[qubes-users] Issues building dom0, "Package rpm-devel is not signed"

Hi all,

(resent here since something seems to block with qubes-devel)

I'm probably missing something in how the build is supposed to work:

Following the build instructions at Qubes ISO Building | Qubes OS,
configuring with ./setup, first with NO_SIGN=1. The build of rpm-dom0-fc25
succeeds, and then the build of linux-dom0-updates-dom0-fc25 fails with:

Downloading Packages:
[SKIPPED] perl-Fedora-VSP-0.001-4.fc25.noarch.rpm: Already downloaded
[SKIPPED] perl-generators-1.10-1.fc25.noarch.rpm: Already downloaded
Package rpm-devel-4.14.2.1-5.fc25.x86_64.rpm is not signed

At first I thought that maybe the NO_SIGN=1 case was not being as much used
as the NO_SIGN=0 one, so I went generating a key and configure it as
explained in Qubes Builder | Qubes OS.
Doing that I noted one accuracy (see qubes-builder: fix typo in rpmmacros filename, improve its markup by ydirson · Pull Request #1167 · QubesOS/qubes-doc · GitHub)
which I hopefully circumvented, but that did not help.

I'm not even sure I understand how signatures are supposed to be generated, since
there is this optional "make sign-all" to be run *after* "make qubes": it seems
likely normal that configuring things for the later step does not impact the earlier
one.

Setting VERBOSE=1 and even DEBUG=1 does not seem to help in understanding what exact
step is at fault. I could not find an "understanding how the build system works",
which would greatly help onboarding new devs

Also retried after setting SIGN_KEY, still same result.

Also retried by copying the example-configs/qubes-os-r4.0.conf instead of
using ./setup, still same result.

I also note some peculiar content in this ./setup-generated conf, eg.
"DIST_DOM0 ?= fc20", when the targeted version correctly seems to be set to fc25.

What did I miss ?

Also, is it really a good thing to have 2 separate pages talking about roughly the
same thing, with /doc/qubes-builder/ telling about NO_SIGN (which we see in templates)
and .rpmmacros, and /doc/qubes-iso-building/ talking about "fully signed build" using
SIGN_KEY (which we don't see in templates) ?

Best regards,

ydirson@free.fr:

Hi all,

(resent here since something seems to block with qubes-devel)

I'm probably missing something in how the build is supposed to work:

Following the build instructions at Qubes ISO building | Qubes OS,
configuring with ./setup, first with NO_SIGN=1. The build of rpm-dom0-fc25
succeeds, and then the build of linux-dom0-updates-dom0-fc25 fails with:

  Downloading Packages:
  [SKIPPED] perl-Fedora-VSP-0.001-4.fc25.noarch.rpm: Already downloaded
  [SKIPPED] perl-generators-1.10-1.fc25.noarch.rpm: Already downloaded
  Package rpm-devel-4.14.2.1-5.fc25.x86_64.rpm is not signed

Plugging that error into a search engine suggests adding a "--nogpgcheck" flag to yum to work around it, but it seems odd/suspicious that would be needed if the other packages are passing the signature check. Are you building a 4.0 ISO?

At first I thought that maybe the NO_SIGN=1 case was not being as much used
as the NO_SIGN=0 one, so I went generating a key and configure it as
explained in Qubes builder | Qubes OS.

You should be able to complete the entire build without signing it. The error is saying the downloaded package is not signed, not your build.

Also, is it really a good thing to have 2 separate pages talking about roughly the
same thing, with /doc/qubes-builder/ telling about NO_SIGN (which we see in templates)
and .rpmmacros, and /doc/qubes-iso-building/ talking about "fully signed build" using
SIGN_KEY (which we don't see in templates) ?

Probably not the best, but when I last looked at it I couldn't figure out a way to consolidate them without making it overly cluttered. Please submit a pull request if you have an idea, though.