Problems with signatures on CentOS5

Martín Marqués martin at 2ndquadrant.com
Tue Mar 11 22:54:41 UTC 2014


2014-03-11 17:18 GMT-03:00 Panu Matilainen <pmatilai at laiskiainen.org>:
> On 03/11/2014 09:18 PM, Martín Marqués wrote:
>>
>> I'm recompiling some packages for CentOS (actually CentOS or RHEL) 5
>> and 6, and it's the first time I sign them with gpg. Everything worked
>> fine until I had to install them via yum (worked on EL6 but not on
>> EL5). I've already fixed %__gpg_sign_cmd to use --force-v3-sigs, but I
>> get the same error.
>>
>> The packages are signed with the company's gpg key using:
>>
>> $ rpm --resign *.rpm
>>
>> My .rpmmacros looks like this:
>>
>> %_signature gpg
>> %_gpg_name My Key To Sign
>> %__gpg_sign_cmd %{__gpg} \
>>      gpg --force-v3-sigs --digest-algo=sha1 --batch --no-verbose --no-armor \
>>      --passphrase-fd 3 --no-secmem-warning -u "%{_gpg_name}" \
>>      -sbo %{__signature_filename} %{__plaintext_filename}
>>
>> I did the same procedure for EL5 and EL6 repositories. But only on
>> CentOS 6 rpms get installed with yum, while on CentOS 5 the signature
>> fails, but it's not clear to me in which way.
>>
>> From yum I get errors like this (key is hidden):
>>
>> error: rpmts_HdrFromFdno: Header V3 RSA/SHA1 signature: BAD, key ID xxxxxxx
>>
>> Checking on the packages downloaded I get similar errors:
>>
>> $ rpm --checksig MyRPMPackage-0.0.1-1.el5.x86_64.rpm
>> MyRPMPackage-0.0.1-1.el5.x86_64.rpm: RSA sha1 MD5 PGP md5 NOT OK
>>
>> What am I doing wrong here?
>
>
> Probably nothing, technically speaking. It's just that support for RSA
> signatures is hopelessly buggy in rpm 4.4.x. A key larger than 1024 bits is
> one possible cause of the problem.
>
> Me, I wouldn't bother fighting it. DSA signatures are far more hassle-free on
> that version.

Switched to DSA (I created a subkey of the original) and now I get:

error: Unsupported PGP signature

What does that mean? Did I miss something when creating the subkey?

-- 
Martín Marqués http://www.2ndQuadrant.com/
PostgreSQL Development, 24x7 Support, Training & Services

