I have been having a problem signing some RPM packages with a certain
GPG key and I think I have isolated the problem.
Firstly, the key works fine on CentOS-2/RHEL2.1/RH7.2. The key in
question is in fact the key used to sign the CentOS-2 distro. The
version of RPM used in CentOS-2 uses the user's gpg keyring to verify RPM
signatures and that all works fine.
When I sign a package for CentOS-3/RHEL3, the signing appears to work
fine, but when the package is verified on a CentOS3/RHEL3 box, the
verification fails.
The reason verification fails is because RPM is now looking in its
database of keys, and the required key can not be found.
The reason the key can not be found is because rpm --import is filing it
with the wrong %{version}.
The key looks like this to GPG:
pub 1024D/16FF0E46 2004-03-15 CentOS-2 Key <centos-2key@xxxxxxxxxxx>
sig 3 B9911B92 2004-03-15 CentOS Keymaster <centoskey@xxxxxxxxxxx>
sig 3 16FF0E46 2004-03-15 CentOS-2 Key <centos-2key@xxxxxxxxxxx>
sub 2048g/63E158BD 2004-03-15 [expires: 2009-03-14]
sig 16FF0E46 2004-03-15 CentOS-2 Key <centos-2key@xxxxxxxxxxx>
And after importing into rpm, I would expect it to be listed as
gpg-pubkey-16ff0e46-...
but instead it is listed as:
gpg-pubkey-b9911b92-40561f12
It is filed as the "CentOS Keymaster" key.
I have compared this to keys which work, and keys that work all seem to
have the self signature listed before the other signatures.
I thought I would get around the problem by creating a new key, but when
I sign the new key with the CentOS-2 key, the problem returns.
In fact, when I import a new key which has been signed by the CentOS-2
key, rpm thinks that it IS the CentOS-2 key:
# wget http://bender.it.swin.edu.au/centos-2/final/i386/RPM-GPG-KEY
# rpm --import RPM-GPG-KEY
# rpm -q gpg-pubkey
(... lines deleted )
gpg-pubkey-b9911b92-40561f12
# wget http://bender.it.swin.edu.au/centos-2/final/i386/CentOS/RPMS/4Suite-0.11-2.i386.rpm
(just a test package)
# rpm -K 4Suite-0.11-2.i386.rpm
4Suite-0.11-2.i386.rpm: sha1 md5 (GPG) NOT OK (MISSING KEYS:
GPG#16ff0e46) (But this should work... and does on older versions of RPM)
# rpm --erase gpg-pubkey-b9911b92-40561f12
# wget 'http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x4edac2b1' -O 0x4edac2b1.gpg
(get the new key)
# rpm --import 0x4edac2b1.gpg
# rpm -q gpg-pubkey
(... lines deleted )
gpg-pubkey-16ff0e46-42e1a8d1
# rpm -K 4Suite-0.11-2.i386.rpm
4Suite-0.11-2.i386.rpm: sha1 md5 GPG NOT OK
See that the new key has been used instead of the CentOS-2 key and the
signature has failed.
Now I could be totally wrong but I think the RPM does not like the
CentOS-2 key, even though gpg does not have a problem with it. It could
be as simple as expecting that the self signature is always first but I
have not even looked at the rpm code.
Also, is it still possible to verify an rpm using gpg, as used to be
done in the RH7.2 days?
John.
--
John Newbigin
Computer Systems Officer
Faculty of Information and Communication Technologies
Swinburne University of Technology
Melbourne, Australia
http://www.ict.swin.edu.au/staff/jnewbigin
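Added example (not part of the original post and not rpm's own code): a small RFC 4880 packet parser that contrasts two ways of deriving the gpg-pubkey-%{version}-%{release} name from a public key block. The first fingerprints the primary key packet itself, which yields the 16ff0e46 id the post expects; the second takes the issuer and creation time from whichever signature packet comes first, which reproduces the mislabelling the post reports when a foreign certification precedes the self-signature. Reading the post's ids and timestamps this way ("first signature issuer wins") is an assumption drawn from the output shown, not something checked against rpm's source. The key block at the bottom is constructed with toy MPIs and is not a real or usable key; `self_signature_first` is the check a packager could run on a key before importing it.

```python
"""Derive the rpm-style name for an OpenPGP key block two ways and compare them.
Added example, not rpm code.  Key material below is constructed (toy MPIs)."""
import hashlib
import struct


def mpi(value):
    """Encode an integer as an OpenPGP multi-precision integer (RFC 4880 3.2)."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")


def packet(tag, body):
    """Old-format packet header with a two-octet length (RFC 4880 4.2.1)."""
    return bytes([0x80 | (tag << 2) | 1]) + struct.pack(">H", len(body)) + body


def iter_packets(data):
    """Yield (tag, body) for old- and new-format packets; partial lengths unsupported."""
    i = 0
    while i < len(data):
        ctb = data[i]
        i += 1
        if ctb & 0x40:                                   # new-format header
            tag, first = ctb & 0x3F, data[i]
            i += 1
            if first < 192:
                length = first
            elif first < 224:
                length, i = ((first - 192) << 8) + data[i] + 192, i + 1
            elif first == 255:
                length, i = struct.unpack(">I", data[i:i + 4])[0], i + 4
            else:
                raise ValueError("partial body length not supported")
        else:                                            # old-format header
            tag, ltype = (ctb >> 2) & 0x0F, ctb & 0x03
            if ltype == 3:
                raise ValueError("indeterminate length not supported")
            size = (1, 2, 4)[ltype]
            length, i = int.from_bytes(data[i:i + size], "big"), i + size
        yield tag, data[i:i + length]
        i += length


def iter_subpackets(area):
    """Yield (type, value) for each signature subpacket in a hashed/unhashed area."""
    i = 0
    while i < len(area):
        first = area[i]
        i += 1
        if first < 192:
            length = first
        elif first < 255:
            length, i = ((first - 192) << 8) + area[i] + 192, i + 1
        else:
            length, i = struct.unpack(">I", area[i:i + 4])[0], i + 4
        yield area[i] & 0x7F, area[i + 1:i + length]
        i += length


def v4_key_id(pubkey_body):
    """Key ID = low 64 bits of SHA-1(0x99 || length || key packet body) (RFC 4880 12.2)."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(pubkey_body)) + pubkey_body).digest()[-8:]


def sig_fields(sig_body):
    """Return (issuer key id, creation time) from a v4 signature packet body."""
    hlen = struct.unpack(">H", sig_body[4:6])[0]
    ulen = struct.unpack(">H", sig_body[6 + hlen:8 + hlen])[0]
    issuer = created = None
    for area in (sig_body[6:6 + hlen], sig_body[8 + hlen:8 + hlen + ulen]):
        for typ, val in iter_subpackets(area):
            if typ == 16:                                # issuer subpacket
                issuer = val
            elif typ == 2:                               # signature creation time
                created = struct.unpack(">I", val)[0]
    return issuer, created


def rpm_name(key_id, created):
    """gpg-pubkey-<low 32 bits of key id>-<creation time hex>, the layout from rpm -q gpg-pubkey."""
    return "gpg-pubkey-%s-%08x" % (key_id[-4:].hex(), created)


def primary_key(keyblock):
    """(key id, creation time) of the primary v4 public-key packet (tag 6)."""
    for tag, body in iter_packets(keyblock):
        if tag == 6 and body[0] == 4:
            return v4_key_id(body), struct.unpack(">I", body[1:5])[0]
    raise ValueError("no v4 primary key packet")


def first_signature(keyblock):
    """(issuer, creation time) of the first signature packet (tag 2) in the block."""
    for tag, body in iter_packets(keyblock):
        if tag == 2:
            return sig_fields(body)
    raise ValueError("no signature packet")


def name_from_primary_key(keyblock):
    return rpm_name(*primary_key(keyblock))          # derived from the key itself


def name_from_first_signature(keyblock):
    return rpm_name(*first_signature(keyblock))      # the failure mode under discussion


def self_signature_first(keyblock):
    """Check before import: is the first signature issued by the primary key?"""
    return first_signature(keyblock)[0] == primary_key(keyblock)[0]


# ---- constructed sample key block (DSA algorithm byte 17, toy MPIs, not a real key) ----
T_KEY = 0x40561F00
PRIMARY_BODY = bytes([4]) + struct.pack(">I", T_KEY) + bytes([17]) + b"".join(mpi(v) for v in (0xDEADBEEF, 0xCAFE, 2, 0x5678))
FOREIGN_BODY = bytes([4]) + struct.pack(">I", T_KEY - 100) + bytes([17]) + b"".join(mpi(v) for v in (0xC0FFEE, 0xBEEF, 2, 0x1234))
PRIMARY_ID, FOREIGN_ID = v4_key_id(PRIMARY_BODY), v4_key_id(FOREIGN_BODY)


def certification(issuer, created):
    """v4 positive-certification signature body (type 0x13) with creation-time and issuer subpackets."""
    hashed = bytes([5, 2]) + struct.pack(">I", created)
    unhashed = bytes([9, 16]) + issuer
    return (bytes([4, 0x13, 17, 2]) + struct.pack(">H", len(hashed)) + hashed
            + struct.pack(">H", len(unhashed)) + unhashed + b"\x00\x00" + mpi(1) + mpi(1))


USER_ID = packet(13, b"Constructed Test Key <test@example.invalid>")
FOREIGN_SIG = packet(2, certification(FOREIGN_ID, T_KEY + 7))
SELF_SIG = packet(2, certification(PRIMARY_ID, T_KEY))
KEY_FOREIGN_SIG_FIRST = packet(6, PRIMARY_BODY) + USER_ID + FOREIGN_SIG + SELF_SIG   # order seen in the post
KEY_SELF_SIG_FIRST = packet(6, PRIMARY_BODY) + USER_ID + SELF_SIG + FOREIGN_SIG      # order of the keys that work

if __name__ == "__main__":
    for label, blk in (("foreign sig first", KEY_FOREIGN_SIG_FIRST), ("self sig first", KEY_SELF_SIG_FIRST)):
        print(label, name_from_primary_key(blk), name_from_first_signature(blk), self_signature_first(blk))
```

Run as-is it prints the same primary-key-derived name for both orderings, while the first-signature derivation only agrees with it when the self-signature comes first. To run the check against a real key, unarmor it first (gpg --dearmor) and pass the binary bytes to `self_signature_first`.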