only Nokia).
> > >
> > > GPG key used for all OTA & Ovi store repositories is:
> > >
> > > pub 1024D/13FA4ED6 2007-10-05 [expired: 2012-10-03]
> > > uid Nokia repository signing key 4v1
> > >
> > > OVI apt repo:
> > > https://downloads.maemo.nokia.com/fremantle1.2/ovi/
> > >
> > > OTA apt repos:
> > > https://downloads.maemo.nokia.com/fremantle/ssu/apps/
> > > https://downloads.maemo.nokia.com/fremantle/ssu/mr0
> > > https://downloads.maemo.nokia.com/fremantle/ssu/002
> > > https://downloads.maemo.nokia.com/fremantle/ssu/003
> > > https://downloads.maemo.nokia.com/fremantle/ssu/004
> > > https://downloads.maemo.nokia.com/fremantle/ssu/203
> > > https://downloads.maemo.nokia.com/fremantle/ssu/204
> > > https://downloads.maemo.nokia.com/fremantle/ssu/205
> > > https://downloads.maemo.nokia.com/fremantle/ssu/206
> > > https://downloads.maemo.nokia.com/fremantle/ssu/207
> > > https://downloads.maemo.nokia.com/fremantle/ssu/208
> > > https://downloads.maemo.nokia.com/fremantle/ssu/210
> > >
> > > BCCing council & board about this, because Hildon
> > > Application
> > > Manager not working without proper gpg signature and non
> > > working OVI store and OTA repositories are big problem for
> > > N900 users.>
> > the more 'interesting' aspect of this problem: it gets
> > *worse* with migration/handover of maemo.org to
> > community/board. Since a) it's unclear if
> > Nokia is planning to continue hosting of those fremantle
> > repos under maemo.nokia.com, and b) even if community
> > inherits those repos too, we neither
> > can keep the URL nor manage the keys since both is explicitly
> > nokia.
> >
> > /j
> >
> >
> > Nokia does not plan to continue hosting of any maemo repos.
> > Do those
> repos contain 3rd party paid apps? There may be agreements
> between app developers and OVI store, but is there any
> technical reason why we can't make those repos available at
> downloads.maemo.org and get our own GPG key?

Problem is that if you generate new GPG key and sign with it OVI
store and OTA repos, you must install that GPG key to *every*
N900 device to Hildon Application Manager settings (somewhere in
/usr/share/hildon-application-manager). Without it HAM will
always refuse OTA & OVI repositories, because it has *invalid*
key in configuration...

--
Pali Rohár
pali.rohar@gmail.com
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)

iEYEABECAAYFAlDOwL8ACgkQi/DJPQPkQ1K+WwCeOhkl7kNOZ1vQc25g2gUlA1x/
7boAoIl1BDwAjXS84c0XNOkMinhvKjp5
=55Qf
-----END PGP SIGNATURE-----

  •  Reply

Re: BIG problem with Maemo repositories!

2012-12-17 09:40 UTC
I have informed Nokia about the problem to try to have a short term
solution for the signature expiration.

In any case, a long term solution needs to be planned. As Joerg commented,
even if we can host all files in the future (which is still unclear,
specially for third party binaries), keys and URLs would need to be updated.

In the meantime, backuping is essential.

Regards

2012/12/17 Pali Rohár <pali.rohar@gmail.com>

> On Sunday 16 December 2012 18:57:03 robert bauer wrote:
> > On Sun, Dec 16, 2012 at 4:51 PM, joerg reisenweber
> <reisenweber@web.de>wrote:
> > > So 16. Dezember 2012
> > >
> > > > Hello Maemo Community!
> > > >
> > > > We have big problem with repositories. Two months ago GPG
> > > > key for downloads.maemo.nokia.com expired and Hildon
> > > > Application Manager refusing to install or reinstall
> > > > packages from these
> > > > repositories. Part of downloads.maemo.nokia.com is OTA and
> > > > OVI
> > > > Store repository. This means that OVI Store not working
> > > > anymore and OTA updates (from PR1.1 or PR1.2) to PR1.3.1
> > > > not working too.
> > > >
> > > > Possible solution could be change expiration of this key,
> > > > but
> > > > only owner of private GPG key can do that (so only Nokia).
> > > >
> > > > GPG key used for all OTA & Ovi store repositories is:
> > > >
> > > > pub 1024D/13FA4ED6 2007-10-05 [expired: 2012-10-03]
> > > > uid Nokia repository signing key 4v1
> > > >
> > > > OVI apt repo:
> > > > https://downloads.maemo.nokia.com/fremantle1.2/ovi/
> > > >
> > > > OTA apt repos:
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/apps/
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/mr0
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/002
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/003
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/004
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/203
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/204
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/205
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/206
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/207
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/208
> > > > https://downloads.maemo.nokia.com/fremantle/ssu/210
> > > >
> > > > BCCing council & board about this, because Hildon
> > > > Application
> > > > Manager not working without proper gpg signature and non
> > > > working OVI store and OTA repositories are big problem for
> > > > N900 users.>
> > > the more 'interesting' aspect of this problem: it gets
> > > *worse* with migration/handover of maemo.org to
> > > community/board. Since a) it's unclear if
> > > Nokia is planning to continue hosting of those fremantle
> > > repos under maemo.nokia.com, and b) even if community
> > > inherits those repos too, we neither
> > > can keep the URL nor manage the keys since both is explicitly
> > > nokia.
> > >
> > > /j
> > >
> > >
> > > Nokia does not plan to continue hosting of any maemo repos.
> > > Do those
> > repos contain 3rd party paid apps? There may be agreements
> > between app developers and OVI store, but is there any
> > technical reason why we can't make those repos available at
> > downloads.maemo.org and get our own GPG key?
>
> Problem is that if you generate new GPG key and sign with it OVI
> store and OTA repos, you must install that GPG key to *every*
> N900 device to Hildon Application Manager settings (somewhere in
> /usr/share/hildon-application-manager). Without it HAM will
> always refuse OTA & OVI repositories, because it has *invalid*
> key in configuration...
>
> --
> Pali Rohár
> pali.rohar@gmail.com
>
>


