[qubes-users] Issues building dom0, "Package rpm-devel is not signed"

Hi all,

(resent here since something seems to block with qubes-devel)

I'm probably missing something in how the build is supposed to work:

Following the build instructions at Qubes ISO Building | Qubes OS,
configuring with ./setup, first with NO_SIGN=1. The build of rpm-dom0-fc25
succeeds, and then the build of linux-dom0-updates-dom0-fc25 fails with:

Downloading Packages:
[SKIPPED] perl-Fedora-VSP-0.001-4.fc25.noarch.rpm: Already downloaded
[SKIPPED] perl-generators-1.10-1.fc25.noarch.rpm: Already downloaded
Package rpm-devel- is not signed

At first I thought that maybe the NO_SIGN=1 case was not being as much used
as the NO_SIGN=0 one, so I went generating a key and configure it as
explained in Qubes Builder | Qubes OS.
Doing that I noted one accuracy (see qubes-builder: fix typo in rpmmacros filename, improve its markup by ydirson · Pull Request #1167 · QubesOS/qubes-doc · GitHub)
which I hopefully circumvented, but that did not help.

I'm not even sure I understand how signatures are supposed to be generated, since
there is this optional "make sign-all" to be run *after* "make qubes": it seems
likely normal that configuring things for the later step does not impact the earlier

Setting VERBOSE=1 and even DEBUG=1 does not seem to help in understanding what exact
step is at fault. I could not find an "understanding how the build system works",
which would greatly help onboarding new devs :slight_smile:

Also retried after setting SIGN_KEY, still same result.

Also retried by copying the example-configs/qubes-os-r4.0.conf instead of
using ./setup, still same result.

I also note some peculiar content in this ./setup-generated conf, eg.
"DIST_DOM0 ?= fc20", when the targeted version correctly seems to be set to fc25.

What did I miss ?

Also, is it really a good thing to have 2 separate pages talking about roughly the
same thing, with /doc/qubes-builder/ telling about NO_SIGN (which we see in templates)
and .rpmmacros, and /doc/qubes-iso-building/ talking about "fully signed build" using
SIGN_KEY (which we don't see in templates) ?

Best regards,