Re: Problems with signatures on CentOS5



On 03/12/2014 12:54 AM, Martín Marqués wrote:
2014-03-11 17:18 GMT-03:00 Panu Matilainen <pmatilai@xxxxxxxxxxxxxxx>:
On 03/11/2014 09:18 PM, Martín Marqués wrote:

I'm recompiling some packages for CentOS (actually CentOS or RHEL) 5
and 6, and it's the first time I sign them with gpg. Everything worked
fine until I had to install them via yum (worked on EL6 but not on
EL5). I've already fixed %__gpg_sign_cmd to use --force-v3-sigs, but I
get the same error.

The packages are signed with the company's gpg key using:

$ rpm --resign *.rpm

My .rpmmacros looks like this:

%_signature gpg
%_gpg_name My Key To Sign
%__gpg_sign_cmd %{__gpg} \
      gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
      --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
      -sbo %{__signature_filename} %{__plaintext_filename}

I did the same procedure for EL5 and EL6 repositories. But only on
CentOS 6 rpms get installed with yum, while on CentOS 5 the signature
fails, but it's not clear to me in which way.

From yum I get errors like this (key is hidden):

error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 signature: BAD, key ID

Checking on the packages downloaded I get similar errors:

$ rpm --checksig MyRPMPackage-0.0.1-1.el5.x86_64.rpm
MyRPMPackage-0.0.1-1.el5.x86_64.rpm: RSA sha1 MD5 PGP md5 NOT OK

What am I doing wrong here?

Probably nothing, technically speaking. It's just that support for RSA
signatures is hopelessly buggy in rpm 4.4.x. A key larger than 1024 bits is one
possible cause of the problem.

Me, I wouldn't bother fighting it. DSA signatures are far more hassle-free on
that version.

Switched to DSA (I created a subkey of the original) and now I get:

error: Unsupported PGP signature

What does that mean? Did I miss something when creating the subkey?

It means gpg signed successfully but rpm doesn't understand the result, which can happen as gpg supports all sorts of things rpm does not. My guess is the key is > 1024, which won't work with DSA either. On RHEL/CentOS 5 gpg doesn't even support larger DSA keys, whereas on RHEL-6 2048 is the default.

	- Panu -
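
A pre-signing check for the key limits named in the reply above, as an added example that is not part of the original thread. It reads `gpg --with-colons --list-keys` records; the function name `el5_key_check`, the verdict wording and the sample key IDs are constructed for illustration, and the thresholds are the ones stated in this thread, not an rpm specification.

```shell
#!/bin/sh
# Added example: flag keys against the EL5 (rpm 4.4.x) limits named in the thread.
# Input: `gpg --with-colons --list-keys` records on stdin
# (field 1 = record type, 3 = key length, 4 = algorithm id, 5 = key ID).
el5_key_check() {
    awk -F: '
        $1 == "pub" || $1 == "sub" {
            bits = $3 + 0
            if ($4 == 17)     name = "DSA"       # OpenPGP algorithm id 17
            else if ($4 == 1) name = "RSA"       # OpenPGP algorithm id 1
            else              name = "algo" $4   # other algorithms: not judged

            if (name == "DSA" && bits <= 1024)
                verdict = "OK: DSA up to 1024 bits"
            else if (name == "DSA")
                verdict = "RISK: DSA larger than 1024 bits"
            else if (name == "RSA" && bits > 1024)
                verdict = "RISK: RSA larger than 1024 bits"
            else if (name == "RSA")
                verdict = "RISK: RSA signatures reported buggy on rpm 4.4.x"
            else
                verdict = "UNKNOWN: not discussed in the thread"

            printf "%s %s %s-%d %s\n", $1, $5, name, bits, verdict
        }'
}

# Constructed sample listing (key IDs and timestamps are made up):
# a 2048-bit RSA primary key, a 2048-bit DSA subkey and a 1024-bit DSA subkey.
SAMPLE_KEYS='pub:u:2048:1:AAAAAAAAAAAAAAAA:1394496000:::u:::scESC:
uid:u::::1394496000::0000::My Key To Sign:
sub:u:2048:17:BBBBBBBBBBBBBBBB:1394582400::::::s:
sub:u:1024:17:CCCCCCCCCCCCCCCC:1394582400::::::s:'

# Run against the sample; for a real key, pipe in
#   gpg --with-colons --list-keys "My Key To Sign"
printf '%s\n' "$SAMPLE_KEYS" | el5_key_check
```

Only `pub` and `sub` records are evaluated, so the `uid` line in the listing is skipped.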

Rpm-list mailing list