--
Iván Gálvez Junquera

  •  Reply

Re: BIG problem with Maemo repositories!

Kenneth Kasilag

2012-12-17 09:51 UTC
We can ask Nokia to point maemo.nokia.org's DNS records to whatever is set
up in the future - they'll likely oblige, as we'll be taking the problem
off their hands. (Hopefully. If they don't, then the N900 users who don't
browse Maemo.org are in for quite some trouble)

As for the repo signing keys, can we get Nokia to push out an update
(mp-fremantle-pr) signed with *their* keys, and whose purpose it is to
change the APT signing key to Maemo.org's new signing key.

CSSU team and other packagers of alternative mp-fremantle-pr metapackage
can follow suit.

That's how we can get signing keys changed with the least user interaction.

On Mon, Dec 17, 2012 at 5:40 PM, Iván Gálvez Junquera <ivgalvez@gmail.com>wrote:

> I have informed Nokia about the problem to try to have a short term
> solution for the signature expiration.
>
> In any case, a long term solution needs to be planned. As Joerg commented,
> even if we can host all files in the future (which is still unclear,
> specially for third party binaries), keys and URLs would need to be updated.
>
> In the meantime, backuping is essential.
>
> Regards
>
> 2012/12/17 Pali Rohár <pali.rohar@gmail.com>
>
>> On Sunday 16 December 2012 18:57:03 robert bauer wrote:
>> > On Sun, Dec 16, 2012 at 4:51 PM, joerg reisenweber
>> <reisenweber@web.de>wrote:
>> > > So 16. Dezember 2012
>> > >
>> > > > Hello Maemo Community!
>> > > >
>> > > > We have big problem with repositories. Two months ago GPG
>> > > > key for downloads.maemo.nokia.com expired and Hildon
>> > > > Application Manager refusing to install or reinstall
>> > > > packages from these
>> > > > repositories. Part of downloads.maemo.nokia.com is OTA and
>> > > > OVI
>> > > > Store repository. This means that OVI Store not working
>> > > > anymore and OTA updates (from PR1.1 or PR1.2) to PR1.3.1
>> > > > not working too.
>> > > >
>> > > > Possible solution could be change expiration of this key,
>> > > > but
>> > > > only owner of private GPG key can do that (so only Nokia).
>> > > >
>> > > > GPG key used for all OTA & Ovi store repositories is:
>> > > >
>> > > > pub 1024D/13FA4ED6 2007-10-05 [expired: 2012-10-03]
>> > > > uid Nokia repository signing key 4v1
>> > > >
>> > > > OVI apt repo:
>> > > > https://downloads.maemo.nokia.com/fremantle1.2/ovi/
>> > > >
>> > > > OTA apt repos:
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/apps/
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/mr0
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/002
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/003
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/004
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/203
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/204
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/205
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/206
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/207
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/208
>> > > > https://downloads.maemo.nokia.com/fremantle/ssu/210
>> > > >
>> > > > BCCing council & board about this, because Hildon
>> > > > Application
>> > > > Manager not working without proper gpg signature and non
>> > > > working OVI store and OTA repositories are big problem for
>> > > > N900 users.>
>> > > the more 'interesting' aspect of this problem: it gets
>> > > *worse* with migration/handover of maemo.org to
>> > > community/board. Since a) it's unclear if
>> > > Nokia is planning to continue hosting of those fremantle
>> > > repos under maemo.nokia.com, and b) even if community
>> > > inherits those repos too, we neither
>> > > can keep the URL nor manage the keys since both is explicitly
>> > > nokia.
>> > >
>> > > /j
>> > >
>> > >
>> > > Nokia does not plan to continue hosting of any maemo repos.
>> > > Do those
>> > repos contain 3rd party paid apps? There may be agreements
>> > between app developers and OVI store, but is there any
>> > technical reason why we can't make those repos available at
>> > downloads.maemo.org and get our own GPG key?
>>
>> Problem is that if you generate new GPG key and sign with it OVI
>> store and OTA repos, you must install that GPG key to *every*
>> N900 device to Hildon Application Manager settings (somewhere in
>> /usr/share/hildon-application-manager). Without it HAM will
>> always refuse OTA & OVI repositories, because it has *invalid*
>> key in configuration...
>>
>> --
>> Pali Rohár
>> pali.rohar@gmail.com
>>
>>
>
>
> --
> Iván Gálvez Junquera
>
>
>

  •  Reply