[gentoo-dev] A problem with updating my key (again)

[gentoo-dev] A problem with updating my key (again)

[Andrey Grozin]

Hi *,

My key was going to expire soon. So, as usual, I have prolonged it for the 
next year (several days ago). I've sent it to the Gentoo keyserver. I've 
checked that the fingerpring of my key in LDAP coinsides with the 
fingerprint I see locally.

Today I've tried to bump dev-lisp/sbcl to 2.3.5. But I got

remote: *** None of your keys comply with GLEP 63.
remote:     Please update the keys into conformance if you wish to 
continue
remote:     using them. If not, please remove unused keys from LDAP.
remote: FATAL: VREF/proj-gentoo-02-gpg: helper program exit status 256
remote: 53D4ABFA88DD61C4 [Andrey Grozin (science) <grozin@gentoo.org>] [E] 
expire:short Expiration date is too close, please renew (is 2023-06-17 
15:32:53, less than 14 days)
remote: 53D4ABFA88DD61C4:3AFFCE974D34BD8C [Andrey Grozin (science) 
<grozin@gentoo.org>] [E] expire:short Expiration date is too close, please 
renew (is 2023-06-17 15:34:59, less than 14 days)
remote: error: hook declined to update refs/heads/master
To git.gentoo.org:repo/gentoo.git
  ! [remote rejected]           master -> master (hook declined)
error: failed to push some refs to 'git.gentoo.org:repo/gentoo.git'

It seems that the remote git has ignored the fact that my key has been 
prolonged about 3 days ago. One year ago I had the same situation. Is 
there any reliable way to inform this git hook about the prolongation of 
my key?

Every year the same problem :-(

Andrey

Re: [gentoo-dev] A problem with updating my key (again)

[Sam James]

[-- Attachment #1: Type: text/plain, Size: 1656 bytes --]


Andrey Grozin <grozin@woodpecker.gentoo.org> writes:

> Hi *,
>
> My key was going to expire soon. So, as usual, I have prolonged it for
> the next year (several days ago). I've sent it to the Gentoo
> keyserver. I've checked that the fingerpring of my key in LDAP
> coinsides with the fingerprint I see locally.
>
> Today I've tried to bump dev-lisp/sbcl to 2.3.5. But I got
>
> remote: *** None of your keys comply with GLEP 63.
> remote:     Please update the keys into conformance if you wish to
> continue
> remote:     using them. If not, please remove unused keys from LDAP.
> remote: FATAL: VREF/proj-gentoo-02-gpg: helper program exit status 256
> remote: 53D4ABFA88DD61C4 [Andrey Grozin (science) <grozin@gentoo.org>]
> [E] expire:short Expiration date is too close, please renew (is
> 2023-06-17 15:32:53, less than 14 days)
> remote: 53D4ABFA88DD61C4:3AFFCE974D34BD8C [Andrey Grozin (science)
> <grozin@gentoo.org>] [E] expire:short Expiration date is too close,
> please renew (is 2023-06-17 15:34:59, less than 14 days)
> remote: error: hook declined to update refs/heads/master
> To git.gentoo.org:repo/gentoo.git
>  ! [remote rejected]           master -> master (hook declined)
> error: failed to push some refs to 'git.gentoo.org:repo/gentoo.git'
>
> It seems that the remote git has ignored the fact that my key has been
> prolonged about 3 days ago. One year ago I had the same situation. Is
> there any reliable way to inform this git hook about the prolongation
> of my key?
>
> Every year the same problem :-(

You should ping in #gentoo-infra on IRC if you're having trouble, or
file a bug in the Gentoo Infrastructure component.


[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 377 bytes --]

Re: [gentoo-dev] A problem with updating my key (again)

[Robin H. Johnson]

[-- Attachment #1: Type: text/plain, Size: 2339 bytes --]

On Tue, Jun 13, 2023 at 05:00:16PM +0000, Andrey Grozin wrote:
> Hi *,
> 
> My key was going to expire soon. So, as usual, I have prolonged it for the 
> next year (several days ago). I've sent it to the Gentoo keyserver. I've 
> checked that the fingerpring of my key in LDAP coinsides with the 
> fingerprint I see locally.
Hi Andrey,

As I wrote in the direct email to you, your new key is not present on
any of the three keyservers. You said you sent it to the keyserver, but
I don't see it there. Can you please confirm what you used to upload it?

It should be these steps:
https://wiki.gentoo.org/wiki/Project:Infrastructure/Generating_GLEP_63_based_OpenPGP_keys#Submit_the_new_key_to_the_keyserver

I have just verified that the steps work because I had to update the
expiry on my own keys, and the new expiry can be verified:
https://keys.gentoo.org/pks/lookup?search=robbat2&fingerprint=on&hash=on&op=vindex

You can check that it's present shortly after uploading again:
https://keys.gentoo.org/pks/lookup?search=grozin&fingerprint=on&hash=on&op=vindex

If the servers are out of sync, it can be seen as well (they are in sync
as I write this):
https://motmot.keys.gentoo.org/pks/lookup?search=grozin&fingerprint=on&hash=on&op=vindex
https://trogan.keys.gentoo.org/pks/lookup?search=grozin&fingerprint=on&hash=on&op=vindex
https://kookaburra.keys.gentoo.org/pks/lookup?search=grozin&fingerprint=on&hash=on&op=vindex

> It seems that the remote git has ignored the fact that my key has been 
> prolonged about 3 days ago. One year ago I had the same situation. Is 
> there any reliable way to inform this git hook about the prolongation of 
> my key?
After uploading updates to an existing key, you should need to wait at
most 20 minutes: the keyservers are exported to a keyring, that's hosted
on the qa-reports site, and that keyring is fetched frequently by other
hosts that have a need to verify keys.

If you upload a *new* primary key, you need update ldap (yourself) and
then to alert infra to re-sync the gitolite listing of permitted keys
for your user.

-- 
Robin Hugh Johnson
Gentoo Linux: Dev, Infra Lead, Foundation Treasurer
E-Mail   : robbat2@gentoo.org
GnuPG FP : 11ACBA4F 4778E3F6 E4EDF38E B27B944E 34884E85
GnuPG FP : 7D0B3CEB E9B85B1F 825BCECF EE05E6F6 A48F6136

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 1113 bytes --]