clearlinux / autospec

RPM packaging automation tool
GNU General Public License v3.0

GPG Public key changed for gstreamer-related packages #139

Closed joselamego closed 5 years ago

joselamego commented 6 years ago

Public key for the following packages has changed in version 1.14.0 (probably a couple of previous versions too), blocking package updates: gst-plugins-bad gst-plugins-base gst-plugins-good gst-plugins-ugly gstreamer gstreamer-vaapi

Please let me know if this is not the right channel to report this and if more information is needed.

matthewrsj commented 6 years ago

Ok, so autospec fails hard in this case because it is considered a critical security issue that should at minimum require research and thought by the packager. The way you get around it is by removing the following line from the .spec file:

# Source0 file verified with key 0xDEADBEEFCAFEBABE (example@email.com)

Autospec will then allow you to import and use the new key.

We may need to provide a more straightforward way to do that.
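The behaviour described above, written out as an added example (this is not autospec's own code): the .spec carries a `# Source0 file verified with key 0x... (...)` pin, a fresh download is verified with gpg, and the build fails hard when the signing key differs from the pin, the only way forward being a deliberate removal of the pin line. It assumes the signature result is read from gpg's `--status-fd` lines (GOODSIG/BADSIG/ERRSIG/NO_PUBKEY); the "new" key id 0123456789ABCDEF, the user ids and the spec fragment are constructed samples.

```python
"""Source0 signing-key pin check, modelled on the autospec behaviour
described in the comment above.  Added example, not autospec's code.

Assumptions: the .spec records the verifying key in a
'# Source0 file verified with key 0x<keyid> (<uid>)' comment, and the
signature result comes from `gpg --status-fd` machine-readable lines.
Key ids, user ids and spec contents below are constructed samples.
"""
import re

PIN_RE = re.compile(
    r"^# Source0 file verified with key 0x(?P<keyid>[0-9A-Fa-f]{16}) "
    r"\((?P<uid>[^)]*)\)[ \t]*$",
    re.MULTILINE,
)


class KeyChangedError(Exception):
    """Source0 is signed by a key other than the one pinned in the spec."""


def parse_gpg_status(status_lines):
    """Return (long key id, user id) from `gpg --status-fd` output.

    Only a GOODSIG counts; BADSIG, ERRSIG or NO_PUBKEY mean the tarball
    cannot be trusted at all, so None is returned.  For v4 keys the long
    key id is the low 64 bits of the fingerprint, so the last 16 hex digits
    are taken whether gpg printed a key id or a full fingerprint.
    """
    keyid = uid = None
    for line in status_lines:
        parts = line.split()
        if len(parts) < 3 or parts[0] != "[GNUPG:]":
            continue
        if parts[1] == "GOODSIG":
            keyid = parts[2][-16:].upper()
            uid = " ".join(parts[3:])
        elif parts[1] in ("BADSIG", "ERRSIG", "NO_PUBKEY"):
            return None
    return None if keyid is None else (keyid, uid)


def check_source_key(spec_text, status_lines):
    """Decide what to do with a freshly downloaded Source0.

    "verified": the signing key matches the pin.
    "unpinned": the spec records no key yet; the packager may import and
                record this one.
    Raises KeyChangedError on a mismatch so the build fails hard, and
    ValueError when the signature itself does not verify.
    """
    sig = parse_gpg_status(status_lines)
    if sig is None:
        raise ValueError("Source0 signature did not verify")
    new_keyid, new_uid = sig
    m = PIN_RE.search(spec_text)
    if m is None:
        return "unpinned"
    pinned = m.group("keyid").upper()
    if pinned == new_keyid:
        return "verified"
    raise KeyChangedError(
        f"Source0 signing key changed from 0x{pinned} ({m.group('uid')}) "
        f"to 0x{new_keyid} ({new_uid}); review it, then drop the pin line to accept it"
    )


def decide(spec_text, status_lines):
    """String form of check_source_key for a build driver or log line."""
    try:
        return check_source_key(spec_text, status_lines)
    except (KeyChangedError, ValueError) as e:
        return "refused: " + str(e)


def pin_key(spec_text, keyid, uid):
    """Record a newly accepted key; no-op if the spec already has a pin."""
    if PIN_RE.search(spec_text):
        return spec_text
    return f"# Source0 file verified with key 0x{keyid.upper()} ({uid})\n" + spec_text


def unpin_key(spec_text):
    """The workaround from the comment above: remove the pin line."""
    return "".join(ln for ln in spec_text.splitlines(keepends=True) if not PIN_RE.match(ln))


# Constructed samples: the spec pins the key id used as an example on this
# page; the "new" key 0123456789ABCDEF and both user ids are made up.
SPEC_PINNED = (
    "# Source0 file verified with key 0xDEADBEEFCAFEBABE (example@email.com)\n"
    "Name     : gstreamer\n"
    "Version  : 1.14.0\n"
    "Source0  : gstreamer-1.14.0.tar.xz\n"
)
STATUS_SAME_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG DEADBEEFCAFEBABE Old Maintainer <example@email.com>",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
STATUS_NEW_KEY = [
    "[GNUPG:] NEWSIG",
    "[GNUPG:] GOODSIG 0123456789ABCDEF New Maintainer <new@example.org>",
    "[GNUPG:] VALIDSIG 89ABCDEF01234567FEDCBA980123456789ABCDEF 2018-03-19 "
    "1521460800 0 4 0 1 10 00 89ABCDEF01234567FEDCBA980123456789ABCDEF",
    "[GNUPG:] TRUST_UNDEFINED 0 pgp",
]
STATUS_BAD = ["[GNUPG:] NEWSIG", "[GNUPG:] BADSIG DEADBEEFCAFEBABE Old Maintainer <example@email.com>"]

if __name__ == "__main__":
    print(decide(SPEC_PINNED, STATUS_SAME_KEY))  # verified
    print(decide(SPEC_PINNED, STATUS_NEW_KEY))   # refused: Source0 signing key changed ...
    print(decide(SPEC_PINNED, STATUS_BAD))       # refused: Source0 signature did not verify
    # Packager has reviewed the new key: unpin, rerun, then record it.
    spec = unpin_key(SPEC_PINNED)
    print(decide(spec, STATUS_NEW_KEY))          # unpinned
    spec = pin_key(spec, "0123456789ABCDEF", "new@example.org")
    print(decide(spec, STATUS_NEW_KEY))          # verified
```

The design point is that a key change and a bad signature are both build failures, but different ones: a bad signature is never acceptable, while a key change becomes acceptable only after a human has checked the new key and made the pin change visible in the spec.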

fenrus75 commented 6 years ago

Ideally we get some way where we get a security team or otherwise git commit with JUST the key change, so that we have accountability and traceability on such changes.

On Fri, Mar 23, 2018 at 10:58 AM, Matthew Johnson notifications@github.com wrote:

> Ok, so autospec fails hard in this case because it is considered a critical security issue that should at minimum require research and thought by the packager. The way you get around it is by removing the following line from the .spec file:
>
> # Source0 file verified with key 0xDEADBEEFCAFEBABE (example@email.com)
>
> Autospec will then allow you to import and use the new key.
>
> We may need to provide a more straightforward way to do that.

phmccarty commented 5 years ago

These gstreamer packages were updated a while back, and the submitter had accepted the new key as valid. So this issue is no longer valid.