Problems with signatures on CentOS5

Panu Matilainen pmatilai at laiskiainen.org
Tue Mar 11 20:18:35 UTC 2014


On 03/11/2014 09:18 PM, Martín Marqués wrote:
> I'm recompiling some packages for CentOS (actually CentOS or RHEL) 5
> and 6, and it's the first time I sign them with gpg. Everything worked
> fine until I have to install them via yum (worked on EL6 but not on
> EL5). I've already fixed %__gpg_sign_cmd to use --force-v3-sigs, but I
> get the same error.
>
> The packages are signed with the company's gpg key using:
>
> $ rpm --resign *.rpm
>
> My .rpmmacros looks like this:
>
> %_signature gpg
> %_gpg_name My Key To Sign
> %__gpg_sign_cmd %{__gpg} \
>      gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
>      --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
>      -sbo %{__signature_filename} %{__plaintext_filename}
>
> I did the same procedure for EL5 and EL6 repositories. But only on
> CentOS 6 rpms get installed with yum, while on CentOS 5 the signature
> fails, but it's not clear to me in which way.
>
>  From yum I get errors like this (key is hidden):
>
> error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 signature: BAD, key ID xxxxxxx
>
> Checking on the packages downloaded I get similar errors:
>
> $ rpm --checksig MyRPMPackage-0.0.1-1.el5.x86_64.rpm
> MyRPMPackage-0.0.1-1.el5.x86_64.rpm: RSA sha1 MD5 PGP md5 NOT OK
>
> What am I doing wrong here?

Probably nothing, technically speaking. It's just that support for RSA 
signatures is hopelessly buggy in rpm 4.4.x. A key larger than 1024 bits is 
one possible cause of the problem.

Me, I wouldn't bother fighting it. DSA signatures are far more 
hassle-free on that version.

	- Panu -
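A pre-flight check for the signing key that follows from Panu's remark, as an added example that is not part of this thread: it reads `gpg --with-colons --list-keys` output (a constructed sample is embedded here) and flags RSA keys over 1024 bits before signing for an EL5 target, and it reduces an `rpm --checksig` line like the one quoted above to its verdict. The 1024-bit threshold is taken from the reply above rather than from any documented rpm limit, and the key ids are placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread. Assumption: rpm 4.4.x (EL5)
# copes with DSA keys and RSA keys up to 1024 bits; larger RSA keys are
# the case flagged in the reply above.

# Constructed sample of `gpg --with-colons --list-keys` output.
# pub record fields: 1=type, 3=key length, 4=algorithm (1=RSA, 17=DSA), 5=key id.
SAMPLE_KEYS='tru::1:1394500000:0:3:1:5
pub:u:4096:1:0123456789ABCDEF:2014-03-11:::u:::scESC:
uid:u::::2014-03-11::XXXX::My Key To Sign <placeholder@example.invalid>:
pub:u:1024:17:FEDCBA9876543210:2014-03-11:::u:::scESC:
uid:u::::2014-03-11::YYYY::Legacy DSA Key <placeholder@example.invalid>:'

# el5_key_verdict KEYID COLON_OUTPUT
# Prints "ok" for DSA or RSA <= 1024 bits, "too-large" for bigger RSA keys,
# "unknown" if the key id is absent or uses another algorithm.
# Returns success only for "ok", so it can gate an `rpm --resign` run.
el5_key_verdict() {
    keyid=$1
    colon_output=$2
    verdict=$(printf '%s\n' "$colon_output" | awk -F: -v id="$keyid" '
        $1 == "pub" && $5 == id {
            if ($4 == 17) { print "ok"; exit }                # DSA
            if ($4 == 1 && $3 <= 1024) { print "ok"; exit }   # small RSA
            if ($4 == 1) { print "too-large"; exit }          # RSA > 1024 bits
            print "unknown"; exit
        }')
    printf '%s\n' "${verdict:-unknown}"
    [ "$verdict" = "ok" ]
}

# checksig_status LINE: reduce one `rpm --checksig` output line to its verdict.
# "NOT OK" is matched first because it also contains the substring " OK".
checksig_status() {
    case $1 in
        *"NOT OK"*) echo "NOT OK" ;;
        *" OK"*)    echo "OK" ;;
        *)          echo "unknown" ;;
    esac
}
```

On a real host, feed `gpg --with-colons --list-keys "My Key To Sign"` to `el5_key_verdict` and `rpm --checksig package.rpm` to `checksig_status`.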