The openSUSE folks built a nice self-service Linux package construction solution, which I believe was originally named openSUSE Build Service (OBS). It was later renamed to Open Build Service to reflect its ability to build packages for more distributions than just openSUSE.
To protect each Linux distribution's community, the creators of the package management tools decided to sign the repository contents and packages with GPG keys. That was very smart and very useful as a basic hygiene/safety measure.
Such GPG signature functionality is included in OBS.
DSA-1024 key deprecation
Like many other software packaging communities, Ubuntu deprecated DSA-1024 based GPG keys around 2016, which means apt no longer accepts those keys.
The issue
In my case, I created a sub-project for Ubuntu 22.04 packages. Since I already had a parent project with a DSA-1024 key, which the new sub-project inherited, all the packages were signed with it, and later the package manager would complain about the key with little feedback as to why.
Usually you would see a message stating that a key is missing, or that a cipher suite is not accepted, or something along those lines. In this case, it was a generic “The following signatures were invalid” message.
Looking at the installed public keys, I spotted that my repository was using a dsa1024 key, while all the rest used rsa4096.
The fix
In the end, the culprit was the old deprecated key type (my home project was created a long time ago). I couldn’t find a way to create a new GPG key in the web UI; either it’s not there or I’m just blind.
We’ll be using the OBS CLI client/tool: osc.
In the osc man page we can find:
    signkey
        Manage Project Signing Key

        osc signkey [--create|--delete|--extend] <PROJECT>
        osc signkey [--notraverse] <PROJECT>

        This command is for managing gpg keys. It shows the public key by default. There is no way to download or upload the private part of a key by design.

        However you can create a new own key. You may want to consider to sign the public key with your own existing key.

        If a project has no key, the key from upper level project will be used (e.g. when dropping "KDE:KDE4:Community" key, the one from "KDE:KDE4" will be used).

        WARNING: THE OLD KEY CANNOT BE RESTORED AFTER USING DELETE OR CREATE

        Usage:
            osc signkey [ARGS...]

        Options:
            -h, --help     show this help message and exit
            --sslcert      fetch SSL certificate instead of GPG key
            --notraverse   don't traverse projects upwards to find key
            --delete       delete the gpg signing key in this project
            --extend       extend expiration date of the gpg public key for this project
            --create       create new gpg signing key for this project
On a Linux machine, you need to follow this procedure:
On the client, after re-importing the public key, you should see that it’s no longer a dsa1024.
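As an added example (not code from the original post or from the OBS project), here is a small Python check that parses the armored public key `osc signkey <PROJECT>` prints and reports the same algorithm/size label apt-key shows, so you can confirm the repository key is no longer dsa1024 before re-importing it. It assumes the key is exported as a v4 public-key packet with an old-format header, which is how gpg exports keys; the two keys embedded below are constructed dummy packets for the demonstration, not real keys.

```python
import base64, struct

ALGOS = {1: "rsa", 2: "rsa", 3: "rsa", 16: "elg", 17: "dsa", 18: "ecdh", 19: "ecdsa", 22: "eddsa"}

def dearmor(armored):
    """Extract the binary packet stream from an ASCII-armored public key block."""
    b64, inside = [], False
    for line in armored.splitlines():
        line = line.strip()
        if line.startswith("-----BEGIN PGP"):
            inside = True
        elif line.startswith("-----END PGP") or (inside and line.startswith("=")):
            break                          # end marker or CRC-24 line: stop reading
        elif inside and line and ":" not in line:
            b64.append(line)               # skip armor headers such as "Version:"
    return base64.b64decode("".join(b64))

def first_packet(data):
    """Return (tag, body) of the first old-format OpenPGP packet (gpg exports keys this way)."""
    ctb = data[0]
    assert not ctb & 0x40, "new-format packet headers are not handled here"
    tag, width = (ctb >> 2) & 0x0F, {0: 1, 1: 2, 2: 4}[ctb & 0x03]
    length = int.from_bytes(data[1:1 + width], "big")
    return tag, data[1 + width:1 + width + length]

def key_label(armored):
    """Return the label apt-key/gpg print for the key, e.g. 'dsa1024' or 'rsa4096'."""
    tag, body = first_packet(dearmor(armored))
    if tag != 6 or body[0] != 4:           # tag 6 = public-key packet; only v4 keys handled
        raise ValueError("not a v4 public-key packet")
    algo = body[5]                         # bytes 1-4 are the creation time
    if algo not in (1, 2, 3, 16, 17):      # ECC keys carry a curve OID, not an MPI
        return ALGOS.get(algo, f"algo{algo}")
    bits = int.from_bytes(body[6:8], "big")  # first MPI: n for RSA, p for DSA/Elgamal
    return f"{ALGOS[algo]}{bits}"

def _fake_key(algo, sizes):
    """Constructed v4 public-key packet with dummy MPIs of the given bit sizes (not a real key)."""
    body = b"\x04\x00\x00\x00\x00" + bytes([algo])     # version 4, creation time 0, algorithm
    for b in sizes:                                    # MPI: 2-byte bit count, then big-endian value
        body += struct.pack(">H", b) + bytes([1 << ((b - 1) % 8)]) + b"\x00" * ((b + 7) // 8 - 1)
    return b"\x99" + struct.pack(">H", len(body)) + body   # 0x99: old header, tag 6, 2-byte length

def armor(data):
    """ASCII-armor a packet stream the way `osc signkey` prints it (CRC line omitted)."""
    return "-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n%s\n-----END PGP PUBLIC KEY BLOCK-----\n" % base64.b64encode(data).decode()

OLD_KEY = armor(_fake_key(17, (1024, 160, 1024, 1024)))  # DSA: p, q, g, y, like the old home project key
NEW_KEY = armor(_fake_key(1, (4096, 17)))                # RSA: n, e, like the other repositories' keys
```

On a real key, pipe the output of `osc signkey <PROJECT>` into `key_label`; a result of `dsa1024` means apt will keep rejecting the signatures until the key is recreated.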